Vyatta Interview

Can you tell us about yourself and your company?

 
"My name is Dave Roberts, and I am the vice president of strategy and marketing at Vyatta.
 
Vyatta was created to bring commercial-quality open-source networking products to market.

We believe that open-source has created a profound change in the market place,

shifting the balance of power from large corporations back to the users of products.

Open-source is about cost savings, increased flexibility and choice, and better security.

At Vyatta, we're trying to bring those qualities to the world of network infrastructure products.

 What sets your routing/firewall product apart from others like Zone Alarm, Guarddog, Firestarter and hardware firewalls?

 
Products like ZoneAlarm are host-based firewalls.

They are the kind of product just like the Windows firewall that runs on somebody's desktop.

While products like this can be valuable, they only protect a single machine.

While the can be used on servers, 

they can be difficult to administer when you need to make a rule changes that affects many machines.

This argues for the standard firewall appliance, essentially what you call a "hardware firewall."

A firewall appliance sits in the network and applies security policies to all traffic flowing through the device. You can firewall a whole data center full of servers with a single device. 

This makes it easy to update when policies need to change.

Rather than changing every server, you simply update the rule set in the appliance.

Guarddog is a firewall configuration GUI. It isn't a firewall itself, but allows you to configure other firewalls more simply.
 
Firestarter is a basic firewall that sort of spans the gap between a host-based product like ZoneAlarm and a firewall appliance.

Basically, you can run Firestarter on another distribution of Linux and it will do the firewalling.

In some ways, Vyatta is similar to a firewall appliance or Firestarter when used in a gateway mode: we are a gateway device that firewalls all the traffic flowing through us.

Where we're really different is that we focus on the whole of the gateway problem.

Put another way, the market for routers and firewalls is merging.

People finally looked around and noticed that just about every company has a firewall and a router at the connection to the Internet. 

The market is responding to consolidate those devices.

If you look at what Cisco is doing with the ISR series and Juniper/Netscreen is doing with the ISG series, it's clear that these functions are converging.

So, Vyatta is really following that trend, supporting both strong routing and firewalling features. Whereas a Netscreen product might have good firewalling, but be weak on the routing, or Firestarter doesn't do the routing at all, Vyatta is a complete product with both functionalities.

 How has the open source base of your product helped development?

 Open source has been a great help in our product development. 

We're both a consumer as well as a contributor to open source projects. 

The Vyatta system is based on a customized distribution of Debian GNU/Linux. 

We make use of the Linux kernel's fundamental networking capabilities and then layer a set of protocols such as BGP, OSPF, and DHCP on top of that.

We tie it all together with a CLI and a GUI that a network manager would understand.

To do all that, we rely on some components that are developed outside as well as some that are developed inside. Moving forward, we have been growing our development community.

Because the product is based on Debian, there are a wealth of opportunities for people to get involved and integrate functionality into the system.

 What are your support options?

 
We have three levels of support available today.

 Vyatta provides a number of community support options including a variety of users and 

hackers mailing lists, a wiki, an open bug tracker (Bugzilla), 

and a community Knowledge Base. These are free resources.

 
Vyatta then offers two subscription offerings: Professional and Enterprise.

These both provide updates and tech support through the subscription period

(1-year, 2-year, and 3-year options).

The difference between Professional and Enterprise is basically the hours of support and

the response time guarantee to any issue. Vyatta's web site has more detail.

 How do you do testing?

 
We use a variety of testing techniques. 

We have a couple of automated test beds here at Vyatta to which we're constantly adding tests.

We have dedicated test engineers who exercise the product in ways that the automated testing just can't and are also responsible for adding to the growing test cases.

For things like hardware compatibility testing, we perform some of it ourselves for selected platforms, but then we rely on the community to increase the breadth. 

There is so much diversity of hardware out there that we can't hope to replicate it all ourselves.

 What is the difference between the paid version and the free version?

 
Over time, we have recognized that we serve two different "customers"

with two different goals. First, there is a large community that generally wants the latest features. Second, there is a body of paid users that want a slower rate of change but greater stability.

To address these groups, ur goal is to use a dual train strategy, similar to that used by Red Hat with Fedora and RHEL or Novell with OpenSuse and SLES.

In this model, the community version becomes a fast-paced development version where new features are introduced regularly.

The commercial version is the object of more focussed testing. 

Features propagate from the community version to the commercial version as they are stabilized. Bug fixes propagate from the commercial version back to the community version as problems are identified.

Essentially, the main differences between the two are:

   * The community version will generally have more features.

We're just implementing this strategy right now, however,

and we're a bit out of sync on this.

Currently, the subscription edition has VPN support,

which is not in the community version, but this should change shortly.

   * The subscription edition will generally receive more testing and will be more stable at any point in time for a given feature. This is not to suggest that the community version will be unstable,

but only that it will be the first place where features appear and then mature.

   * Finally, with the subscription edition, you're guaranteed that you can get support from a trained expert as opposed to taking your chances on the mailing lists.

 Will you make a hardware unit for home users?

 
Someday, but not in the near future.

To really address the market of home users and make money doing it,

we need a *VERY* low-cost hardware platform. 

That means porting to something other than x86.

We can do this, but we'll need some hardware partners to help with a clean, low-cost, easy-to-manufacture hardware design.

 Does your software support wireless router functions?

 
Not yet, but that's an oft-requested feature.

 
 Do you work with embedded open source product (Open-WRT,DD-WRT, etc) makers?

 
Not today. In a sense, we're complimentary.

They are really addressing the home users, running on the existing WRT hardware platforms. We're going after the small-to-medium business market where things like hardcore routing are more desired.

 Will you make an embedded version for retail routers like Belkin, etc?

 We'll get there, but not in the short term. 

Again, the reason is that it requires a lot of changes to our build system and we'd probably have to cut down our system dramatically to make it fit in the limited resources provided by those hardware platforms.

 Why should an IT, end user or company use your product?

 Because it fundamentally shifts the user from a proprietary cost-curve to an open cost-curve. 

This is a deep, structural change.

While companies like Cisco make good products, they charge an astronomical price for them. 

For instance, we had one user look at expanding his existing Cisco router with a single Fast Ethernet port to do some additional LAN segmentation.

Cisco charges $1400 for a single Fast Ethernet port for the 1800/2800/3800-series routers!

In my world, that's a standard PCI card at $20. 

This customer realized that he could buy two Vyatta subscriptions for the price of that one Fast Ethernet port.

 Do you work with any other open source companies, distros, etc?

 We have great relations with a number of open source companies. We use a variety of open source software packages internally for our own infrastructure. The Vyatta system is based on a stripped-down version of Debian.

 How does your product setup compare to other products on the market for new users etc?

 Many people tell us that open-source networking products have been around for years. Many users will tell us of their experiences running routing on Sun workstations in the mid-1980s, or even 1990s. That's true, but in all those cases you have a system that fundamentally looks like a Unix system performing networking functions.

At Vyatta, we have taken the stand that a standard network administrator, familiar with products from Cisco, Juniper, and others, should be able to sit down at a Vyatta system and basically feel at home. Rather than dropping the user at a standard Linux bash shell prompt and asking him to edit configuration files with vi or emacs, we provide an integrated CLI like you would find on a "normal" networking system. While we do allow a user to drop down to the bash shell to do something advanced, the normal operation of the system doesn't require it. This means that users don't have to become Unix system admins in addition to network admins. A lot of the knowledge they already have transfers over to Vyatta immediately.

 Do you have add-ons that are verified by Vyatta?

 By add-ons, I'm not sure if you mean hardware or software. If software, at this point we don't have any that are verified by Vyatta that aren't included in the base product. We have based our system on Debian to allow users access to a large catalog of add-ons that might be attractive to them, and we're working on building our community in order to increase the functions and level of integration beyond what you might find with a Debian package, but to date we have not put in place any sort of certification program. This is coming, however, and we do see the need for it.

 What add-ons do you have and support thus far for your products?

 In terms of hardware add-ons, we have a variety of alternative network interfaces for WAN connectivity. Early on, we partnered with Sangoma technologies to tightly integrate support for Sangoma's family of T1/E1 and T3 cards into the Vyatta system. Over time, we'll be expanding that to other hardware interfaces.

 Do you use open and closed testing or just in house testing?

 I'm I provided some detail as to the way we do testing above.

 
 What hardware is supported and where can this information be found on the website and or documents?

 Fundamentally, Vyatta strives to support all modern x86 systems running in 32-bit mode. We have run on processors all the way back to Pentium IIIs. We support all the Ethernet cards supported by the Linux kernel and Sangoma T1/E1 and T3 cards, as described above. We have also put together a hardware testing program we call "Vyatta Ready." You can see which pieces of hardware have been formally tested on the Vyatta web site. See: http://www.vyatta.com/products/hardware_cat.php