virtualizing the network
Virtualizing the Network …there is no spoon
November 7th, 2007
BALUG is Back! …for a Blockbuster 2008
Next Meeting:
Nov 20th – 6:30pm “ACCRC+Linux: Saving Computers from Landfills”
Location:
Four Seas Restaurant
731 Grant Ave
San Francisco, CA
2008 Speaker Lineup
• Jan – Eric S. Raymond
• Feb – Bruce Perens
• March – TBD
• April – Eric Allman
• May – Jeremy Allison
• June – Andrew Morton
About Untangle
• Open Source Network Gateway (GPLv2)
• 12 Open Source Applications: Firewall, VPN, IPS, Spam, Spyware, AV, web filter & more
• Designed for Small Business: easy to install & manage w/ GUI, logging & reporting
• Untangle sells… live phone support and an extra application (clientless VPN)
• Download on SourceForge: http://sourceforge.net/projects/untangle (ISO Image, VMWare Image)
Who I am
Untangle Founder & CTO
Career highlights
Major projects
• High Bandwidth Transparent Vectoring for proxy firewall engines
• Java-based distributed monitor and intrusion detection systems
• Survivability simulations in support of fault tolerant systems
Work History
• CERT/CC (Computer Emergency Response Team)
• Akheron Technologies, Chief Architect
• VerticalNet and H.L.L.C. Consulting
Education
• Carnegie Mellon University, Bachelor's degree in Computer Science with a minor in Mathematics
Read Dirk’s blog – http://blog.untangle.com/
The Simpler Way to Protect, Control and Monitor your network
SMB network – the HARD way!
[Diagram: one separate box per function – Firewall, Email Server, File Server, Anti-Virus, Anti-Spam, Anti-Spyware, VPN, Web Filtering, Intrusion Prevention, Reporting, IM/P2P/QoS, Archiving/Backup]
SMB network – the SIMPLE way!
[Diagram: the same functions (Firewall, Email Server, File Server, Anti-Virus, Anti-Spam, Anti-Spyware, VPN, Web Filtering, Intrusion Prevention, Reporting, IM/P2P/QoS, Archiving/Backup) consolidated into one box]
SMB Adoption
[Chart: adoption level (high / medium / low) per application]
New Threats & Apps
[Diagram: Phishing, SSL VPN, VOIP PBX, NAC, Future Threats/Apps?; labels “online library” and “OR virtual 19” rack”]
Untangle Implementation
• Behind the firewall & router
• As the firewall & router
What is a Virtual Network?
A virtual network provides the functionality, or application programming interface (API), of links between nodes, as in a computer network. The implementation of these virtual links may or may not correspond to physical connections between nodes.
– Wikipedia
Old School: The Mainframe in a Box
New School: The Network Rack in a Box
What Can’t be Virtualized
• Physical Transport Mediums – Wires & Cables
• Etc.
How the Idea Was Born
Back in 2002…
• Instant Messaging
• P2P blocking
• Anti-virus
• IPS (snort)
• etc
Trends
• Consolidation
• Software (vs ASIC)
Attempt #1 – the “VMWare” approach
[Diagram: each application in its own VM on top of the kernel]
Pros
• fairly simple for applications
Cons
• terrible resource contention – latency
• high overhead of virtualization
• no sharing data
Attempt #2 – the “proxy chaining” approach
[Diagram: proxy 1 → proxy 2 → proxy 3 → proxy 4, each a separate process on top of the kernel]
Pros
• less overhead
Cons
• bad resource contention – latency
• more complicated
Proxy Chaining (latency issue)
[Diagram: data from the network traverses the proxy chain; each Application Proxy is a separate Thread / Process that must wait on the CPU Run Queue]
Context Switches: 4
Buffer Copies: 5

                     Light Load   Moderate Load
Avg Run Queue Wait   20 msec      60 msec
Context Switches     4            4
Latency Overhead     80+ msec     240+ msec

[Chart: Proxy chaining and VMWare latency behavior – Actual Latency vs. User Noticeable Latency]
Attempt #3 – the “pipelining” approach
[Diagram: node 1 → node 2 → node 3 → node 4 inside one process on top of the kernel]
Advantages
• less resource contention
Disadvantages
• apps need to be ported to the threading model
Virtual Pipelining
[Diagram: data from the network traverses the virtual pipeline; the Application Modules share one Thread / Process, so the session waits on the CPU Run Queue once]
Context Switches: 1
Buffer Copies: 2

                     Light Load   Moderate Load
Avg Run Queue Wait   10 msec      30 msec
Context Switches     1            1
Latency Overhead     10 msec      30 msec

>8x improvement
Latency vs previous approaches – problem solved
[Chart: Proxy/VMware Latency vs. Untangle Latency, against the User Noticeable Latency line]
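The latency model behind the two tables above, written out as an added example (not code from the deck or from Untangle). It assumes latency overhead is context switches times average run-queue wait, with one context switch and one copy per proxy in a chain but a single switch for the whole pipeline, and generalizes the deck's four-app case to any chain length; the user-noticeable threshold is a parameter because the slides draw the line without giving a value.

```python
"""Latency model for proxy chaining vs. virtual pipelining (added example).

Model assumption (ours, not the deck's): per-session latency overhead is
context_switches * avg_run_queue_wait_ms. With four apps this reproduces
the slide figures (80/240 msec for the chain, 10/30 msec for the pipeline).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PathCost:
    context_switches: int
    buffer_copies: int
    run_queue_wait_ms: float

    @property
    def latency_overhead_ms(self) -> float:
        # Every context switch puts the session back on the run queue once.
        return self.context_switches * self.run_queue_wait_ms


def proxy_chain(apps: int, run_queue_wait_ms: float) -> PathCost:
    """Attempt #2: each app is its own process, so a session is switched
    into every proxy in turn and copied once per process boundary
    (apps + 1 copies: kernel -> proxy 1 -> ... -> proxy N -> kernel)."""
    return PathCost(context_switches=apps,
                    buffer_copies=apps + 1,
                    run_queue_wait_ms=run_queue_wait_ms)


def virtual_pipeline(apps: int, run_queue_wait_ms: float) -> PathCost:
    """Attempt #3: all app modules run in one thread, so the session is
    scheduled once and copied only on the way in and out of the kernel."""
    return PathCost(context_switches=1,
                    buffer_copies=2,
                    run_queue_wait_ms=run_queue_wait_ms)


def improvement(apps: int, chain_wait_ms: float, pipe_wait_ms: float) -> float:
    """Ratio of proxy-chain to pipeline latency overhead at a given load.
    The pipeline's shorter wait reflects the deck's 'less contention' claim."""
    chain = proxy_chain(apps, chain_wait_ms)
    pipe = virtual_pipeline(apps, pipe_wait_ms)
    return chain.latency_overhead_ms / pipe.latency_overhead_ms


def noticeable(cost: PathCost, threshold_ms: float) -> bool:
    """True when the overhead alone crosses a user-noticeable threshold
    (threshold is an assumed input; the deck gives no number)."""
    return cost.latency_overhead_ms >= threshold_ms
```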
Virtual Network tricks
• dynamic reconfiguration (per session)
• object passing & data sharing
• share common resources (reports, alerts, management, etc)
• backup and restore of entire network
virtual networks are different than physical networks
Redefining the Network
Benefits
• Significantly cheaper
• Allow for quick application adoption and management
• Enhanced applications
our goal: run your entire network in one machine
Live Demo
Q&A
What The F*ck is That?
Untangle is Hiring!
Sr. QA Test Engineer
• 6+ years testing experience
• Experience testing GNU/Linux
• Experience with Network testing
Linux SysAdmin & Support
• 5+ years testing experience
• VOIP experience a big plus
About Untangle
• Small tight-knit company ~ 30 people
• Located in San Mateo, CA
• Great salary, benefits & startup options
• Get to ride in the Pinzgauer!