Virtualizing the Network

there is no spoon

Stanford Linux Users Group, October 23rd, 2007

About Untangle

Open Source Network Gateway

GPLv2

12 Open Source Applications

Firewall, VPN, IPS, Spam, Spyware, AV, web filter & more

Designed for Small Business

Easy to install & manage w/ GUI, logging & reporting

Untangle sells…
• Live phone support
• An extra application (clientless VPN)

Download on SourceForge
• ISO Image
• VMWare Image

whoami
Untangle Founder & CTO

Career highlights

Major projects
• High Bandwidth Transparent Vectoring for proxy firewall engines
• Java-based distributed monitor and intrusion detection systems
• Survivability simulations in support of fault tolerant systems

Work History
• CERT/CC (Computer Emergency Response Team)
• Akheron Technologies, Chief Architect
• VerticalNet and H.L.L.C. Consulting

Education
• Carnegie Mellon University, Bachelor's degree in Computer Science with a minor in Mathematics

Read Dirk’s blog - http://blog.untangle.com/

What is a Virtual Network?

wikipedia definition:

A virtual network provides the functionality, or application programming interface (API), of links between nodes, as in a computer network. The implementation of these virtual links may or may not correspond to physical connections between nodes.

What it's not: a physical transport medium

Background 2002

• Instant Messaging
• P2P blocking
• Anti-virus
• IPS (snort)
• etc

trends
• Consolidation
• Software (vs ASIC)

Attempt #1 – the “VMWare” approach

(diagram: each application in its own virtual machine, stacked above the kernel)

advantages
• fairly simple for applications

disadvantages
• terrible resource contention - latency
• high overhead of virtualization
• no sharing data

Attempt #2 – the “proxy chaining” approach

(diagram: proxy 1, proxy 2, proxy 3 and proxy 4 chained above the kernel)

advantages
• less overhead

disadvantages
• bad resource contention - latency
• more complicated

Proxy Chaining (latency issue)

Data from the network → Application Proxy
Context Switches: = 4
Buffer Copies: = 5

Thread / Process   Avg Run Queue Wait   Context Switches   Latency Overhead
Light Load         20 msec              4                  80+ msec
Moderate Load      60 msec              4                  240+ msec

(diagram: proxy chain threads queued on the CPU run queue)

Proxy chaining and VMWare latency behavior

Attempt #3 – the “pipelining” approach

(diagram: node 1, node 2, node 3 and node 4 pipelined above the kernel)

advantages
• less resource contention

disadvantages
• app’s need to be ported to threading model

Virtual Pipelining

Data from the network → Application Module
Context Switches: = 1
Buffer Copies: = 2

Thread / Process   Avg Run Queue Wait   Context Switches   Latency Overhead
Light Load         10 msec              1                  10 msec
Moderate Load      30 msec              1                  30 msec

Virtual Pipeline: >8x improvement

(diagram: pipeline threads on the CPU run queue)

Latency vs previous approaches – problem solved
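The two latency tables follow one implicit model: added latency is the number of context switches a packet waits through, times the average run-queue wait per switch. The model below is an added illustration, not code from the Untangle project or the talk; it treats that product as an assumption and reproduces the slides' figures, then splits the quoted >8x gain into its two causes (fewer switches, and shorter waits from reduced contention).

```python
"""Latency-overhead model behind the proxy-chaining vs. pipelining slides.

Assumption (the slides give numbers, not a formula): latency overhead =
context switches per packet * average run-queue wait per switch.
All figures are the slides' own.
"""

# Context switches a packet incurs in each design (from the slides).
CONTEXT_SWITCHES = {"proxy_chain": 4, "pipeline": 1}

# Average run-queue wait in msec under light and moderate load (from the slides).
RUN_QUEUE_WAIT_MS = {
    "proxy_chain": {"light": 20, "moderate": 60},
    "pipeline": {"light": 10, "moderate": 30},
}


def latency_overhead_ms(avg_run_queue_wait_ms, context_switches):
    """Lower bound on added latency: each switch costs one run-queue wait."""
    return avg_run_queue_wait_ms * context_switches


def overhead_table(design):
    """{load: overhead_ms} for one design, reproducing its slide table."""
    switches = CONTEXT_SWITCHES[design]
    return {
        load: latency_overhead_ms(wait, switches)
        for load, wait in RUN_QUEUE_WAIT_MS[design].items()
    }


def improvement_breakdown(load):
    """Decompose the chain-vs-pipeline gain at one load level.

    Returns (switch_factor, wait_factor, total_factor): how much comes from
    fewer context switches, how much from shorter waits (less contention),
    and their product, which is the overall latency ratio.
    """
    switch_factor = CONTEXT_SWITCHES["proxy_chain"] / CONTEXT_SWITCHES["pipeline"]
    wait_factor = RUN_QUEUE_WAIT_MS["proxy_chain"][load] / RUN_QUEUE_WAIT_MS["pipeline"][load]
    total = overhead_table("proxy_chain")[load] / overhead_table("pipeline")[load]
    return switch_factor, wait_factor, total


if __name__ == "__main__":
    for design in CONTEXT_SWITCHES:
        print(design, overhead_table(design))
    for load in ("light", "moderate"):
        print(load, "gain (switches, wait, total):", improvement_breakdown(load))
```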

Virtual Network tricks

virtual networks are different than physical networks

• dynamic reconfiguration (per session)
• object passing & data sharing
• share common resources (reports, alerts, management, etc)
• backup and restore of entire network

Redefining the Network

Benefits
• Significantly cheaper
• Allow for quick application adoption and management
• Enhanced applications

our goal: run your entire network in one machine

Untangle Implementation (demo)

(diagram: Untangle deployed behind the firewall & router, or as the firewall & router)

The Simpler Way to Protect, Control and Monitor your network
SMB network – the HARD way!

(diagram: one physical box per function in the rack)

Function               SMB Adoption
Firewall               high
Email Server           high
File Server            high
Anti-Virus             high
Anti-Spam              medium
Anti-Spyware           low
VPN                    medium
Web Filtering          low
Intrusion Prevention   low
Reporting              low
IM/P2P/QoS             low
Archiving/Backup       low

New Threats & Apps: Phishing, SSL VPN, VOIP, NAC, Future Threats/Apps?

SMB network – the SIMPLE way!

OR

virtual 19” rack

Firewall, Email Server, File Server, Anti-Virus, Anti-Spam, Anti-Spyware, VPN, Web Filtering, Intrusion Prevention, Reporting, IM/P2P/QoS, Archiving/Backup

online library

New Threats & Apps: Phishing, SSL VPN, VOIP, PBX, NAC, Future Threats/Apps?

Thanks!

Q&A


How to Work with Untangle

1) Open Source: Have at it Baby!!!!!!!
   Vibrant forums & detailed support wiki

2) Join our partner program
   Professional package
   • Live support
   • Additional management features
   • Extra application – Clientless VPN

Partner Program Benefits
• Recurring revenue & 25% - 35% margin depending on volume
• Market development funds
• Free 1-on-1 training