Carrier class email security recommendation

todd glassey tglassey at earthlink.net
Mon Apr 12 15:15:19 UTC 2010


On 4/12/2010 7:22 AM, Suresh Ramasubramanian wrote:
> The man did say "carrier class" .. not "small webhost for four
> families and dog".  

Yes he did, Suresh ... meaning that something larger and more secure than
the off-the-shelf copy of Linux is needed. Funny, the NSA and many others
would disagree with you.


> You're talking multiple mailservers + filtering
> gateways / appliances etc, clustered .. 

or layered as stages within a new system design based on GPUs which
allow for the specific assignment of threads of control to specific
processes. Imagine a cloud type environment running in a single GPU with
the ability to properly map threads to GPU threads.

> rather tough to do that with
> one pizzabox 1U running a linux that's not updated in years and
> configured with webmin.

OK our server is 3U but that was because I wanted bigger fans inside
it... The 1U single TESLA based email GW is exactly what you describe -
a 512 thread CUDA based GPU with serious capabilities therein.

FYI CUDA, and the embedded nVidia GPUs changed that. Do you have any idea
how fast the email filters run in a CUDA? I do... and it's mindblowing.

Hell, the TESLA family of cards' 90 to 128 parallel threads of control
per GPU core can be assigned through CUDA to specific processes and
whamo - more OS horsepower than you know what to do with.

The high end cards generally have 2 or 4 GPUs making the total thread
count from 180 to 512 based on the model. The Pentium 4 sports a
whopping four (4) threads of control... 1 per core. We use 8800's for
end-node systems and the larger TESLA based service modules in scalable
production systems.

The cool part is running NTP in the embedded CUDA card with permanently
assigned TOCs (threads of control) so that the process never blocks.
That and the 1PPS disciplining makes time available to everything in the
system.

As to whose appliances do and don't -
-------------------------------------
IronPORT is a FreeBSD type deployment so it does... most of the Linux
Appliance systems can but many of them don't like Barracuda for instance.

In fact you may want to call Barracuda and ask for Stephen Gee or Steven
Pao - both of them will tell you they will not be upgrading to a secure
NTP version for some time unless the customers demand it.

Their emails (Stephen and Steven's) are SPao at Barracuda.COM and
SGee at Barracuda.COM so now you can ask them for yourself.


> Or whether that's a bigger constraint than an
> underpowered linux box? :)

Yeah - see a linux box with a Quad Pentium and a CUDA is a carrier class
device, especially if it's a dual-processor and has redundant bus and
power supplies. In fact these same systems are also used in
submicrosecond trading (aka algorithmic trading) so yes of course - they
are weak and unscalable systems right??? (not really Suresh).


> 
> On Mon, Apr 12, 2010 at 7:48 PM, todd glassey <tglassey at earthlink.net> wrote:
>> Yes William, but realize that was an "easiest method" solution. There
>> are any number of others as well.
>>
>> The point is that integrating an appliance type functionality is pretty
>> easy if you bother to take the time.
>>
>> What I really wanted to point out is how many of the devices don't allow
>> authenticated NTP meaning they are worthless from an evidence
>> perspective, something that we as network engineers are constrained by
>> as well.
> 
> 
> 

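The quoted point about devices that cannot do authenticated NTP is the one a defender can actually check for. The following is an added example, not code from the post or from any appliance vendor: a small audit of an ntpd configuration that flags time sources with no `key N` option, key ids not declared with `trustedkey`, and a missing `keys` directive. The sample configurations are constructed for illustration; only single key ids are handled, not ntpd's `(first ... last)` range syntax.

```python
"""Audit an ntpd configuration for unauthenticated time sources."""


def audit_ntp_conf(conf_text):
    """Return findings for an ntp.conf body as a dict of lists/flags."""
    keys_file = None
    trusted = set()
    sources = []  # (address, key id or None) for each server/peer line
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive == "keys" and len(tokens) > 1:
            keys_file = tokens[1]
        elif directive == "trustedkey":
            # single key ids only; ntpd's "(first ... last)" ranges are skipped
            trusted.update(int(t) for t in tokens[1:] if t.isdigit())
        elif directive in ("server", "peer") and len(tokens) > 1:
            key_id = None
            opts = tokens[2:]
            if "key" in opts and opts.index("key") + 1 < len(opts):
                key_id = int(opts[opts.index("key") + 1])
            sources.append((tokens[1], key_id))
    return {
        "keys_file_missing": keys_file is None,
        "unauthenticated": [a for a, k in sources if k is None],
        "untrusted_key": [a for a, k in sources
                          if k is not None and k not in trusted],
    }


# Constructed sample configurations (not taken from the post).
WEAK_CONF = """
# unauthenticated sources: nothing ties a reply to a known peer
server 192.0.2.10 iburst
server 192.0.2.20 iburst
"""

HARDENED_CONF = """
keys /etc/ntp.keys      # symmetric keys file, readable only by ntpd
trustedkey 1 11
server 192.0.2.10 iburst key 1
server 192.0.2.20 iburst key 11
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf))
```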