Virtualization Report | David Marshall » TAG: Network Virtualization

March 26, 2008 | Comments: (0)

Virtual security switch technology launched by Montego Networks

Just before the start of the 2008 RSA Conference, Co-Founders Bob Darabant (CEO) and John Peterson (CTO) announced the launch of Montego Networks, a new company whose Montego HyperSwitch technology is described as an innovative virtual security networking solution that delivers policy enforcement, access control, and secure switching for virtual networks.

With everything happening around the announcement, I was still able to catch up with John Peterson so that I could find out more information about his latest venture.

Q: How did Montego Networks get its start? What brought your company into this virtualization space?

A: The founders of Montego Networks recently came from Reflex Security, which is providing solutions in the virtual security space. After spending much time talking to customers about their security challenges in the virtual world, our CEO (former EVP of Sales and Marketing at Reflex) and myself, CTO (former Chief Product Officer at Reflex), saw an opportunity to solve a different, more pressing problem than what Reflex was trying to solve. Thus we decided to step out on our own to build a product / company. We chose the name Montego Networks because Montego Bay, Jamaica, one of my favorite spots in the Caribbean, conveys an image of relaxation and ease of mind. Everything in Jamaica is said to be not a problem ("No Problem Man"). So, given that securing networks is always challenging and often stressful - we wanted to build a company that delivers solutions that are easy to use and help remove some of the stress associated with security.

Q: As virtualization continues to expand in the datacenter, what are some of the challenges that people can expect to face, and how does Montego Networks hope to answer those challenges?

A: "Virtual server sprawl" means more resources to protect and more resources that have the potential to communicate with each other outside of security guidelines. Montego Networks offers products that allow virtual servers to be isolated from each other and allowed to communicate with each other - only if security policy has been defined. Early on, customers would put like types of servers/applications in the same trust domain but now customers are putting a mixture of virtual servers in the same trust domain. This development is driving an emerging need for virtual server isolation. The challenge? How to do this in the environment (i.e., in the vSwitch), and how to do it in a way that does not cause major negative impacts on network performance.

Montego solves these challenges by offering a high performing solution that allows security controls between virtual machines. We've married security and networking to accomplish this - and do so through our Montego HyperSwitch product which is the world's first "virtual security switch". Montego not only has security technologies such as Firewalls, but we also have networking technologies such as server load balancing, QoS, Network Discovery, 802.1D Spanning Tree, 802.1Q VLANs, etc.

Q: A number of solutions recently appeared on the market, and others have been around for some time now, each trying to address security and virtual networking. What makes you stand out? Or how does Montego differ?

A: Montego Networks only sees a new company called Altor Networks as a competitor. Their messaging is very similar to ours although we believe they will not have a product until late summer 2008. We don't see other competitors in the market and feel there are good reasons for them to want to partner with Montego. When people think of "security in the virtual environment" they think that everyone is in the same bucket and compete with each other. While we may compete for the same mindshare, we all offer very different solutions that address very different problems. For example, Blue Lane provides Patch Management, Montego provides Firewalling and Reflex Security provides IPS. All three technologies are needed and do not compete. It's like saying Trend Micro competes against NetScreen. Montego Networks will be able to partner with those types of companies because we believe we are an enabler for security within the virtual environment. We are able to extend our capabilities of VM to VM inspection to our partners. Today Blue Lane, Reflex and others are not providing VM to VM security. Through Montego's "Policy Based Switching" capability we can have either of those solutions hang off of our solution and send traffic to their inspection engines on a VM to VM basis. This also improves performance for those applications because now no longer are they forced to inspect 100% of the traffic like an inline device but maybe only 10% of the traffic because the user can now define policy around what he wants to have inspected by those 3rd party applications. For example, a network manager might want to set a policy that defines that only Virtual Server #1 will be inspected by Blue Lane (because it is a more critical asset).

Q: Can you tell us more about your HyperSwitch technology?

A: The HyperSwitch technology delivers an integration of security and switching - to provide a secure environment for resources managed by the hypervisor (Virtual Servers and Virtual Desktops). The technology intercepts traffic from the vSwitch (the name used in the case of VMware) and matches the traffic against its security policies and if allowed to flow we will deliver the traffic back to the vSwitch so that it can be delivered to its final destination. We basically grab the packets, inspect them and then switch them back. The security policies that can be put on the packets are by way of our multi-firewall and 3rd party inspection approach. We have a Layer 2 Firewall, L3-L4 Firewall, Identity Firewall, and Content Firewall. Outside of that we can forward traffic to 3rd party security applications such as Blue Lane, Catbird, StillSecure, Reflex and others. All of this is VM to VM which no one else on the market offers today (Altor just released claims to their ability to do this and although we believe they will some day, they do not today).

Q: What virtualization platforms do you currently support? And what are your plans for additional platform coverage?

A: Our initial release supports VMware today - however the product technically works in Citrix, Virtual Iron, and other Xen-based environments. We also plan to support Microsoft when they release. The reason we have not announced official support is mostly due to product testing, documentation and readiness vs. technical challenges. We plan to be heterogeneous.

For more information about the company and its product, you can listen to their podcast on their home page, or watch their product preview video.

Again, I'd like to thank John Peterson, Chief Technology Officer and Co-Founder of Montego Networks, for taking time out to speak with me.

Posted by David Marshall on March 26, 2008 04:42 PM



July 28, 2007 | Comments: (0)

Cisco Gears Up for Data Center 3.0 with VFrame

While at its Networkers conference in Anaheim, CA, Cisco announced its roadmap plan, calling it "Data Center 3.0". The funny thing is, I just got used to living in the "Data Center 2.0" era described to me some six or so months ago. My, how these things fly! I half expect someone to declare Data Center 4.0 by the end of the year... ok, perhaps 3.5.

In any case, part of this announcement from Cisco included the introduction to its VFrame Data Center (VFrame DC), an orchestration platform that leverages network intelligence to provision resources together as virtualized services. Cisco claims this approach greatly reduces application deployment times, improves overall resource utilization, and offers greater business agility. Further, VFrame DC includes an open API, and easily integrates with third party management applications, as well as best-of-breed server and storage virtualization offerings.

VFrame DC is a highly efficient orchestration platform for service provisioning which requires only a single controller and one back-up controller. The real time provisioning engine has a comprehensive view of compute, storage and network resources. This view enables VFrame DC to provision resources as virtualized services using graphical design templates. These design templates comprise one of four VFrame DC modular components: design, discovery, deploy, and operations. These components are integrated together with a robust security interface that allows controlled access by multiple organizations.

"VFrame Data Center offers unprecedented orchestration within the data center network, for dynamically re-programming server, storage and network resources into agile application services," said Jayshree Ullal, Senior Vice President, Data Center, Switching and Security Technology Group, Cisco. "This agility addresses the need for greater time to market for complex E-commerce application deployments by customers."

Cisco VFrame Data Center components include:

  • Cisco VFrame Data Center Appliance: Central controller that connects to Ethernet and Fibre Channel networks
  • Cisco VFrame Data Center GUI: Java-based client that accesses application running on VFrame Data Center Appliance
  • Cisco VFrame Web Services Interface and Software Development Kit: Programmable interface that allows scripting of actions for Cisco VFrame Data Center
  • Cisco VFrame Host Agent: Host agent that provides server heartbeat, capacity utilization metrics, shutdown, and other capabilities
  • Cisco VFrame Data Center Macros: Open interface that allows administrators to create custom provisioning actions

The technology, while impressive, isn't new. Back in 2005, Cisco purchased the Mountain View, CA company Topspin for $250 million. Topspin focused on server fabric switches providing a high performance, programmable infrastructure for grid and utility computing, clustered enterprise applications, and server virtualization.

With virtualization becoming the "next best thing" in IT, what better time to dust off this technology and reintroduce it to the market. VFrame DC is an important component to help Cisco reach its vision for the next generation datacenter which includes the real-time, dynamic orchestration of infrastructure services from shared pools of virtualized server, storage and network resources, and optimizing application service-levels, efficiency and collaboration.

Posted by David Marshall on July 28, 2007 07:24 AM



September 19, 2006 | Comments: (0)

NetXen's I/O Virtualization Unleashes Potential of Server Virtualization

NetXen, Inc. introduced a complete I/O architecture that unleashes the potential of server virtualization.

Based on new functionality for the company's Intelligent NIC family, the NetSlice architecture dramatically improves a server's I/O performance by supporting multiple virtual I/O channels. By offloading network interface tasks from the host server, the NetSlice architecture allows datacenters to greatly increase server consolidation with virtual machine scalability -- one of the primary goals of server virtualization strategies.

Because NetXen's new I/O virtualization architecture leverages the company's programmable Intelligent NIC, datacenters get a flexible platform that accommodates a wide variety of virtualization schemes. As standards become available for I/O virtualization, the NetSlice architecture can easily adopt them to provide the highest possible performance at each step in the technology's evolution.

"I/O virtualization extends the benefits of server consolidation strategies built upon virtual machines," said Anne MacFarland of The Clipper Group, Inc. "Server consolidation is a common trend in the datacenter, but it can result in I/O contention between VMs, impeding performance. I/O virtualization addresses this issue. That it allows more rapid provisioning and simplified system management is the icing on the cake."

"Virtualization and the convergence of networking, clustering and storage are major drivers in next-generation datacenter networks," observed NetXen's vice president of marketing, Vikram Karvat. "In this environment, Intelligent NICs are the ideal solution because they offer scalability and bandwidth, as well as the flexibility to accommodate changing standards."

The NetSlice architecture introduced today provides a broadly applicable set of functions for I/O virtualization, including support for as many as 1,024 VMs, multiple DMA engines, DMA remapping for PCIe-related activities, interrupt moderation for managing each virtual channel independently, mapping of multiple MAC addresses to the virtual NICs of a given VM, multiple transmit and receive queues dedicated to each VM, and virtual switching and traffic steering based on Layer 2 and Layer 3 packet header information.

NetXen has configured these functions to work with currently available server virtualization hardware and software. Since the industry has yet to establish standards for I/O virtualization, NetXen offers operating-system-specific solutions when necessary. As standardized schemes become available, they can easily be implemented in NetXen's Intelligent NICs via firmware upgrades. Datacenter investments in the new virtualized I/O architecture are thus protected into the foreseeable future.

In addition to introducing the NetSlice I/O virtualization architecture, NetXen is announcing support for VMware's ESX3 system. The new NetSlice I/O architecture works with the ESX3 system to enhance VM scalability.

The ultimate goal of the NetSlice architecture is to optimize the VMs' I/O subsystem for direct access to I/O resources. Ultimately, the VMs will bypass the host-based protocol stacks for nearly all networking functions.

Posted by David Marshall on September 19, 2006 06:45 PM



August 27, 2006 | Comments: (0)

Stealth Virtualization Start-Up with a Who's Who List

Multiple sources in the industry are talking about a new start-up venture that is being launched in the San Jose area - called Nuova Systems or Nuova Impresa (Italian for 'new enterprise'). There doesn't seem to be a lot of information about the company floating around, but bits and pieces of information have materialized here and there about this stealthy project.

The company is supposedly working on some type of virtualization project in the storage networking space that would combine storage, networking and computing technology in a single box.

According to The Register, "The system is meant to align with Cisco and Intel's larger strategy around Data Center Ethernet (DCE)". They continue, "Broadly, DCE is a proposal to add more virtualization to networks and make it possible for myriad types of traffic to share Ethernet networks. It's not hard to imagine a company such as Cisco seeing Nuova and DCE as a means of encroaching on the turf of Sun, IBM, HP and Dell."

ByteandSwitch describes what the company is doing as "trying to aggregate compute IO from the server and centralize it into a single or small number of network elements, connected back to the servers via a high-speed low-latency 'closed' network". This frees up processor memory and CPU cycles so that larger clusters of servers are possible.

According to both The Register and ByteandSwitch, Nuova seems to be attracting some top-name talent to the organization. According to different reports, names being mentioned as coming aboard this stealthy operation are:

Tom Lyon, founder of Ipsilon Networks, an early contender in IP switching that was acquired by Nokia.

J.R. Rivers, the Cisco Distinguished Engineer who led the team developing the Catalyst 3750 enterprise switch.

Ed Bugnion, founder and former CTO of VMware, the recognized virtualization leader in the industry.

Fabio Ingrao, the project lead for server start-up Fabric7.

Dan Lenoski, the former VP of engineering at Cisco.

As you can see, if reported correctly, it is definitely a who's who list of players.

Posted by David Marshall on August 27, 2006 07:49 AM



June 11, 2006 | Comments: (0)

Network Virtualization - Enter Project Crossbow

How cool would it be to be able to divide your physical network interface card (NIC) into several virtual interface cards and have the ability to prioritize networking traffic as well as having full resource control? Well, it could be a reality as Sun researchers and project "Crossbow" attempt to solve networking problems by making sure each application gets a set amount of bandwidth.

The project is described in the following way:

Crossbow provides the building blocks for network virtualization and resource control by virtualizing the stack and NIC around any service (HTTP, HTTPS, FTP, NFS, etc.), protocol or Virtual machine.

Each virtual stack can be assigned its own priority and bandwidth on a shared NIC without causing any performance degradation. The architecture dynamically manages priority and bandwidth resources, and can provide better defense against denial-of-service attacks directed at a particular service or virtual machine by isolating the impact just to that entity. The virtual stacks are separated by means of a H/W classification engine such that traffic for one stack does not impact other virtual stacks.

Project Crossbow is the next step in the evolution of the Solaris networking stack and brings bandwidth resource control and virtualization as part of the architecture itself instead of the usual add-on layers which have heavy overheads and complexity.

Project Crossbow is an OpenSolaris Project. More information about the project can be found on their official Web site, here.

Posted by David Marshall on June 11, 2006 07:03 AM


