When I asked the question, “Why is virtualization of servers being adopted so quickly?” to determine what is driving next generation data center (NGDC) adoption, four common benefits consistently came into the conversation: consolidation, scalability, adaptability and automation.

Sure, not every person used these exact words, but the terms were all similar. So to amuse myself, I plugged all my research and notes from conversations into Wordle (www.wordle.net), a “word cloud” tool that is by far my new favorite work-time distraction. I purposely avoided using content I wrote for the Crossbeam Next Generation Data Center initiative to avoid skewing the results. The image below is what it produced.

Other than words that I suspected to come out on top – virtualization, security, next, generation, data and center – the most prevalent words related to consolidation, scalability, adaptability and automation.  If we examine these four benefit areas, it is clear to see how they relate to our goals for Next Generation Data Centers and how virtualization can enable them.

Consolidate

The concept of consolidation is not new; having the ability to get the highest level of performance out of the minimal number of devices has always been a goal. Virtualization and advances in processing power, backplanes and operating systems has made this a reality. Not only do we have more available performance, with virtualization, we have more intelligence in the way we distribute that performance. This allows us to use fewer boxes without impact to the way systems meet the demands of our environments.  From a non-technical perspective, virtualization lowers operating costs and reduces management complexity.

Scale

Many people have a hard time defining scalability. I have always defined it as the ability to meet current demands while being positioned to extend the same capabilities quickly when needed in the future. Scalability in the Next Generation Data Center is critical. There are countless predictions about the demands of future data centers, including how many and what types of devices each user will use to access data on the network, how many new users will be added to the network over time and how much throughput or growth will occur in terms of bandwidth requirements. The reality is there is no crystal ball that can predict the future, so the NGDC needs to be future-proofed in order to support whatever demands may be placed on it in years to come. Virtualization answers this by providing the ability to quickly implement additional resources to meet new demands.

Adapt

Adaptability is often confused with scalability. In my opinion, scale is about delivering the same capabilities at a larger capacity, and adaptability provides the flexibility to re-align to changing requirements that may not necessarily require the same capabilities. Here is where I think virtualization really pays off, because it enables organizations to add, remove or move resources quickly and easily to keep pace with ever-changing business demands.

Automate

Automation provides value from two perspectives. Firstly, automation allows organizations to replace the human element when performing monotonous activities. For example, configuring switches one by one can be replaced by sending the same update to a number of switches at a single time. Secondly, it allows us to address situations on our own schedule, instead of constantly putting out the most current fire. Think of a system that can instantly balance the workload across multiple resources – if certain resources fail, the environment can redistribute the load across the remaining resources. This may not deliver optimal performance, but it will allow the system to remain running and avoid catastrophic failure. Virtualization delivers this benefit by allowing for the automation of several tasks, including modifying setting across multiple VMs (virtual machines). Virtualization also allows for the movement of VMs without turning the VMs off resulting in zero-outages.

Thinking back to the conversations conducted during my research, I believe that consolidation, scalability, adaptability and automation are true benefits of the Next Generation Data Center. Having the ability consolidate to optimize our resources, scale to meet future demands, adapt to align to new demands and automate to make our lives easier can provide tremendous benefits from both a technical and business perspective.  With the amount of technology at our fingertips, it is clear that the evolution to the next generation data center will allow us to architect a future-proof, change-ready and business-enabling environment to meet today’s and tomorrow’s challenges.

We would like to hear your perspective about the benefits of virtualization.  Please post a comment below or feel free to contact me directly at brobertson@crossbeam.com.

1. Smoothing CPU spikes and increasing performance
2. Reducing hardware expenditures
3. Minimizing operational overhead

Given these benefits, it makes sense to consider virtualization any time it can eliminate more than one physical server for every hypervised server. For the most part, this is holds true for the average server where performance depends on CPU, memory, and disk access; modern hypervisors provide near-native performance for these resources.  But one area that hypervisors continue to struggle is in networking throughput.  Because they must emulate switch ports, queues, network cards, and potentially millions of CPU interrupts, networking throughput can take a significant toll on the host system in terms of CPU overhead ^1,2.

For servers where throughput is the result of processing (e.g. a web page or dataset), networking overhead is not a concern because it accounts for only a small percentage of total CPU usage.  But does the same hold true for applications where processing is the result of throughput, such as a firewall?

Virtualizing a network security application in the same hypervisor as other hosts creates two problems.  First, it violates a key assumption of server virtualization: servers will not be busy at the same time.  In fact, these applications only become busy when other hosts are busy creating the throughput in the first place.  Second, as shown earlier, hypervisors are not efficient at network processing so we can expect far more CPU cycles per gigabit than we would get on a native appliance.  The net result is that CPU spikes are magnified rather than smoothed meaning that far more hardware will be required than if the security application had not been virtualized.  So much for values #1 and #2.

Additionally, putting security applications on each and every hypervisor will require more effort from security teams as there will be more gateways to manage, policies to keep track of, and software installations to maintain.  In other words, value #3 didn’t apply to security in the first place.

At the end of the day, managers who are considering virtualizing network security appliances onto platforms such as VMWare or Hyper-V should seriously consider the negative consequences of doing so.  Running these applications alongside other servers is unlikely to yield any value and might very well nullify the benefits of virtualizing the servers in the first place.

1. http://download.microsoft.com/download/5/E/6/5E66B27B-988B-4F50-AF3A-C2FF1E62180F/ENT-T589_WH08.pptx
2. http://www.vmware.com/pdf/vsp_4_vmxnet3_perf.pdf

The new iPad should prove to be the perfect showcase for 4G speeds. So if the new iPad is such a hot commodity and so spectrum-efficient, will it help relieve the capacity crunch created by the exploding number of mobile devices?  Not really!

Supporting LTE on the new iPad will help move a portion of the traffic off traditional 3G networks onto LTE networks. And it certainly reinforces Apple as a driving force in the industry as highlighted by Morgan Keegan analyst Tavis McCourt, “With about 11 per cent of industry shipment volumes of smartphones and tablets, Apple generates about 47 per cent of the industry’s revenues, and over 80 per cent of its operating profits.”  However, as noted by Michael Gartenberg, an analyst with Gartner, “iPad consumers aren’t buying the latest-generation iPad just because the carrier version now has LTE. If you’re getting the new iPad, you’re buying it because of the retina display and the faster processor,” he said. “The 4G connectivity is just icing on the cake. That’s especially true given that the majority of tablet users access data via a Wi-Fi connection, rather than via a carrier data plan.”  The iPad’s LTE support will be important in moving the entire LTE ecosystem forward, and has already become a lightning rod for the differing 4G definitions and frequency bands used for LTE globally. Hopefully longer term this LTE ecosystem will achieve its hidden yet very real value of delivering a bit of data far more cheaply than previous-generation technologies.

In my last blog post on the survey findings, I shared how network security is one of the top three technology areas that organizations are looking to virtualize as part of their migration to the NGDC. The next logical question is to find out where they are today in relation to meeting that technology goal. Table 1, shows that out of the top three areas of focus, Network Security is furthest away from reaching the goal.

On average respondents feel they are only about 59% complete in reaching their network security virtualization goals, as shown in Table 2.

When asked where they predict they will be in the next 12-18 months, respondents on average think they will be 58% complete, as shown in Table 3. Now we know they didn’t go back and the loss of 1% can be attributed to standard deviation.  In reality, respondents are predicting zero change in being closer to realizing their network security goals over the next 12-18 months, as Table 4 shows.

This is alarming! If we look back at history, the traditional data center security infrastructure evolved “one problem at a time.” With each new threat, IT organizations added a new point solution to their network infrastructure. Over time, the “appliance sprawl” phenomenon left organizations with incredibly complex, rigid and costly security infrastructures – forcing IT staff to spend time managing this abundance of products, rather than focusing on security and business enablement.

The fluid motion of virtualized server environments within the NGDC, dictates that IT organizations move away from reactive and static approaches of the past. The nature of the virtualized environment has the potential to open the organization to threats and risk due to the ease of moving applications and data. Unfortunately, the survey results reveal a troubling lack of progress in the NGDC with respect to network security. All the good intentions in the world won’t help if network security continues to fall behind other areas such as servers and storage.

According to our survey, budget restraints and lack of network security expertise are cited as the top reasons why there is a slowdown in the move toward the Next Generation Data Center architecture.

If IT organizations want to realize the operational and cost- and energy-efficiencies of the NGDC, then it’s important that we don’t repeat the mistakes of the past when it comes to network security –reapplying the one appliance, one a security application approach in the NGDC, leading IT organizations to continue addressing security in a reactive manner. While it’s clear that investments should be made to improve the overall network security expertise level of IT professionals. It’s also clear there needs to be greater priority place on network security — because the proper virtualized security infrastructure will enable other areas of the NGDC to realize their full potential.

However, we would like to hear form you. Do you agree or disagree? What do you see as the leading reason for slowing down progress to reaching virtualized network security goals?

So what does a cloud strategy mean for the technologies that are a part of it?  While there are many different definitions for the cloud, they generally have at least three criteria in common:

1. A cloud provides a user experience that is abstracted from any supporting technologies
2. Has the ability to adapt and scale quickly and easily
3. Is always available with virtually no service interruptions

Networking and IT security professionals are directly involved with #2 and #3 above.  They need to ensure that the networking and security infrastructure can scale on a moment’s notice and at the same time take a bullet without so much as a hiccup.  At the same time, IT security professionals are also concerned about not being a roadblock to revenue, which is generally driven by rule #1.

In December, Crossbeam and Spirent released a ground breaking methodology for testing mobile clouds based on the above criteria.  We could have easily rigged the test design so that our performance scores were much higher, but knowing that no customer networks would look like our test lab, what good would the results be for our customers?  In the end, we did reach an impressive 108+ Gbps, but we did it in the context of realistic packet sizes, connections per second, concurrent connections, applications, user behavior, and network architecture in a mobile cloud environment.

Following the release of our results from the above tests other vendors began to make performance claims far above what we reported.  Indeed, one vendor even claimed to have the world’s fastest firewall.  But do these technologies actually meet the requirements outlined above?

The short answer is that recent claims to half-terabit firewalls are nothing but fluff, and not the kind you find in clouds.  In every case I have seen these numbers are a result of summation; some marketing guy takes the throughput numbers from several independent components and adds them together.  For example, one vendor recently laid claim to a 500+ Gbps firewall.  What the company neglects to tell readers is that the only way a customer can reach these sorts of speeds is if particularly static traffic enters and exits specific ports on pre-defined modules in the chassis.  In other words, if you architect your network so that all the customers, data, and throughputs align just so, you can reach a combined 500Gbps across what is really several firewalls sharing sheet metal and power.  A strange looking cloud, indeed.

In their move towards a cloud strategy, organizations need bullet proof IT security that will adapt, scale, and enable their businesses.  They need to be able to add capacity, services, and availability to existing networks, not something dreamed up in a test lab.

Analyst and blogger John Oltsik of Enterprise Strategy Group sums up the market movement quite well in his recent blog, “F5 Shakes Up the Firewall Market,” which talks about not only F5’s entry into the high-end firewall market, but also activity from Check Point, Sourcefire and Cisco as well.

Why is one of the most mature segments of the security market getting this sudden infusion of activity?

It’s clear the security landscape is increasingly difficult to navigate. The volume and sophistication of threats facing enterprises today is unprecedented and IT professionals are taking a fresh look at the firewall market as they look for ways to improve their security posture. The demand for answers to growing security problems has drawn the attention of companies that were previously less involved, such as Dell.

It’s no surprise that Dell is getting into the game, because as firewalls become more and more intrusive (deep packet inspection), they impose a larger tax on network performance. This makes hardware a critical consideration when deploying a next-gen firewall — which is why you also see software-based security companies coming out with their own hardware appliances to support their firewall solutions.

This introduces a few thoughts for consideration. The big performance toll that next-gen firewalls exact on the network begs the question of whether customers are actually deploying these solutions properly. A survey we conducted over the summer exploring the “performance vs. security tradeoff” showed that 81 percent of respondents admit to shutting off functionality in their security products because they were slowing down their network. The survey also found that most respondents are not using the full capabilities of their next-gen firewalls and are, in fact, only using the minimum features. IT organizations need to take a close look at their real-world network performance needs, and what these next-gen firewall solutions can offer in reality. The key is to test these products under real-world traffic conditions.

Secondly, as firewalls become more sophisticated and the sheer volume of data they inspect continues to exponentially grow, the hardware they run on can quickly become insufficient to meet the processing and performance requirements.

Companies who have traditionally used off-the-shelf appliances and servers like Dell and Check Point will need to be careful. Hardware for security must be treated differently, with a keen eye on making sure we have enough horsepower over the long haul, with the flexibility to enable more features as the risk profile changes.

My hope is that this new resurgence in firewall technology, together with recent acquisitions, will place additional focus on providing a much needed boost in security innovation – not only in the software but also the hardware.

Virtualizing All Aspect of the Data Center

Based on the survey findings, it is no surprise that application servers, storage, switches, routers and network security are going to be virtualized, each with different degrees of virtualization. It is also not surprising that application servers are expected to have the highest percentage of virtualization, with storage as the second highest. What is interesting is that network security came in third over switches and routers. This indicates that respondents want to leverage virtualization within the supporting security infrastructure, basically extending the private cloud. Table 1 shows how each technical area ranked.

Table 1:

Still Some Work to Be Done

When asked how they view their current data center in regards to the level of virtualization, it is apparent that all areas have some work to do. But out of the top three areas that are leveraging virtualization, network security has the longest way to go, as seen in Table 2. Also, respondents deem network security as the biggest obstacle to meeting their overall Next Generation Data Center vision. The responses are shown in Table 3.

Table 2:

Table 3:

To read more about the survey results and key findings, please read the Crossbeam research note titled ”An Examination of Virtualization within the Next Generation Data Center”

Crossbeam Customers Moving Ahead

Even though virtualizing network security is seen as an obstacle, when we compared respondents who have implemented the Crossbeam solution to those that have, not we found those with X-Series platforms in place feel that they are closer to reaching their Next Generation Data Center goals by over 38% as seen in Table 4.

Table 4:

For Crossbeam, this is was an important finding, We wanted to make sure that the benefits of the X-Series platform in the NGDC, as we see them, are actually delivering the results we expect within our customer base. This data point validates Crossbeam’s approach, but in looking at the survey findings overall, it’s clear that there is still a lot to do to help organizations advance the state of network security if they want to fully realize the benefits of the NGDC.

We would like to hear from you.

What role do you see virtualized network security playing in your Next Generation Data Center?

Defined realistic test and methodology
It was with that context that we wanted to: 1) realistically measure the Quality of Experience (fast page loads, Service Levels, speed of access, and all the metrics previously discussed) and 2) measure the ability to perform consistently and reliably with realistic firewall traffic at high volumes of data traffic on a Gi or SGi interface out to the Internet. That is why Crossbeam recently worked with Heavy Reading, EANTC, and Spirent to define a test that would emulate real mobile data traffic as a series of transactions that accurately reflected user behavior.  For instance, depending on the actions taken by each subscriber, a series of connections and transactions would by generated by the Spirent Avalanche system.  The relationship of Simulated Users in Avalanche to TCP Connections to Layer 7 Transactions varied during the test, as it would in a production network. Each of these subscribers generated mobile data traffic as the test ramped according to the loading curve defined in the Spirent Avalanche, and continued to increase for a sustained period before ramping down. The chart to the left summarizes the actions of the simulated users.

So how did the Crossbeam platform perform?
The Avalanche system measured subscriber Quality of Experience, bandwidth, TCP connection count and rate, transaction count and rate, errors, HTTP status codes, and more, over time.  In all over 700 metrics were collected by the system every four seconds. Despite various combinations/challenges, the Crossbeam X80-S consistently performed the following:

• 106-108 Gbps of sustained throughput during the testing plateau even when firewall, IPS, and NAT were enabled at the same time, while:
• Simultaneously maintaining 240,000-250,000 concurrent open connections per second
• Performing 675,000 transactions per second
• Impacting the Web browser page render time of 10 ms (milliseconds) at 106 Gbps of throughput.
• Check out Crossbeam’s press release for details of the results

How will Crossbeam perform in actual Mobile Operator networks?
Since the results were based on a comprehensive set of traffic traversing a firewall at the Gi/SGi interface, with no single metric optimized or “cherry picked” from multiple tests.  Thus, the results are indicative of the results you would obtain with this traffic profile.  Given our experience during this testing and more importantly in actual deployments, the following factors might impact overall performance:

• Higher throughput throughput may require additional X80-S platforms
  (which might be desired to increase resilience from 5 9’s to 7 9’s)
• Higher connections per second may reduce throughput
• Lower user Quality of Experience metrics may enable higher throughput
• A changing traffic mix, such as an increased proportion of large packets, e.g. an increasing proportion of video may increase throughput, whereas other shifts may stress the firewall or impact user experience more
• Enabling extensive IPS rules may reduce throughput, despite the minimum impact in this test

Thus, it is essential to evaluate your specific environment, and assess not just performance, but also user experience, along with predictability of that user experience to retain subscribers.

Check out the whitepaper from Heavy Reading that examines the EANTC test results in the context of current mobile operator challenges or review the webinar or video for more insights.

March 27, 2012 – The Lure of the Next-Gen Firewall Market

February 3, 2012 – The Lost Decade of Networking

November 21, 2011 – Good Things Come to Those Who Wait (…but it’s way better to get it fast)

October 12, 2011 – Crossbeam Introduces a 1.28TB/s Platform

July 25, 2011 – Are We Solving the Appliance Performance Problem?

July 19, 2011 – Has Marketing Gone Too Far?

April 24, 2012 – Consolidation, Scalability, Adaptability and Automation – Real Benefits or Just Words?

April 9, 2012- Are We Repeating Our Mistakes?

March 26, 2012 – Survey Results: Crossbeam Customers Closer to their Security Vision in the Next Generation Data Center

November 29, 2011 – Crossbeam Management Solution: Inventory Auditing and Reporting

November 8, 2011 – By The Numbers

September 15, 2011 – Private Cloud Formation is an Evolution

May 20, 2011 – Can Security be a Differentiator for Cloud Computing Providers?

May 4, 2011 – Learning from the mistakes of others

April 21, 2011 – The Private Cloud Journey

January 27, 2011 – When is the right time to move to the cloud?

January 13, 2011 – Cloud Computing