Lindsay Hill comments on his blog:
Almost every SDN vendor today talks about policy, how they make it easy to express and enforce network policies. Cisco ACI, VMware NSX, Nuage Networks, OpenStack Congress, etc. This sounds fantastic. Who wouldn’t want a better, simpler way to get the network to apply the policies we want? But maybe it’s worth taking a look at how we manage policy today with firewalls, and why it doesn’t work.
Lindsay points out a great number of the issues with policy implementations as they exist today. Is policy flawed? Or have we perverted it by bolting it onto devices that shouldn’t have been running it in the first place?
Read more at: Using Firewalls for Policy Has Been a Disaster