In today’s current environment it’s not unusual to see log files filled with thousands of entries for failed logins.  Botnets, compromised servers, and even foreign governments are directing their energies toward harvesting valid username/passwords for mail servers, SSH access, and web sites with massive dictionary and brute force attacks.  These attacks can come from several different sources at once and it’s not unheard of to see multiple machines co-ordinating a dictionary attack against a target machine.

To provide the reader with an idea of the scale, we have seen server log files for failed SSH logins grow to 27mb in size and accounted for more 40,000 login failures in a single week.  That was for a small mom and pop web site that had no eCommerce, no forum, or any other obvious attractive targets on it.  Clients with larger, more prominent services that have attracted a botnet’s full attention can see their log files grow into the hundreds of mb in no time. Imagine the number of attacks being directed against banking, social networking, and other high profile entities on the Internet.

There are several strategies for defeating this type of attack, both active and passive.  The most common of the passive counter measures is to employ very strong passwords, or move the attacked service to a different port.  These methods won’t work for a lot of businesses for several reasons.  Moving a web or email service to a non standard port increases support costs and often breaks software.  The general public notoriously picks weak passwords, and even when warned that their passwords are weak, use them anyway. (How to create a secure password)

This common problems has led to a couple of active solutions that work by monitoring log files and then executing commands to block a host based on behavior extracted from logs.  The most prominent is Fail2ban, an open source package written in Python, that can utilize several different methods to block the offending host.  The most common methods for blocking hosts in the Linux/BSD world is to use iptables or ipfw rules.

The Issues:

Fail2ban works very well for the individual server, but most large internet service deployments are comprised of several servers behind a firewall.  The problem we were faced with was not just the large number of physical machines, but the fact that each host had a number of virtual hosts that needed protection as well.   We wanted to block an attacking machine from all protected servers once it has violated the policy on any one of them.

If we fell back on just installing Fail2ban on each server, then a offending host is only blocked from one server at a time while still having access to the others.  In a large virtual environment where one is trying to keep the VM’s as free of extraneous software as possible, having iptables installed on each virtual host chews into memory requirements.  Managing the Fail2ban infrastructure across all machines becomes more complex and more costly as the number of machines increases.

The Solution:

In this case we have a Linux based firewall between the Internet and the servers.  Each machine and VM behind the firewall runs Fail2ban, but instead of creating a local rule, each host sends the IP of the bad host to the firewall.  This firewall will be used to block hosts for the entire network.  We accomplish this by using Fail2ban’s client program and some custom configuration on the protected hosts and firewall.  Below is an outline of how to centralize the blocking of offending host’s IP address using a Linux firewall, iptables, and Fail2ban.

Setting up the firewall:

Install Fail2ban on the firewall (For RHEL and clones, yum install fail2ban, for Debian apt-get install fail2ban).  Edit the /etc/fail2ban/jail.conf.  Adjust ignoreip to include IPs that should not be banned for any reason ever, this usually means management and monitoring networks.  Add a new jail as follows;

[default-iptables]

enabled  = true

filter   = default

action   = iptables[name=default, port=ssh, protocol=all]

sendmail-whois[name=default, dest=someone@geeforce.net, sender=fail2ban@fw.clientdomain.com]

logpath  = /var/log/fail2ban

maxretry = 1

In our case no other jails are relevant on the firewall, so they have all been set to “enabled = false”.  Now we edit the defaults action-iptables.conf file found in /etc/fail2ban/action.d

[Definition]
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I FORWARD -p <protocol> -j fail2ban-<name>
actionstop = iptables -D FORWARD -p <protocol> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
actioncheck = iptables -n -L FORWARD | grep -q fail2ban-<name>
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]
name = default
port = default
protocol = all

Finally we set up a chroot jail for a user on the firewall (Fail2ban) that has sudo permissions to run 2 commands /usr/bin/fail2ban-client and /bin/touch /var/log/fail2ban.  Be sure to touch /var/log/fail2ban and ensure that it is owned by the Fail2ban user.  This is necessary because the Fail2ban client doesn’t work the way you might think, and the user has to be able to touch that file to update the date/timestamp.  Create a ssh key pair to allow logins from remote hosts.

On the hosts, install Fail2ban and edit the /etc/fail2ban/jail.conf file.  Add the following jail;

[ssh-rban]
enabled  = true
filter   = sshd
action   = rban[name=SSH, fwip=IP.OF.FW.HERE]
logpath  = /var/log/secure
maxretry = 2

Create the file /etc/fail2ban/action.d/action-rban.conf that looks like the following

[Definition]
actionstart =
actionstop =
actioncheck = touch /var/log/fail2ban
actionban = /usr/bin/ssh -v -l fail2ban -tt <fwip> ‘sudo /usr/bin/fail2ban-client set default-iptables banip <ip>’ &&
/usr/bin/ssh -v -l fail2ban -tt <fwip> ‘/bin/touch /var/log/fail2ban’;
actionunban =

Test ssh connectivity by logging in to with fail2ban user from your host as root (fail2ban usually runs as root). Once you’ve succeeded in logging in, start Fail2ban on both machines and test.  This example only checks SSH logs for failed logins.  You can modify this setup as a template for any of the checks available for Fail2ban using the same action. This includes denial of service attacks, pop3 login failures, web login failures, and more.

Security Considerations

The methodology employed here took into account several different security and management considerations. One of the more common variations of this theme is to allow the remote Fail2ban server to add an iptables rule on the firewall directly. The method was rejected outright because providing the ability for a host to directly manipulate the firewall rules is extremely problematic from a security standpoint.  In the arrangement outlined here, a protected host could only block other hosts using the Fail2ban client.  Even the ability to unban clients is purposely disallowed.  The firewall itself makes the decisions on when to unban an IP.

An attacker that has gained entry to a protected host cannot override the centralize white list, nor does the firewall user allow an attacker to directly manipulate iptables.  The Fail2ban user on the firewall is specifically setup to be highly unprivileged, and limited, especially with a chroot jail in place.  The firewall essentially doesn’t trust the servers it protects.

This arrangement centralizes the management of all whitelisted IPs.  That makes changes very easy to roll out.  One caveat on the arrangement outline here; this has been specifically setup to block the offending IP from reaching ANY port on ANY machine for the duration of the ban time (defined in /etc/fail2ban/jail.conf).  That was a design choice, but the Fail2ban setup lends itself to banning specific service from offending hosts as opposed to banning all services. A denial of service can result from innocent people tripping the Fail2ban actions.  In this situation, that risk was considered minimal in regards to the amount of protection provided.

Conclusions;

Using Fail2ban to centralize the blocking of hosts has been a success everywhere it’s been deployed.  In one cluster alone, the typical /var/log/secure files went from being 10-20Mb or more every week, to a mere 200K.  Tens of thousands of password fails have been replaced by as little as 15.  By turning on different filters, one is also able to catch dictionary and brute force attacks against SMTP servers, WordPress sites, and webmail installations and protect them all with the same firewall.  This solution isn’t limited to the Linux or even Unix world.  With a centralized log server one can use Fail2ban to protect mixed environments, including Windows and Mac servers and centralize administration even more.   Fail2ban and an active centralized response to attacks just scratches the surface of a fully fleshed out security infrastructure.

IPCop is a Linux NAT firewall distribution that is built on Linux from scratch. It has its own easy to use web based interface and most importantly a large and well developed set of add on tools.  The current version is 1.4.21 and a new version should be out this year with even more features.

IPCop was designed to be used on “older hardware” or very low powered hardware. There are people running IPCop on original Pentium class machines without issue.  Since you will probably want to take advantage of some of IPCop’s add ons, I highly suggest a more modern machine.  In today’s environment one can build a brand new Atom based system, or get a whitebox, or even an off lease deal from TigerDirect or NewEgg and get a perfect machine to be your office’s router for $300 USD or less. The old Dell that used to be at the front desk that needs a new hard drive, but is under your desk might be a good candidate too.

A smart setup for a small office involves the base IPCop setup plus the addition of the url-filter and update accelerator.    The two addons provide great functionality for businesses.  Objectionable or inappropriate content is blocked from all work stations via url-filter, while anti-virus and windows updates will be cached locally with the update accelerator.  Together with transparent web proxying businesses with limited bandwidth get a bit of a network performance boost with this setup.  It’s especially effective when large windows updates have been pushed out.  [Take the time to purposely setup one PC to upgrade before the others in the office.  This "preloads" the cache so that no other computer has to go to the internet for OS or AV updates]

There are lots of other addons to choose from and IPCop has some great features built in, including the ability to set up site to site secure VPNs. IPCop provides basic qos settings, traffic graphs, and connection tracking.  Setup can be accomplished painlessly in less than 30 minutes (10 minutes if you’ve done some planning), has no “default passwords”, and I’ve personally had an IPCop machine with more than a year of uptime (ups mandatory) on  a heavily loaded fiber internet connection.

IPCop plus an old PC or a cheap PC is an excellent, secure, cost effective way to protect a small network.  The capabilities are easily extensible and it’s powerful enough to give some big name commercial security products a run for their money.  IPCop is highly recommended.

Which MySQL Cluster?

Often when you see web based application white boarded the entire DB backend is referred as the “SQL cluster”.    When you’re dealing with MySQL that could mean many things.  There is a high-availability, high-redundancy version of MySQL called “MySQL Cluster”.  The non cluster versions of MySQL can replicate data to multiple SQL servers via a master/slave relationship and multiple servers set up in this fashion are often called a MySQL cluster.  Do not confuse the two! The official “MySQL Cluster” only supports one type of storage engine – NDBCLUSTER. So if you develop your application to use MyISAM or InnoDB then you have to perform some major rewriting or some  other surgery for your application and data or you’re going to be out of luck.  For many environments that makes the official “MySQL Cluster” a show stopper.  If you’re not using data from a current  MySQL Cluster, or you haven’t been coding/creating with the NDBCLUSTER engine and it’s limitations in mind from the get-go, then using the official MySQL Cluster is a no-go.  This product is a specialized version of MySQL with it’s own quirks and it’s use must fit the problem you are trying to solve.   For this exercise in scaling we’ll use the regular MySQL and not the clustered versions because the databases and application code were all designed around InnoDB.

Our MySQL Scaling Goals

Our scaling goals for this project are simple.   In our configuration the application has been well thought out and it expects a read only database for read only queries and a write database for everything else, we want to take advantage of that.  We also know that read traffic is executed seven to ten times more than write traffic from testing.  The first goal is high availability.  We don’t want to change any web server config files or have our application wait for MySQL to timeout before switching to another SQL server.  Switching from a slow or down server has to happen automatically.  The second goal is higher performance. In our example we have 4 servers available for our backend, plus a monitoring server (build monitoring into your application architecture upfront and save yourself the downtime later).  The final goal is the ability to grow to meet demand.

A quick note about our goals: If you divorce your application from the database architecture you won’t be able to have an application that scales or performs very well.  In this article we’re looking at a pure backend solution, but what that architecture looks like was dictated by the application itself!  In the real world high performance applications should be able to take advantage of a caching layer provided by something like memcache and code needs to be designed from the get go to look at multiple SQL clusters or to separate read queries from writes etc. In many cases memcache alone could replace or mitigate the need for more SQL servers.  Relying on pure MySQL replication to scale only gets you so far and there is a point of diminishing returns.   Kellan Elliot-McCrea from flickr brings those points home in his article “using and abusing mysql“.

Getting the right tools

The very first thing we need to decide up front is, which compiled version of MySQL do we want to use?  Do we want to compile them ourselves? Do we use our vendors binaries or the pre-compiled binaries from MySQL or do we want to look at one of the MySQL project forks?  Here’s my advice, for most people in small, low transaction environments use what your vendor provides or the official MySQL built binaries. The releases are well supported and updates are rolled out on a regular basis. When you start needing other capabilities or need to squeeze more performance out of your SQL server, then it’s time to look at the high performance forks.  In our case we’ve been very happy with the percona MySQL builds, especially the ability to use their XtraBackup program.  This makes setting up MySQL slave servers easy and much faster, especially with larger data sets and InnoDB tables. (In actual testing doing a raw mysqldump and setting up a slave server with a 47G data base took almost an hour, using XtraBackup the same function took less than 15 minutes on a rather vanilla server).

MySQL Servers in Waterfall Master/Slave setup

Get, use, and love MMM (Multi Master replication Manager for MySQL).  It is a collection of scripts that performs automated fail over of your MySQL cluster in much the same way as UltraMonkey does for other services.  The advantage of MMM is that it is specifically designed for MySQL.  It allows you to define servers by their role (writer or reader).  With MMM only one node is writeable at a time, this prevents data getting out of sync in large waterfall environments. Reader roles can be balanced across several servers.  More importantly MMM will detect if a server’s replication is running behind and remove it from the being queried, until the servers replication catches up.  In the real world this is a life saver.

Get the maatkit tool set and install it on all your MySQL servers.  This toolkit should be de rigeur for any MySQL installation that has replication.  It is a collection of scripts that allows your DBA to more easily manage MySQL.  It has hooks built in for memcache and postgres as well. Like MMM it is a project that grew out of google code.

The Architecture

We set up the first two MySQL servers in master/master replication mode.  Here’s the twist, we will probably want to add more master SQL servers to the cluster later on, so plan for it now.  You can add several MySQL servers fully synced in a water fall style configuration. When you create your my.cnf file configure the auto_increment_increment to a value of two times the expected number of master servers.  So if you expect to only ever have five masters in replication, ensure that auto_increment_increment=10.  This allows you to add more servers to the cluster with a minimum of downtime.  Never set auto_increment_offset to zero and no two servers should ever have the same offset (common mistakes).

Our decision here was to have two servers in master/master replication with each master server having it’s own slave.  With a read load seven times the write load we need to spread those selects across the cluster.   This is where MMM really shines.  The read load is spread out among all of the machines while the write load is quarantined to the master servers alone.  The cluster can handle a huge read load and is orders of magnitude faster under load than a single server, satisfying the performance goal. If a server goes down or starts to fall behind in replication, it’s removed from the cluster so it has a chance to catch up.  This happens automatically and without intervention, satisfying the high availability part of our goals.

Final MySQL Architecture

We satisfy our scalability goal by planning the architecture to grow upfront.  If we see a spike in read traffic we can add more MySQL slaves on the fly.  If we see the need to spread out write traffic, we can add more master servers.  Proper monitoring and logging provide those statistics.

Since we’ve planned for more masters up front we don’t have to restart each server.  The ability to add a master sever on the fly without taking down the entire cluster is what makes MMM and the Percona Xtrabackup tool so critical.  When we run the Xtrabackup tool it provides us the logfile name and position as part of the output!  That means we have all the information required to setup and start a slave, performed in one action.  We use the MMM scripts to take servers in and out of service and also monitor their status.

Caveats

The architecture offered here was for a specific problem where we had some good metrics.  If the read vs write traffic was more even we would have set up the servers in a waterfall configuration.   All of the servers were using directly attached storage utilizing SAS drives in RAID 10.  The databases were small enough so directly attached storage provided the best redundancy and performance for the cost.  Once you start talking BIG databases then one needs to look at SAN architectures and ensure those considerations are baked into any design.

*While backended isn’t really a word, it perfectly describes what we’re talking about.  Please feel free to use backended in your next database or application discussion.

Gliffy is a cloud based alternative to Visio. The web based program is easy to use, comes with good templates, and best of all the free version is good enough to get you started.  It’s user friendly and the API is extensible to other web apps.  There are plugins for wordpress, jira, and confluence available now using the Gliffy API. Even though Gliffy considers their application beta software, it’s better than a lot of companies release products.

I’ve used Gliffy drawings at GeeForce.net, for clients, and to document my own networks.  It’s not a total replacement for Visio but for a majority of the documentation that I do Gliffy fits the bill.  Visio offers more templates and when one is planning and laying out a rack environment it’s almost impossible to beat Visio, especially when the vendors provide Visio templates for their equipment. Other than that niche, Gliffy is replacing Visio for producing network documentation, flowcharts, and basic room layouts (floor plans and data center space planning).

Bottom line, Gliffy is a great program that is easy to use and exports documents in either png format or as a Visio file.  You can use it just as easily for a quick “back of napkin” drawing to throw into an email or for a full blown Enterprise wide planning document.  The only thing missing is vendor templates and that is minor, more of a nice to have, not a must have feature.  For five dollars a month you get the pro version and it’s worth every penny.

A lot of email problems simply go away if the system architecture has been well designed.  The architecture that we lay out here took into consideration ease of email management, high availability, storage growth, data retention, and retrieval.  It is based on open source software, but the ideas and architecture can be applied to proprietary solutions with some modifications.

The analysis of this email problem started by breaking out each action of a typical email transaction (both delivery, management, and retrieval) into very specific tasks and then based on our requirements decide where those tasks belong.  We try to push task intelligence to parts of this clustered design where they make the most sense and provide the most benefit.  The key here was to never create a single point of failure and architect the design so that each task can be scaled seperately from the other tasks.  That way adding another layer of spam protection doesn’t require a total redesign.

Our solution creates 4 zones;

1. Inbound Zone (SMTP servers facing the Internet)
2. Storage Zone (Mail delivery and SAN)
3. Client Zone (Webmail & IMAP servers for client access and outbound SMTP servers)
4. Business Intelligence Zone (Archival, Tiered Storage Decisions, Company Wide Searches)

Common Data Between Zones

There are some elements of your email infrastructure that are required to be understood across all zones such as valid usernames, while other information such as password, or mailbox location only needs to be known by some of the zones.  The user information can be stored in a SQL or LDAP server and the information is replicated to each zone.  The data stored in SQL or LDAP can be used for other applications not related to mail such as user authentication, instant messaging, and billing.  In some Enterprises this requires the user SQL/LDAP layer to be pulled out into it’s own environment in others it requires a hybrid LDAP/SQL solution.  In our sample architecture the system in question relied on MySQL and replication was used on each machine to provide a local SQL store.

Zone 1 : Inbound

Inbound mail servers are defined in a domain’s DNS and it’s simple to delegate multiple inbound servers.  In the classic single box solution, there is only one inbound server.  The single server has to handle all inbound connections, all filtering, the mail store, and client connections. When the single server is flooded with lots of traffic, that traffic eats up resources and  ruins the end users email experience.  In the properly architected solution the load of incoming traffic is spread out among multiple servers that can be geographically diverse.

The inbound servers are also the first line of defense against unwanted mail.  The ideal is to prevent all suspect mail from ever making it into the mail infrastructure.  Why waste the end user CPU cycles, or mail storage on spam or virus emails?  In this configuration the inbound servers protect the mail store from unnecessary email traffic. After processing the accepted mail the inbound servers hand the email off to the mail store over a private network and deliver messages via QMQP or SMTP, adding another layer of protection as those connections can be throttled by the mail delivery servers to protect the mail store allowing the zone1 servers to act as a buffer during extreme traffic conditions.

Zone 1 features:

• Inbound servers have their own mail queue so that they can store mail if Zone 2 goes offline for any reason
• Inbound servers make decisions on accepting connectivity via real time black lists (RBL)
• Inbound servers make decisions on accepting mail for users during the SMTP transaction (don’t accept mail that has to be bounced later)
• Inbound servers handle SPAM and Virus tagging before handing messages to Zone 2
• Virus & spam analysis can be offloaded to other servers if the load is too high on the inbound servers providing an easy solution for additional capacity by simply adding more machines (virtual or otherwise) to the zone.

Zone 2 Storage

The mail store consists of 2 parts, the delivery machines and the storage area network (SAN).  The delivery machines receive email from Zone 1 and store in on the SAN, following any user specific delivery rules.  Unlike other systems the mail sorting is done during delivery.  This reduces the number of times a message “moves” around on the file system, and requires less handling. Both front ends mounted the same SAN share using a distributed file system (gfs2).

In our system the delivery machines were also the master SQL servers in master/master replication and master/slave replication to the other zones.  All user updates, adds and deletes are managed via a web interface attached to the SQL servers in zone2.  All of the zone 1 machines were pointed to a single IP, and the two delivery machines run in high availability mode with load balancing.

Zone 2 features:

• Storage growth is handled by the SAN & choice of File system.  Simply add more storage and then grow the file system.
• Tiered Storage can be provided by multiple SANs.  A high performance SAN for recent email and a slower but larger SAN for archival purposes.
• Delivery rules are stored and executed during the first delivery.
• Delivery can be scaled by adding front ends to either a common distributed backend storage or multiple common backends.
• The SAN is fully mirrored.  Should the primary SAN fail the backup SAN comes online automatically.  File system mirroring is handled at the SAN level.
• Since each clients mail store location is kept in a SQL server the ability to migrate from one SAN to another can be done “online” with no downtime.

Distributed Architecture

Zone 3: Clients

Zone 3 is the end user zone.  This zone takes care of webmail, smtp relaying (outbound), and imap clients (outlook & smart phones).  In our configuration there are two machines that mount the same SAN and run 3 services IMAP, HTTPS, & SMTP.  The 2 servers run in loadbalancing/high availability mode.  In this case the traffic combined with webmail load was light enough to combine all of the client services onto single machine.  Each client service can be easily moved to their own server providing scalability.  This zone deals entirely with internal client requests.  If a client receives, checks, or sends an email, regardless of device (laptop, phone, etc) it goes through this zone.

Zone 4: Business Intelligence

This zone mounts the same SAN and handles things like auto archiving, indexing of emails for better IMAP performance and other functions the touch your email but whose primary function ISN’T email.  Email management tools live in this zone (Web based in this case). The advantage of having a dedicated business intelligence zone is that this provides for application specific functionality and connectivity without adding to the performance requirements of any one specific area of typical email transactions.

Examples of good use zone 4 include document management software that indexes company wide emails.  This types of indexing becomes invaluable when discovery orders are issued or an executive leaves under dubious circumstances.  Custom reporting on email usage and quotas organized across corporate divisions provide reporting that enables IT to make rational choices on where resources will be best spent.  This zone is also where programs designed to automate tired storage and auto archiving decisions need to go.

Having one place to go to write/execute that intelligence provides an enterprise the flexibility that they need when addressing email specific issues AND it does it in a way that minimally impacts email.  A perfect example of what happens when you build that intelligence into the wrong place would be an auto archive program that a certain hypothetical email admin might install for their enterprise.  The auto archiving is too aggressive in it’s endeavor to archive everything older than (x) days (the default setting), leading to a huge slow down in the enterprise’s email delivery. The helpdesk phones won’t stop ringing and one can expect the fainter of heart support staff to be reduced to quivering piles of jello in a cubicle.  In the enterprise clients get cranky when the email doesn’t work.  When things finally get caught up the legal staff shows up on the admin’s doorsteps with pitchforks and torches.  Not Good.

Some system architects or vendors want tiered storage or auto archiving to live on the primary mail store, or in storage.  The issue is that neither of those areas has the native intelligence to understand how users use, or are required to access to email better than the user.  It gets hard to tell your SAN which users email folders needs to be faster; For example the CEO that refuses to archive and calls when searches take more than 5 seconds or try to have your mail server define which email documents are connected to a legal case. Business intelligence isn’t an oxymoron until your SAN decides which email is archived for you.

Design your business intelligence where it belongs, and where you can react quickly without impacting the primary function of your email system, which is to deliver mail.  When you tie it all together you have a low maintenance highly scalable email solution that a Fortune 100 company would be proud of.  All it took was a little bit of up front thought to design the proper architecture.

Xiotech gets storage

I enjoyed the Xiotech presentation by Peter Selin whose presentation followed mine.  His emphasis on true Total Cost of Ownership (TCO) calculations and understanding how the applications use storage dovetailed very nicely with points I had made earlier.  Xiotech’s presentation went a step further and went into application tuning and how that affects storage performance.  A good part of the presentation was “SSD  facts or fiction”.  There was an enlightening graph on  SSD (Solid State Drives) sustained IOPS  vs Time.  This was nothing new for those of us with SSD server experience, but an eye opener for a lot of people in the room.

If you’re unfamiliar with Xiotech’s concept, then now might be the time to explain what they do.  Xiotech looks at storage like a “black box”.  It doesn’t matter what’s in the box – what matters is the capacity, throughput and reliability of the data storage.  Their solutions utilize Fiber Channel and provide the foundation for a high performance SAN (Storage Area Network).   One of the most unique aspects is that the end user no longer worries about individual drives and data redundancy. Data redundancy  is taken care of by “the box”.  To add more capacity, add another box.  This moves intelligence out of controllers and applications into storage where it belongs.  Just like intelligent networks, having the right intelligence in the right place makes a lot of sense.

I haven’t had a chance to test or use the products but their architecture deserves a very close look when high performance storage is called for.  The company is talking about Fiber Channel over Ethernet in the future and I hope that they also look at Ata Over Ethernet (AoE) as well.

Cisco goes after the datacenter

Cisco’s presentations always pique my interest.  This is a company that spends a lot of time figuring out how to produce a better mouse trap (or buying the company that has) and it shows.

Network and Storage Cisco’s approach is a continuation of the approach that it helped pioneer, network convergence.  Yesterday’s converging voice, video, and data via IP is passé; Cisco is now converging the SAN/LAN (Local Area Network) networks into a unified fabric.  With Fiber Channel over Ethernet the same network is used for SAN and LAN connectivity, simplifying cabling and switches.  With Cisco’s Fiber Channel/Ethernet modules for their Nexus class switches, Cisco is providing a bridge between the current SAN and LAN.  With 10GE (Gigabit Ethernet) networks already here and 40GE just around the corner, the writing is on the wall.  Eventually all LAN & SAN traffic will be carried on the same network.  Robert Metcalfe’s invention lives eternal.

Servers and Virtualization This part of Cisco’s offering is where we see radical innovation. Cisco doesn’t have a history of building servers so their approach is clean sheet  and unique from what I’ve seen from other vendors.  What Cisco did was look at large virtualized environments holistically not just focusing on server, storage, or network individually.  Cisco has tried to converge and unify many components of a large virtulized environment and build management into the entire environment from the get go.  They call their approach the Unified Computing System or UCS.

The UCS structure combines a unified (or should we say converged?) 10GE network fabric with unique super high memory blade servers that can support up to 384 GB DDR3.  The management of the entire structure is built in.  Cisco provides for a virtualized switch within each blade, each virtualized server can be centrally managed in it’s entirety.  Moving a virtual instance from one blade to another becomes simpler because the network moves with the instance and doesn’t require reprogramming the switch.  Cisco’s approach will change the entire management experience for large virtualized environments.

Both presentations have given me a great excuse to deep dive into the vendor’s technology and applications thereof.  Cisco is showing off their C-Series servers in Orlando on March 9th (register for that even t here) and there is some good reading material over a Xiotech.  Keeping up with new technology and it’s application is one of the things I enjoy most about my job.

That was until JoikuSpot.

JoikuSpot is available for your Nokia Symbian or Linux based smart phones that turns your device into a mini hotspot.  This application is a paradigm changer. There is even a free “light” version  that only allows you to only access http/https content with a forced landing page.  That’s fine for the occasion user but most users will want the full blown version.  Without wires or extra devices you’re able to tap into your phone’s connectivity (3G for me) and get online in record time.

Verizon has attempted to solve the same problem with their MiFi solution, but why do I need to purchase and carry around another device?  With my current service provider (AT&T) I was able to use my cell phone while being online at the same time. With the prices coming down on unlocked E63 and E71 devices and good reviews coming on on the N900, the combination of JoikuSpot and a Nokia phone will be a must have for the hard core road warriors in the know.  If Nokia was smart they would bundle the application with their phones.

JoikuSpot isn’t just handy – it’s the holy grail for staying connected on the go.

Feng has all the applications you’d expect in an online collaboration suite – email, notes, contacts, files, calendar, tasks, time tracker and more.  What makes Feng different is the way it goes about collaboration.  It’s like a groupware crossed with project management plugged into a web 2.0 world.  The product handles multiple work spaces with ease (great for consultants) and it also handles multiple companies all from the same interface.  We use the application here at GeeForce were it is affectionately known as “The Goo”.