Virtualizing the Network: there is no spoon
Peninsula Users Group
October 25th, 2007
About Untangle
• Open Source Network Gateway (GPLv2)
• 12 Open Source Applications: Firewall, VPN, IPS, Spam, Spyware, AV, web filter & more
• Designed for Small Business: easy to install & manage, with GUI, logging & reporting
• Untangle sells: live phone support and an extra application (clientless VPN)
• Download on SourceForge: http://sourceforge.net/projects/untangle (ISO Image, VMWare Image)
Who I am
Untangle Founder & CTO
Career highlights
Major projects
• High Bandwidth Transparent Vectoring for proxy firewall engines
• Java-based distributed monitor and intrusion detection systems
• Survivability simulations in support of fault tolerant systems
Work History
• CERT/CC (Computer Emergency Response Team)
• Akheron Technologies, Chief Architect
• VerticalNet and H.L.L.C. Consulting
Education
• Carnegie Mellon University, Bachelor's degree in Computer Science with a minor in Mathematics
Read Dirk’s blog - http://blog.untangle.com/
The Simpler Way to Protect, Control and Monitor your network
[Slide: SMB network – the HARD way! Separate boxes for Firewall, Email Server, File Server, Anti-Virus, Anti-Spam, Anti-Spyware, VPN, Web Filtering, Intrusion Prevention, Reporting, IM/P2P/QoS, Archiving/Backup]
[Slide: SMB network – the SIMPLE way! Modules shown: URL, AntiVirus, Spyware, Report, IPS, VPN]
[Slide: New Threats & Apps – Phishing, SSL VPN, VOIP, PBX, NAC, Future Threats/Apps? Delivered from an online library, OR a virtual 19” rack]
[Slide: SMB Adoption]
Untangle Implementation
• Behind the firewall & router
• As the firewall & router
What is a Virtual Network?
Wikipedia definition:
A virtual network provides the functionality, or application programming interface (API), of links between nodes, as in a computer network. The implementation of these virtual links may or may not correspond to physical connections between nodes.
What it's not: the physical transport medium
Background
Trends
• Consolidation
• 2002: Instant Messaging, P2P blocking, Anti-virus, IPS (snort), etc.
• Software (vs ASIC)
Attempt #1 – the “VMWare” approach
[Diagram: applications in separate VMs over the kernel]
Advantages
• fairly simple for applications
Disadvantages
• terrible resource contention - latency
• high overhead of virtualization
• no sharing data
Attempt #2 – the “proxy chaining” approach
[Diagram: proxy 1 → proxy 2 → proxy 3 → proxy 4, each above the kernel]
Advantages
• less overhead
Disadvantages
• bad resource contention - latency
• more complicated
Proxy Chaining (latency issue)
[Diagram: data from the network passes through the proxy chain; each application proxy is its own thread/process that waits in the CPU run queue. Context switches = 4, buffer copies = 5]

                     Light Load   Moderate Load
Avg Run Queue Wait   20 msec      60 msec
Context Switches     4            4
Latency Overhead     80+ msec     240+ msec

Proxy chaining and VMWare latency behavior
Attempt #3 – the “pipelining” approach
[Diagram: node 1 → node 2 → node 3 → node 4 inside one process above the kernel]
Advantages
• less resource contention
Disadvantages
• apps need to be ported to the threading model

Virtual Pipelining
[Diagram: data from the network passes through the virtual pipeline; the application modules share one thread/process and one place in the CPU run queue. Context switches = 1, buffer copies = 2]

                     Light Load   Moderate Load
Avg Run Queue Wait   10 msec      30 msec
Context Switches     1            1
Latency Overhead     10 msec      30 msec

>8x improvement
Latency vs previous approaches – problem solved
Virtual Network tricks
• dynamic reconfiguration (per session)
• object passing & data sharing
• share common resources (reports, alerts, management, etc.)
• backup and restore of entire network
Virtual networks are different than physical networks
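As an added example (not from the slides or from Untangle's own code), a toy Python model of the pipelining approach and of the per-session tricks above: one buffer object passes through in-process nodes chosen per session, with no copies or context switches between nodes, and a cost function reproduces the latency-overhead numbers in the tables (context switches times average run-queue wait). The module names, the protocol-based node selection and the sample payloads are constructed stand-ins.

```python
"""Toy model of 'virtual pipelining': every module runs in one process and
hands the same buffer object to the next node, and the node list is chosen
per session (dynamic reconfiguration). Modules below are constructed
stand-ins, not Untangle's real ones."""
from dataclasses import dataclass, field


@dataclass
class Session:
    proto: str
    buf: bytearray                              # one buffer shared by all nodes
    tags: dict = field(default_factory=dict)    # object passing between nodes


def virus_scan(s):
    # Hypothetical signature check; EICAR is just the sample marker used here.
    if b"EICAR" in s.buf:
        s.tags["virus"] = True
    return s


def web_filter(s):
    s.tags["url_blocked"] = b"example.test" in s.buf   # constructed block list
    return s


def spam_check(s):
    s.tags["spam"] = s.buf.count(b"$$$") > 1           # constructed heuristic
    return s


def pipeline_for(proto):
    """Dynamic reconfiguration: pick the node chain per session by protocol."""
    nodes = [virus_scan]
    if proto == "http":
        nodes.append(web_filter)
    elif proto == "smtp":
        nodes.append(spam_check)
    return nodes


def run_pipeline(session):
    """All nodes run in the same thread: 2 buffer copies (kernel in, kernel
    out) and 1 context switch for the whole chain, however many nodes."""
    for node in pipeline_for(session.proto):
        session = node(session)      # same Session/buffer object, no copy
    return session


def latency_overhead(context_switches, avg_run_queue_wait_ms):
    """Cost model consistent with the slide tables: each context switch
    pays one average run-queue wait."""
    return context_switches * avg_run_queue_wait_ms
```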
Redefining the Network
Benefits
• Significantly cheaper
• Allow for quick application adoption and management
• Enhanced applications
Our goal: run your entire network in one machine