Virtualizing the Network

1
Virtualizing the Network

• there is no spoon

there is no spoon
Peninsula Users Group October 25rd, 2007
2
About Untangle

• Open Source Network Gateway
• GPLv2
• 12 Open Source Applications
• Firewall, VPN, IPS, Spam, Spyware, AV, web filter
  more
• Designed for Small Business
• Easy to install manage w/ GUI, logging
  reporting
• Untangle sells
• Live phone support
• An extra application (clientless VPN)
• Download on SourceForge
• http//sourceforge.net/projects/untangle
• ISO Image
• VMWare Image

3
whoiam

• Untangle Founder CTO

• Career highlights
• Major projects
• High Bandwidth Transparent Vectoring for proxy
  firewall engines
• Java-based distributed monitor and intrusion
  detection systems.
• Survivability simulations in support of fault
  tolerant systems
• Work History
• CERT/CC (Computer Emergency Response Team)
• Akheron Technologies, Chief Architect.
• VerticalNet and H.L.L.C. Consulting
• Education
• Carnegie Mellon University , Bachelor's degree
  in Computer Science with a minor in Mathematics

Read Dirks blog - http//blog.untangle.com/
3
3
4
The Simpler Way to Protect, Control and Monitor
your network
SMB network the HARD way!
SMB Adoption

• Firewall
• Email Server
• File Server
• Anti-Virus
• Anti-Spam
• Anti-Spyware
• VPN
• Web Filtering
• Intrusion Prevention
• Reporting
• IM/P2P/QoS
• Archiving/Backup

high
high
high
New Threats Apps
high

• Phishing
• SSL VPN
• VOIP
• NAC
• Future Threats/Apps?

medium
low
medium
low
low
low
low
low
OR
SMB network the SIMPLE way!
virtual 19 rack

• Firewall
• Email Server
• File Server
• Anti-Virus
• Anti-Spam
• Anti-Spyware
• VPN
• Web Filtering
• Intrusion Prevention
• Reporting
• IM/P2P/QoS
• Archiving/Backup

online library
New Threats Apps

• Phishing
• SSL VPN
• VOIP PBX
• NAC
• Future Threats/Apps?

a
5
Untangle Implementation
Behind the firewall router
As the firewall router
Untangle
Untangle
6
What is a Virtual Network?
wikipedia definition
A virtual network provides the functionality, or
application programming interface (API), of links
between nodes, as in a computer network. The
implementation of these virtual links may or may
not correspond to physical connections between
nodes.
what its not physical transport medium
7
Background
2002

• Instant Messaging
• P2P blocking
• Anti-virus
• IPS (snort)
• etc

trends

• Consolidation

• Software (vs ASIC)

8
Attempt 1 the VMWare approach
kernel
advantages
disadvantages

• fairly simple for applications

• terrible resource contention - latency
• high overhead of virtualization
• no sharing data

9
Attempt 2 the proxy chaining approach
kernel
proxy 1
proxy 2
proxy 3
proxy 4
advantages
disadvantages

• less overhead

• bad resource contention - latency
• more complicated

9
10
Proxy Chaining (latency issue)
Context Switches
4
Data from the network
Buffer Copies
5
Application Proxy
Light Load
Moderate Load
Thread / Process
Proxy Chain
Run Queue
CPU
11
Proxy chaining and VMWare latency behavior
12
Attempt 3 the pipelining approach
kernel
node 1
node 2
node 3
node 4
advantages
disadvantages

• apps need to be ported to threading model

• less resource contention

12
13
Virtual Pipelining
Context Switches
1
Data from the network
Buffer Copies
2
Application Module
Moderate Load
Light Load
Thread / Process
Virtual Pipeline
gt8x improvement
CPU
Run Queue
14
Latency vs previous approaches problem solved
15
Virtual Network tricks
virtual networks are different than physical
networks

• dynamic reconfiguration (per session)
• object passing data sharing
• share common resources (reports, alerts,
  management, etc)
• backup and restore of entire network

16
Redefining the Network

• Benefits
• Significantly cheaper
• Allow for quick application adoption and
  management
• Enhanced applications

our goal run your entire network in one machine