Once upon a time, using open-source servers and applications for business was frowned upon in many circles. Today, you’d be hard pressed to find any sizeable infrastructure that doesn’t leverage open-source code in some form or another, be it a few MySQL databases, Apache on the Web servers, or a pile of Perl, PHP, Ruby, or Python applications holding things together.
But there’s one place in the modern enterprise infrastructure where open-source solutions have yet to make a sizeable dent, and that's in the very network that connects all of these pieces.
Of course, servers and network appliances such as routers and firewalls are fundamentally different animals. Servers are large, disk-laden, high-powered computers with Ethernet interfaces, running full-blown operating systems and applications ranging from light Web servers to heavy-duty databases. Routers and firewalls are slim little appliances that have no disk, run highly optimized and controlled operating systems, and in the case of routers, don’t require much administration beyond the initial configuration. In short, servers are from Mars, routers are from Venus.
But if we take a closer look at the functions of routing and firewalling, guess what? We find that not only do modern operating systems offer these features, they perform them as well as or better than their dedicated cousins -- and when using open-source software, for far cheaper.
The general rule of thumb when shopping for routers is to determine the requirements, then call Cisco or Juniper and get a quote – end of story. But companies like Vyatta and several open-source projects are challenging that notion, offering full-fledged, open-source routing platforms that are built on Linux or FreeBSD and run on standard x86 hardware. The server becomes the router.
Not so new
Vyatta’s approach isn’t all that novel, really. Linux has had fast, kernel-level packet forwarding, routing, firewalling, and NAT capabilities for a long time. But these capabilities are controlled through several different user-space applications, such as iptables, resulting in far-flung configuration files and relatively complex syntax – a far cry from Cisco’s single-file configuration and relative ease of use. This is where solutions like Vyatta Community Edition 4 (VC4) come into play.
VC4 is essentially a stripped-down Debian Linux distribution coupled with a custom shell that puts an "IOS" into Linux. Logging in to a Vyatta router can closely resemble the console of a Cisco or Juniper router, with basic commands such as "show ip route" performing exactly the function you would expect. This shell is called the Fusion CLI, and it offers control over specific routing functions as well as control over the Linux server itself. In this way, VC4 brings together open-source packages such as iptables and Openswan IPsec, gathering all these moving parts into a centralized configuration much like that of a Cisco or Juniper router.
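To make the "far-flung" point concrete, here is an added example (not code from the article, from Vyatta, or from VC4) of the bare pieces a plain Linux box needs in order to act as a stateful router and NAT gateway: a handful of sysctl knobs plus an iptables ruleset in iptables-restore format. These are exactly the scattered settings that a single-file configuration wraps up. The interface names (eth0 upstream, eth1 inside), the 192.168.10.0/24 inside range, and the choice to allow SSH only from the LAN side are assumptions made for the example.

```shell
#!/bin/sh
# Added example: a Linux host as a default-deny stateful router with NAT.
# Interface names and the LAN range are assumptions, not from the article.

WAN_IF="${WAN_IF:-eth0}"                 # assumed upstream interface
LAN_IF="${LAN_IF:-eth1}"                 # assumed inside interface
LAN_NET="${LAN_NET:-192.168.10.0/24}"    # constructed private range

# Kernel knobs: turn on forwarding and reject the classic spoofing/redirect tricks.
router_sysctl() {
    cat <<EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
}

# Ruleset in iptables-restore format: default-deny INPUT and FORWARD,
# connection tracking for return traffic, NAT (masquerade) on the WAN side,
# and a log line for anything from upstream that falls through.
router_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -j LOG --log-prefix "FWD-DROP: " --log-level 4
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Sanity check before applying: count rules that would ACCEPT new traffic
# arriving on the WAN interface. For a NAT gateway with no published
# services this should be zero.
wan_accept_count() {
    router_ruleset | grep -c -- "-i $WAN_IF .*-j ACCEPT" || true
}

# Lists the tables the ruleset touches (one per line).
ruleset_tables() {
    router_ruleset | sed -n 's/^\*//p'
}

# Apply both pieces. iptables-restore swaps in the whole table set at once,
# so a half-loaded ruleset never runs. Needs root; not exercised by the test.
router_apply() {
    router_sysctl | sed 's/ = /=/' | while read -r kv; do sysctl -w "$kv"; done
    router_ruleset | iptables-restore
}

case "${1:-}" in
    show)  router_sysctl; echo; router_ruleset ;;
    apply) router_apply ;;
esac
```

Run it as `sh router.sh show` to review the generated settings, and `sh router.sh apply` as root to load them. The point of `wan_accept_count` is the habit it encodes: generate the ruleset, check the property you care about (nothing unsolicited from upstream is accepted), then load it atomically with iptables-restore rather than issuing individual iptables commands that leave the box half-configured if one fails.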
"We package it up into a single file that can then be backed up with rsync, scp, or anything," says Vyatta Vice President Dave Roberts. "But you can also control the Linux system too if you want. You can even run a MySQL database on your router. Nothing’s off limits."
The only features that might be off limits would be vendor-specific protocols, such as Cisco’s HSRP (Hot Standby Router Protocol) and EIGRP (Enhanced Interior Gateway Routing Protocol). However, Vyatta and other open-source routers do support OSPF (Open Shortest Path First), RIP (Routing Information Protocol), and BGP (Border Gateway Protocol), as well as VRRP (Virtual Router Redundancy Protocol). Interleaving these routers with industry-standard commercial routers is generally a non-issue, as long as the protocols in use are open, such as OSPF and BGP. In fact, with large BGP requirements, the cost savings can be quite significant given that it takes a sizeable (and expensive) Cisco or Juniper router to handle large BGP routing tables.
Raw versus refined speed
Another facet of open-source routing is performance. In most cases, highly optimized packet forwarding code and custom ASICs will outperform generalized networking software. Given enough horsepower, however, that’s no longer true. You’re likely to get better performance from a server-class system running dual-core CPUs than from a Cisco router, even though the underlying code on the server might not be as heavily optimized. When planning a network that will terminate hundreds or thousands of VPNs at a central office, this is a very big deal indeed – especially with a Vyatta router coming in at around one-third of the cost of a Cisco 7200-series router.
Jim Rigas is the president of Zito Media, a company currently evaluating Vyatta routers for use in a new large-scale network. Zito Media is building a carrier network to serve small communities in northern Pennsylvania, and the routers will be located in each town or city to handle all the routing tasks. "We’re very interested in the BGP capabilities," Rigas says, "since that’s an important part of the network we’re building."
The potential cost savings is the big draw, and here Rigas is taking the long view. "We are believers in getting into something that rides the cost curve of standard CPUs, and doesn’t lock us into proprietary hardware," he says. "Particularly in an area like this, where we’re dealing with a smaller number of customers, the cost/performance ratio is very attractive."
When I was discussing the concepts of open-source routers with a few network admins recently, the first thing they jumped on was non-Ethernet routing. It’s simple to implement any system as an Ethernet router, because Ethernet NICs are commonplace. But there are only a few places in any infrastructure where Ethernet routing is required. After all, Layer 3 switches perform far better than routers at that task, and one of the main tenets of routing is to move packets between disparate media types, such as between an Ethernet LAN and a T1 circuit.
So where does that leave open-source routing? Well handled, as it turns out. Several manufacturers make TDM (Time Division Multiplexing) PCI interface cards. One of the most popular is Sangoma, which offers single-, dual-, and quad-port T1/E1 interfaces as well as T3 interfaces. With Vyatta’s code running on commodity hardware, these interfaces appear to the OS and can be configured like ordinary Ethernet interfaces. The single-port T1 interface costs around $700, so it's not bargain basement, but it offers a viable alternative for edge routing needs.
Another conversation point was political viability. It's easy to justify purchasing a Cisco network, but when you start coloring outside the lines, executives can get nervous. It's the same hurdle that open-source software has had to jump for years, though the widespread use of open-source projects has certainly lowered the bar. There may be no better answer to these issues than a side-by-side comparison of features and price. Many misgivings can be erased when the right numbers are presented.
VPN use is a case in point. Open-source routers can serve as extremely cheap VPN concentrators. Although they arguably do not offer the ease of configuration found in some commercial products, they do speak L2TP, IPsec, and PPTP. Several open-source VPN clients, including OpenVPN, are available for Windows, Mac, and Linux to support the end-user side. Given the horsepower available on commodity servers, it’s possible to build and run a very high-performance VPN concentrator without the high cost. Terminating LAN-to-LAN VPNs on open-source routers is significantly simpler because client software isn’t needed.
Who you gonna call
A case may be made against open-source routing by pointing out that when using non-commercial solutions, there is no support other than mailing lists and online forums. That is, there are no support contracts, no hardware support – nothing. Even with commercial support via companies such as Vyatta, there still may be no hardware support if you’re using your own hardware for the routers. Looked at another way, though, you are escaping hardware-associated support costs. And by using commodity hardware, there’s no real need for four-hour or next-day hardware support, because replacement hardware is widely available, unlike proprietary hardware from even mainstream vendors such as Cisco and Juniper. If your router is a Dell PowerEdge, then all you need to completely rebuild the router is a regular computer of roughly the same horsepower, the configuration file, and the installation CD. The router might be more work to maintain, but it’s also much cheaper, and rebuilds and repairs can be done significantly faster than through traditional commercial support options.
Walling your garden
Although Linux- and FreeBSD-based routers generally include a kernel-level stateful firewall, these are not always the best option for straight firewalling. For dedicated firewalling, other open-source projects such as IPCop and SmoothWall can come in extremely handy. IPCop, for instance, mates a well-designed and well-implemented Web UI with a plug-in architecture, offering everything from real-time throughput graphs to automated updates, VPN termination, full logging, DHCP and DNS servers, and complete control over access lists. The footprint of this customized Linux distribution is so small that you can install it on a Compact Flash card, and the hardware requirements to run even a high-throughput firewall are surprisingly modest. As an example, an IPCop firewall booting from a 256MB CF card and running on a Dell GX110 (667MHz Pentium III with 128MB RAM) has been the main firewall for my lab for nearly five years. In all that time, it’s performed flawlessly – exactly what you would want from a firewall.
SmoothWall, available in both commercial and open-source versions, offers a feature set similar to IPCop's. m0n0wall is another open-source firewalling and routing alternative, based on FreeBSD and the stellar Packet Filter (pf) firewall. m0n0wall is designed to be booted from flash on commodity hardware, and boasts a completely PHP-based initial configuration – no command line required. pfSense, also based on FreeBSD, is focused on non-embedded applications.
Any of these projects is more than capable of performing firewalling duties for a network of any size, assuming it’s running on suitable hardware. The configuration and management might be a little less straightforward than with some commercial products (though in some cases, they can actually be simpler and easier), and support is generally found through discussion groups and FAQs rather than a phone call to the vendor. But these days, even most vendors try to push support requests through FAQs and support forums anyway, so it might be considered a toss-up.
Finally, one of the more esoteric aspects of open-source routing is that it can be run within a virtual machine. Yep, even your routers can run on a hypervisor. While the only interfaces you can present to a VM router are Ethernet, that’s all you need to virtualize your VPN concentrator or to perform basic firewalling duties within a wholly virtualized infrastructure. At remote sites, if the Internet circuit handoff is Ethernet (as many are), then a virtualized open-source router can handle all the routing duties as well as VPN and firewalling tasks, all while sharing the same hardware that runs local server VMs. Essentially, you have a true office-in-a-box. All you need are the users.
When all is said and done, there’s little argument against using open-source routing and firewalling tools in almost any network, as long as your admins are comfortable with the technology. We know that open-source routing and firewalling solutions can meet or exceed the performance and stability of their commercial counterparts; the proof has been in the proverbial pudding for many years now. Maybe it’s time to hand over yet another part of the infrastructure to the open-source rebels. After all, in for a penny, in for a pound. It's good to have that choice.