Over the last few years, virtualization has been successful at helping companies reduce the number of physical servers in data centers, leading to savings in space and power consumption. However, there is one area where consolidation has been elusive: network monitoring, analysis and security infrastructure.
In modern data centers, ensuring reliable and secure operation is a must, which in turn requires an array of network appliances dedicated to monitoring network performance and usage as well as providing security. This infrastructure is no longer optional, but a prerequisite, especially as data traffic increases and more services are consolidated into larger private clouds.
New technology developments now make it possible to consolidate network appliances using some of the same principles and technologies that were used to consolidate application servers, including intelligent adapters and intelligent data distribution mechanisms. The solution enables companies to further reduce their data center footprint, saving not only on capital expenses by eliminating appliance hardware but ongoing operational expenses associated with managing the devices.
An Abundance of Appliances
Running an effective and efficient IP network supporting multiple services requires a number of management tools. Some tools are software-based but, increasingly, many take the form of hardware appliances, such as:
- Network and application performance managers to monitor and analyze network usage
- Firewalls and intrusion detection/prevention systems to detect and block malicious traffic
- Data loss prevention systems to ensure sensitive information is not inadvertently shared outside of the organization
- Security event and information managers to profile network behavior and monitor for anomalies
- Data retention systems to log data for regulatory compliance
Many of these solutions are based on probe architectures, which capture and analyze data in real time either in passive, off-line or active in-line mode as a “bump-in-the-wire.” The challenge for these probe-based network appliances is keeping up with the speed at which traffic is delivered, as effective analysis requires that all data is available and none is lost.
Current Implementations — and Limitations
Traditionally, appliances live at the edge of the network where the LAN meets the WAN. It’s not uncommon that many network appliances need access to the same data on the same connections at the same time. These connections have traditionally been up to 1 Gbps, but now are increasing to 10G, 40G and even 100 Gbps to keep up with ever-increasing amounts of data traffic.
Technology and network appliance products that are widely deployed today can capture all traffic for analysis without packet loss across multiple 10 Gbps Ethernet ports. However, the majority of these are single-server implementations focusing on a specific task. This means that several network appliance devices need to access the same data at the same time.
Currently users address this problem by installing a load balancer or application delivery controller. A load balancer distributes data to multiple devices, to try to even out the load on the appliances. An application delivery controller takes the concept a step forward by adding some intelligence to the distribution decision by detecting which kind of data should be sent to which devices.
From a consolidation point of view, neither approach really helps. Bad enough that each network appliance is a separate device, but now an extra device (or devices) needs to be installed just to allow each appliance to access the same data.
The Consolidation Opportunity
A number of technology developments are converging to provide an opportunity to consolidate these network appliances, including:
- The availability of 40G/100G Ethernet standards
- Continually increasing processing power of CPU chipsets and standard servers
- The availability of intelligent network adapters
- Virtualization technology
The availability of 40G/100G Ethernet standards allows for higher-speed, highly scalable networks. Such networks enable users to consolidate multiple network appliances capable of 1 Gbps and 10 Gbps throughput on a single server supporting, for example, a 40 Gbps Ethernet interface or, eventually, 100 Gbps.
CPU chipsets from Intel and AMD continually improve — by up to 60% per year — and provide immense processing power, allowing for high-speed processing of data in real time in user space. What’s more, the number of cores per CPU chip and the number of cores per standard server are also increasing annually. This provides an opportunity to divide network monitoring, analysis and security tasks over multiple CPU cores and scale performance on a per-core basis. Since many vendors already build their network appliances on standard servers, it’s possible to upgrade the server platform on an annual basis and increase performance with minimal impact on the network appliance application software.
A necessary prerequisite to realize the above benefits is the use of intelligent network adapters. Unlike standard Network Interface Cards (NICs), intelligent network adapters are designed specifically for network monitoring and analysis applications and provide packet capture with zero packet loss, no matter the packet size or load on the network. Standard NICs usually begin to lose packet data once the rate exceeds 1 million packets per second. A 10 Gbps port will be receiving up to 15 million packets per second, which clearly illustrates the need for intelligent network adapters.
Additionally, intelligent network adapters provide advanced frame decoding and flow identification features that allow data to be intelligently distributed to multiple CPU cores. In practice, this allows multiple dedicated applications to be executed at the same time, because the jobs are divided up among multiple cores on the same server.
This provides the first opportunity for consolidation. By using an intelligent network adapter in a standard server, it’s possible to have a number of applications running at the same time each being fed data from the intelligent network adapter. In this regard, it fulfills the same role as an application delivery controller, but inside the server.
With this solution, we can effectively consolidate the functionality of different network appliances on a single physical server and remove the load balancer or application delivery controller from the equation.
Consolidation Using Virtualization
In some instances, however, this consolidation approach can be a challenge. For example:
- When the applications to be consolidated are running on different or legacy versions of operating systems
- When the applications to be consolidated require full control over server resources
In these circumstances, using a virtualization solution such as VMware can help.
With virtualization, it’s possible to migrate network appliance application software to a virtual machine, which can provide exactly the environment the application software requires (e.g. operating system, system settings, etc.). To the application software, it appears as if it is running on a physical server over which it has full control.
Making this solution possible requires a few ingredients:
- A data distribution virtual machine to act as a server providing data to multiple virtual machine clients
- An intelligent network adapter to capture data and provide data distribution intelligence
- A data distribution mechanism or protocol between the server and client virtual machines
In the case of VMware, a data distribution server virtual machine could use VMware DirectPath to control a 40 Gbps Ethernet intelligent network adapter. The data distribution virtual machine can thus distribute data to each appliance virtual machine on a per-port, per-protocol, per-flow or per-service basis, or it can replicate the same data to multiple virtual clients.
The VMware Virtual Machine Communication Interface (VMCI) protocol could be used to transport up to 30 Gbps of captured data between the data distribution server and the various clients. Any number of virtual machine clients could be supported as long as the combined amount of data provided to each client does not exceed 30 Gbps.
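The distribution logic described above (flow identification feeding multiple cores, and per-port, per-protocol, per-flow or replicated delivery to appliance VMs) can be shown in a few dozen lines. The following is an added example, not Napatech's or VMware's code; the packet fields, the appliance names and their rules are constructed for illustration. The flow hash is direction-independent so that both halves of a TCP or UDP conversation reach the same worker, which is what a stateful IDS or performance monitor needs.

```python
"""Flow-aware packet distribution, the job the page assigns to the intelligent
adapter (per core) or to the data-distribution VM (per appliance VM)."""
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class Packet:
    port: int    # ingress port on the adapter
    proto: int   # IP protocol number: 6 = TCP, 17 = UDP
    src: str
    dst: str
    sport: int
    dport: int

def flow_key(p):
    """Direction-independent 5-tuple so A->B and B->A share one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (p.proto, lo, hi)

def flow_hash(p, n_queues):
    """Pick one of n_queues workers for this flow; both directions agree."""
    digest = hashlib.sha256(repr(flow_key(p)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_queues

# Constructed policy (hypothetical appliances): one distribution rule each.
N_IDS_CORES = 4

def distribute(p):
    """Return {appliance: worker_queue} for one packet.
    ids:     replicated copy of everything, flow-hashed across N_IDS_CORES
    dns-mon: only UDP/53 traffic, single worker
    retain:  per-port split, one worker per ingress port
    """
    dests = {"ids": flow_hash(p, N_IDS_CORES), "retain": p.port}
    if p.proto == 17 and 53 in (p.sport, p.dport):
        dests["dns-mon"] = 0
    return dests

def queue_load(packets, appliance):
    """Packets per worker queue for one appliance, to check the spread."""
    load = {}
    for p in packets:
        q = distribute(p).get(appliance)
        if q is not None:
            load[q] = load.get(q, 0) + 1
    return load

if __name__ == "__main__":
    trace = [Packet(0, 6, "10.0.0.1", "10.0.0.2", 40000, 443),   # constructed
             Packet(1, 6, "10.0.0.2", "10.0.0.1", 443, 40000)]
    print(queue_load(trace, "ids"))  # both directions land in a single queue
```

A real adapter computes the hash in hardware over the parsed headers; the point the example makes is that symmetric hashing, not round-robin load balancing, is what keeps a flow's state on one core.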
With this solution, multiple network appliances can be consolidated onto a single server and the load balancer or application delivery controller can be removed. In short, you’ve achieved consolidation of network appliances in the data center.
What’s more, since the solution is based on standard server hardware and off-the-shelf products, it is an extremely cost effective means of consolidation that can help data centers continue to stay ahead of the cost curve while supporting ever-increasing amounts of data traffic.
Dan Joe Barry is vice president of marketing for Napatech, a provider of intelligent network adapters (www.napatech.com).