Weblog

Solaris for security ISVs and network appliances With the recent and enhancements in the Solaris networking stack Solaris has become a very interesting player for ISVs and appliance vendors in the security appliance space.

First of all the fact that Solaris is open source and lets ISVs and appliance vendors link their proprietary modules with the OpenSolaris source code without distributing the source code of these proprietary modules or having to worry about legal concerns is a big plus over other OSes

Secondly, the recent and ongoing enhancements really put Solaris into the driver seat:

Solaris has made a huge step forward in the network performance space:

With FireEngine and Nemo the Solaris networking performance has gone up by some 50%

The arrival of the packet filtering APIs that Darren Reed is work on will be improving the firewall performance on Solaris by about 20% (This is the number we are getting with ipfilter)

Project Surya which is about to integrate into Solaris will greatly improve the forwarding performance


There are a lot of new cool features in Solaris or coming out soon:

Ongoing virtualization of the stack through Stack Instances as well as CrossBow will provide a much better control over the networking stack

A prototype for Ethernet Bridging is already available through OpenSolaris. Pretty soon will be integrating a more advanced version based on the CrossBow virtual NIC concept

Quagga is providing very cool routing functionality

You can expect a lot more really cool stuff out of the Solaris networking group in the near future! Let me know if you are interested in participating! ( Aug 10 2006, 06:56:31 PM PDT ) Permalink

CrossBow prototype available NIC virtualization and network bandwidth control are becoming a reality: My team just finished a prototype of the CrossBow project which creates that capability. [Read More] ( May 31 2006, 11:32:54 PM PDT ) Permalink Comments [1]

New features for ipfilter After a few discussions within the development team, with our marketing folks and with several customers I came to the conclusion that these are the features that we have to add to ipfilter:

• Enabling ipfilter within Solaris Containers: This will allow the user of a Solaris Container to set their own fire wall rules just like if they were running their own machine. That way the user has full control over their fire wall settings.
  
• Stealth firewall: This would allow filtering bridging traffic. Bridging is a feature that we are currently implementing.
  
• Comprehensive set of APIs into ipfilter: We have several customer requests for this right already. The right thing to do here is to come up with a comprehensive set rather than doing a number of one-offs. Lots of customers and ISVs would greatly benefit from this.
• ipf performance: We need to have a look at this one to see whether we can do further improvements in this department.
• RPC proxy support
• Improve usability, e.g. sample rule files

Aside from that we really need to write a comprehensive white paper. All that's available right now on bigadmin is the following: http://www.sun.com/bigadmin/features/articles/ipfilter.html

Comments?
Markus ( Jan 18 2006, 12:45:03 AM PST ) Permalink Comments [1]

Job opening - looking for talented engineers I am currently looking for a talented engineer to work on network virtualization technologies: Virtualization is becoming more and more important for the data center. This poses completely new challenges for Solaris networking. It is quite a paradigm shift to go from what happens in a real network into a virtual network that is hosted on a single machine. For more details please check out: http://www.sun.com/corp_emp/search.cgi?req=542706&p= Markus ( Sep 06 2005, 11:54:33 PM PDT ) Permalink Comments [1]

Ethernet Bridging Most recently my team has started to look into Ethernet Bridging. Michael Lim and Mike Ditto are currently working on a prototype. Ethernet Bridging would give people who need to change their network topology rapidly a lot of flexibility. It would allow them to add new machines into an existing network without having to reconfigure all of the routers. More to follow... Markus ( Aug 03 2005, 09:41:49 AM PDT ) Permalink Comments [4]

Solaris Core Technologies - Networking My team is working on a number of cool networking technologies like IP Filter, IPv6 and DHCP. We are just finishing work on IPv6 support for IP Filter and we are now starting out with a new project called Whitney that will define packet filtering hooks in Solaris for both IP Filter as well as 3rd party fire wall and intrusion detection software. Whitney provide a number of advantages like: - Enabling IP Filter between zones - Minimize the performance hit of packet filtering - Provide cleaner interface for packet filtering Another very ambitious project is looking at creating a read-only root file system. This would allow Solaris to make inroads into the appliance market. It also offers a number of security advantages. We are currently trying to scope the project. Stay tuned for updates. Markus ( May 15 2005, 10:28:56 PM PDT ) Permalink Comments [0]