Virtualizing the Network
23
Virtualizing the Network …there is no spoon there is no spoon November 7th, 2007
description
Virtualizing the Network. …there is no spoon. November 7th, 2007. there is no spoon. Next Meeting: Nov 20 th – 6:30pm “ACCRC+Linux: Saving Computers from Landfills” Location: Four Seas Restaurant 731 Grant Ave San Francisco, CA. 2008 Speaker Lineup Jan – Eric S. Raymond - PowerPoint PPT Presentation
Transcript of Virtualizing the Network
Virtualizing the Network…there is no spoon
there is no spoon
November 7th, 2007
BALUG is Back! …for a Blockbuster 2008
Next Meeting:
Nov 20th – 6:30pm “ACCRC+Linux: Saving Computers from Landfills”
Location:
Four Seas Restaurant
731 Grant Ave
San Francisco, CA
2008 Speaker Lineup
• Jan – Eric S. Raymond• Feb – Bruce Perens• March – TBD • April – Eric Allman• May – Jeremy Allison• June – Andrew Morton
About Untangle
• Open Source Network Gateway GPLv2
• 12 Open Source Applications Firewall, VPN, IPS, Spam, Spyware, AV, web filter & more
• Designed for Small Business Easy to install & manage w/ GUI, logging & reporting
• Untangle sells… Live phone support An extra application (clientless VPN)
• Download on SourceForge http://sourceforge.net/projects/untangle ISO Image VMWare Image
44
whoiam
Untangle Founder & CTO
Career highlights
Major projects• High Bandwidth Transparent Vectoring for proxy firewall engines• Java-based distributed monitor and intrusion detection systems. • Survivability simulations in support of fault tolerant systems
Work History• CERT/CC (Computer Emergency Response Team)• Akheron Technologies, Chief Architect. • VerticalNet and H.L.L.C. Consulting
Education• Carnegie Mellon University , Bachelor's degree in Computer Science with a minor in Mathematics
Read Dirk’s blog - http://blog.untangle.com/
a
The Simpler Way to Protect, Control and Monitor your network
low
low
Firewall Email Server File Server Anti-Virus Anti-Spam Anti-Spyware VPN Web Filtering Intrusion Prevention Reporting IM/P2P/QoS Archiving/Backup
` `` `
URL
AntiVirus
SMB network – the HARD way!
Firewall Email Server File Server Anti-Virus Anti-Spam Anti-Spyware VPN Web Filtering Intrusion Prevention Reporting IM/P2P/QoS Archiving/Backup
Spyware Report
SMB network – the SIMPLE way!
IPS
VPN
highhighhighhighmedium
medium
lowlowlowlow
Phishing SSL VPN VOIP NAC Future Threats/Apps?
New Threats & Apps
online library
Phishing SSL VPN VOIP PBX NAC Future Threats/Apps?
New Threats & Apps
OR virtual 19” rack
SMB Adoption
` `` `
Untangle Implementation
Behind the firewall & router As the firewall & router
Untangle
Untangle
What is a Virtual Network?
A virtual network provides the functionality, or application programming interface (API), of links between nodes, as in a computer network. The implementation of these virtual links may or may not correspond to physical connections between nodes.
-Wikipedia
Old School: The Mainframe in a Box
8
New School: The Network Rack in a Box
9
What Can’t be Virtualized
• Physical Transport Mediums – Wires & Cables– Etc.
How the Idea Was Born
11
• Consolidation
` `` `
Back in 2002…
• Instant Messaging• P2P blocking• Anti-virus• IPS (snort)• etc
trends
• Software (vs ASIC)
Attempt #1 – the “VMWare” approach
12
` `` `
• terrible resource contention - latency• high overhead of virtualization• no sharing data
Pros Cons• fairly simple for applications
kernel
Attempt #2 – the “proxy chaining” approach
13
` `` `
13
• bad resource contention - latency• more complicated
Pros Cons• less overhead
proxy 1
proxy 2
proxy 3
proxy 4
kernel
Proxy Chaining (latency issue)
Buffer Copies:
Proxy Chain
Data from the network
Context Switches:
Application Proxy
CPU
Thread / Process
Run Queue
=4
=5
Avg Run Queue Wait 20 msec
Context Switches 4
Latency Overhead 80+ msec
Avg Run Queue Wait 20 msec 60 msec
Context Switches 4 4
Latency Overhead 80+ msec 240+ msec
Light Load Moderate Load
Proxy chaining and VMWare latency behavior
Actual Latency
User Noticeable Latency
Attempt #3 – the “pipelining” approach
16
` `` `
16
• app’s need to be ported to threading model
advantages disadvantages
• less resource contention
node 1
node 2
node 3
node 4
kernel
Virtual Pipelining
Buffer Copies:
Virtual Pipeline
Data from the network
Context Switches:
Application Module
CPU
Thread / Process
Run Queue
=1
=2
Avg Run Queue Wait 10 msec 30 msec
Context Switches 1 1
Latency Overhead 10 msec 30 msec
Light Load Moderate Load
>8x improvement
Latency vs previous approaches – problem solved
Proxy/VMware Latency
User Noticeable Latency
Untangle Latency
Virtual Network tricks
• dynamic reconfiguration (per session)
• object passing & data sharing• share common resources (reports, alerts, management, etc)
• backup and restore of entire network
virtual networks are different than physical networks
Redefining the Network
Benefits• Significantly cheaper• Allow for quick application adoption and management• Enhanced applications
our goal: run your entire network in one machine
Live Demo
Q&A
What The F*ck is That?
Untangle is Hiring!
Sr. QA Test Engineer• 6+ years testing experience• Experience testing GNU/Linux• Experience with Network testing
Linux SysAdmin & Support• 5+ years testing experience• VOIP experience a big plus
About Untangle• Small tight-knit company ~ 30 people• Located in San Mateo, CA• Great salary, benefits & startup options• Get to ride in the Pinzgauer!
