So those are the three primary value drivers.
NW: I want to go back to the difference between virtual appliances and being in the kernel. Can you elaborate on that?
MC: One very simple difference is, if you're running something in the kernel it's just faster. You don't have the overhead of having a virtual appliance. Now depending on what you're doing, that may or may not matter. Something like a firewall, that really matters because you touch every packet and you have to do this at 10 or more gigs. That's purely a performance issue.
But there's another issue, which is more nuanced and not well understood. If I take a physical appliance and turn it into a virtual appliance, I haven't distributed it. If I deploy 10 of these it's just like deploying 10 physical appliances. There's no difference. My background is distributed programming. That's what I did before all this stuff. To distribute you have to rewrite the code so it's distributed, so you can have one view and it looks like one thing, which means you have to share all sorts of state, you have to rewrite the control plane, and you have to rewrite the way the application works.
A lot of companies do this sleight of hand where they'll take a physical appliance and move it to a virtual appliance and deploy them and then put a management layer on top and say, "Oh, look, it's distributed." But the reality is there's no global view. There's only a management side.
There are many problems for which appliances are just fine. For example, on the North/South border you might use virtual and physical appliances, but if you want to scale a service with a global view to handle all of the traffic within the data center, which is terabytes, you need to distribute it.
What we do is create this notion of a distributed firewall. This is a purely logical notion. It's a fully stateful firewall that has one port per VM. So if you have 10,000 VMs you have 10,000 ports in a distributed firewall. And then you take this distributed firewall and chop it into little, little pieces and you run those pieces in the hypervisor kernel, so there's a logical view of this 10,000 port firewall but the reality is only a little piece is running in the kernel.
So every packet still goes at wire speed, but we can also synchronize state if we need to because we're running it as a distributed application. For example, if a VM moves, the state moves with it, or you can share that state and so forth. It's actually written as a distributed application within the kernel. So every kernel has a little piece of this.