Helping Customers Look at Challenges from Other Angles
October 26, 2011 at 6:00 PM
Moving large amounts of data securely can be a complicated and expensive task. We had a customer that was attempting to move fourteen terabytes of data from Evocative to a secondary datacenter for redundancy purposes. The data was stored on a large SAN cluster, and the intent was to replicate it to an identical configuration in the secondary datacenter over a VPN tunnel. But they were running into serious trouble getting their name-brand firewalls to encrypt and transmit the data fast enough to finish the replication before the project deadline—the throughput would have been fine for ongoing asynchronous replication, but the initial base image would have taken weeks. The results of their efforts on their own hardware were so bad that they were contemplating leasing a point-to-point DS3 just to get the one replication job done. Taking that route, they would have had to wait six weeks for the carrier to install the DS3, pay for 12 months of service on it, and still not meet their deadline.
They mentioned the problem to us in our break room one day, and we started to collaborate on alternatives. Knowing they were having trouble with their current firewalls, even after spending hours with the vendor's support, we proposed that they put our managed firewall appliance to the test. In the past we have often found that some customers expect their security appliances to do too much. There is value in a Swiss Army-knife firewall appliance that can run many services, but oftentimes people forget that running many services concurrently comes at a cost to the performance of each. A device can be great for deep packet inspection, and it can also be great as a VPN tunnel endpoint, but expecting it to do both with good performance is, in some cases, unrealistic. On the flip side, buying a standalone proprietary solution for every task and service you want to run can get very pricey. This is where an open source solution can be very useful.
Our managed firewall appliance consists of a 1 GHz Intel processor, 1 gigabyte of RAM and an open source firewall distribution called pfSense, which is based on FreeBSD. To make it easy for the customer to get some useful tests running, we gave them one of our firewalls to put in their secondary datacenter and set up another one here. Once the firewalls were set up and a testing subnet was provisioned, we began testing by transferring test files back and forth between single servers in each datacenter. The unencrypted tests averaged about 85 Mb/s. Not bad, we thought; the appliance is designed to run at near line speed, and the limiting factor in this test was the 100 Mb/s interfaces on the firewalls. Next we tested over an IPsec tunnel. In this test the transfer was markedly slower, which was expected, as our stock appliance configuration is not designed for high-performance VPN tunnels; but even so, its results were still more than a 100% improvement over their current security appliance's VPN tunnel.
It became obvious at this point that there was nothing wrong with their current devices except that they were just not powerful enough to run the crypto on the VPN tunnel while also acting as a firewall: the IPsec encryption and the inspection features were contending for the same CPU. By using our firewalls as standalone VPN endpoints, they were able to improve the situation dramatically.
While it was clear that our embedded 1 GHz appliance wasn't powerful enough to reach the speeds they were after, it was obvious that we were moving in the right direction and it seemed likely we could get there easily. At this point we knew we needed more CPU power for the encryption, and gigabit Ethernet interfaces. One of the great things about pfSense is that it will run on just about any PC hardware, whether it be a 1 GHz embedded processor or a dual quad-core Dell PowerEdge server. As it turned out, the customer happened to have a couple of late-model commodity servers with quad-core CPUs on hand that were not currently deployed. In less than a day, we had switched out our basic firewall appliances and were testing pfSense on their beefier spare hardware.
The results were staggering. With the quad-core servers and pfSense, they were able to achieve an average of 400 Mb/s of encrypted traffic for their replication job to the secondary datacenter. The job that had been impossible for all practical purposes ended up taking just a few days with spare hardware and the open source pfSense package. The total cost of hardware and software for the VPN solution was zero, and all our advice and help with testing was free as well. With this solution they were able to meet their deadline without investing in new, expensive VPN gear or signing a year-long contract for a private DS3.
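As an added worked calculation (not part of the original post), the transfer-time arithmetic behind the figures above: the time to move the 14 TB base image at each throughput the post reports, plus a leased DS3 for comparison. The DS3 line rate and the 10-day deadline are assumptions; the post gives neither a DS3 throughput nor the customer's actual deadline.

```python
# Capacity-planning helper for a one-time bulk replication over a VPN.
# Figures (14 TB, 85 Mb/s, 400 Mb/s, six-week DS3 lead time) come from the
# post; the DS3 rate (nominal 44.736 Mb/s) and the deadline are assumptions.

TERABYTE_BITS = 8 * 10**12   # decimal terabyte, as storage vendors quote it
DAY_SECONDS = 86_400
DS3_MBPS = 44.736            # nominal DS3 line rate (assumed, not from the post)
DS3_INSTALL_DAYS = 6 * 7     # six-week carrier lead time from the post


def transfer_days(size_tb, mbps, efficiency=1.0):
    """Days to move size_tb terabytes at a sustained mbps megabits/s.

    efficiency discounts tunnel/protocol overhead (1.0 = raw measured rate).
    Use the rate measured *through the tunnel*, not the interface speed.
    """
    if mbps <= 0 or not 0 < efficiency <= 1:
        raise ValueError("rate and efficiency must be positive")
    seconds = size_tb * TERABYTE_BITS / (mbps * 10**6 * efficiency)
    return seconds / DAY_SECONDS


def compare_options(size_tb, options, deadline_days):
    """options maps a name to (mbps, lead_time_days).

    Returns name -> (total_days, meets_deadline); total_days includes any
    lead time before the link can carry traffic at all.
    """
    result = {}
    for name, (mbps, lead_days) in options.items():
        total = lead_days + transfer_days(size_tb, mbps)
        result[name] = (total, total <= deadline_days)
    return result


# Constructed comparison using the post's numbers and an assumed 10-day deadline.
SIZE_TB = 14
DEADLINE_DAYS = 10
OPTIONS = {
    "1 GHz appliance, unencrypted (100 Mb/s ports)": (85, 0),
    "leased DS3 (after install wait)": (DS3_MBPS, DS3_INSTALL_DAYS),
    "pfSense on quad-core servers, IPsec": (400, 0),
}

if __name__ == "__main__":
    for name, (days, ok) in compare_options(SIZE_TB, OPTIONS, DEADLINE_DAYS).items():
        print(f"{name}: {days:.1f} days, {'meets' if ok else 'misses'} deadline")
```

Running it shows the DS3 would still be in its install window after the quad-core pfSense pair had finished the job.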
We love to solve customer problems, and sometimes the best solutions are also the simplest. All you need to know is where to look, and maybe, to think a little outside the box. We take pride in helping customers find solutions to their problems and challenges, because we live for technical challenges, and we love to make customers happy. We always say that when you colocate with Evocative, you'll get more than just an access badge and a set of keys to a cabinet; you'll also get solutions. This is an example of how we deliver on that promise.
Russ Adams
Managed Services Manager
