Cisco Nexus 1000v: Free unless you want Security

While not particularly new news, the next version of the Cisco Nexus 1000v will be free, unless you want the security features. This is an interesting shift from Cisco with respect to VMware vCloud Director, the Nicira purchase, furthering UCS, and Cisco within non-UCS data centers. However, given other announcements, with respect to OpenStack, perhaps this is more a play to level the playing field between cloud architectures? But what I find most interesting, is that the changes to the Nexus 1000v also align with the changes we see in the vCloud Suites from VMware.

So why would Cisco take this step? There are several possibilities:

  • Outside of VCE the Nexus 1000v is not being sold
  • This is a step to get a Cisco device into every virtual and cloud environment build upon vSphere.
  • This is a step to full Cisco integration into OpenStack

In either case, we will see an uptick in Nexus 1000v usage within vSphere environments once the product becomes freely available with the only limiting factor being the price of Enterprise Plus required to run the Nexus 1000v. Cisco is a switch company, not necessarily a security company, so charging for security features seems a bit backwards when normally they charge per port.

I think this is a statement about more than just alignment with VMware’s vCloud Suite versions, it is a statement about Nicira. This move will allow Cisco to fully enter the vCloud Suite market as an alternative to Nicira and Open Flow. With VMware’s purchase of Nicira, it is now table-stakes to have a cloud-wide networking story and this is a move by Cisco to be there first with their own protocol stack (NVGRE,OTV,etc.) while still providing underlying support for VMware’s own vXLAN and other protocols.

The part of this announcement that is more interesting than the ever change field of network virtualization is the concept that the Nexus 1000v is free unless you want security.

Nexus 1000v: Free Unless you want Security

We need security, and we know it costs money to implement, but why add a premium to necessary security requirements? It just makes security less palatable to those who absolutely need to implement it, but do not.  Security today is still in a reactive state to the breaches encountered every day. Take a look at the average virtual or cloud environment? Who is running them, making decisions about the products within them, and why those decisions are being made?

The average virtual or cloud environment is run by retrained and possibly re-purposed Windows Administrators who are not Security Administrators. They initially virtualized to save money on Capex expenditures and continue to roll down this path.  They make their security purchasing decisions based on compliance requirements handed down by the CFO who does not want to be fined for missing compliance requirements.  The assumption being that if they are compliant they are secure. Other security decisions are made based on hypervisor hardening guides, once more to meet compliance check box requirements.

Now, VMware has made a change to their products, when you purchase VMware vCloud Suite you actually get vCloud Network and Security (vCNS, formerly vShield) Edge and App tools bundled within the Suite. In addition, as of vSphere 5.1, the former vShield Endpoint security product is now a part of base vSphere. So what does all this bundling mean?

Since those with Enterprise+ can upgrade to vCloud Suite Standard for free, they also get security tools for free. Which means that more administrators will start to use those tools. Yes, there will be an uptick in Software and Support subscription costs at the end of the day with vCloud Suites, but the benefits of having vCNS components available to many virtualization administrators are greater.

So how does the Nexus 1000v jive with this additional security functionality of vCloud Suites? It charges for necessary switch security components that would augment the security of any vCloud Suite implementation.  While it does cost more to protect your security investment within vCloud Suite (vCNS Load Balancing, High Availability) it also costs more to implement even more security with vCNS Data Security. However, the biggest difference between Cisco and VMware (at this time, while the free upgrades last) is that vCNS Standard ships with every upgraded vCloud Suite Standard.

To me, this implies, that vCNS security components will be used more and more. They are readily available to any who have upgraded to vCloud Suite, and could be the major reason to get this free upgrade while the upgrade window lasts.  Additional security at no cost is a huge win in a world where security administrators are starting to get heavily involved.

Free Unless you want EVEN MORE Security

Cisco should jump on this band wagon and provide all the Nexus 1000v features for free, including the standard port security options. But charge for even more security provided by the virtualized ASA and virtual Gateway that can augment a Nexus 1000v. This would align quite well with VMware’s own vCloud Suite free upgrade for vSphere Enterprise+ license holders.

Impacting the Market

Both of these changes will impact the virtualization security and networking markets, at least, for those who will upgrade to a vCloud Suite implementation from VMware. However, for those who do not upgrade, the market does not change. There is no bundled security within any edition of vSphere. Given this, the market for vSphere security tools will not change much. There is one exception to this, the former vShield Endpoint product which is now bundled with most versions of vSphere (all but Essentials), which implies that offload anti-virus and malware tools required by compliance regulations and most security policies may be cheaper to implement within a vSphere virtual environment. The impact to non-SMB customers could be quite large. But for SMB customers there is no real change.

Posted in SDDC & Hybrid Cloud, SecurityTagged , , , , , , ,