Manageability, security, and performance are always hot topics in the computing world. At times the focus shifts between them as needs and technologies change, but these areas have remained key vectors of enterprise computing for a long time. However, in many cases these usability vectors conflict with each other. IT managers’ desire for security and manageability may lead to extra applications and process hoops for end users, which can decrease performance. Increasing the ability to remotely and seamlessly manage a pc almost always adds security headaches that must be dealt with. Enterprise IT design is always about finding the right tradeoffs and improving the process over time.

One technology that has been around for quite a while to help improve security is IPsec (aka, IP Security). IPsec is a set of protocols for securing and authenticating IP packets by encrypting their contents in an end-to-end manner. Most people are familiar with IPsec as the underlying technology for facilitating Virtual Private Network (VPN) connections from the outside of an organization’s LAN to inside the network. IPsec secures the Internet to Intranet tunnel in this case.

Using IPsec to set up a VPN can be a bit of a pain because you have to key in an access code or password and it’s far from seamless. On the IT manager’s side, this setup does not eliminate security problems because the VPN tunnel only secures the network pipe once it is established. There is nothing stopping the end user from browsing the web on their work computer or somehow exposing it to a virus before connecting to the corporate network in a secured way. This has a few downsides from a manageability perspective. First, the security is compromised because of potential infections transferred from an insecure network to the corporate network due to lack of continuously active protection. Second, the manageability of this solution is lacking because enterprise systems outside of the corporate network are not manageable until the user manually connects to the VPN gateway.

So while using IPsec to help create a VPN connection provides functionality that is secure and provides outside-in access to the corporate network, it requires additional configuration by the end user, is not seamless for either user or administrator, and is generally provided by an additional application running on the system. This is all non-optimal.

Enter Microsoft* DirectAccess*. In Windows* Server 2008 r2 for servers and Windows* 7* for clients Microsoft* will be supporting a seamless IPsec support layer called DirectAccess*. What this will provide is the ability to integrate the encryption/authentication of IPsec directly into the Operating System so the end user connects securely outside and inside the corporate network to the systems and applications they need via IPsec. Because this is integrated into the OS, the set up of the security and connection details are more seamless from both an IT person and end user perspective. Initial configuration is obviously required, and each IT organization must set up the security policies to their own specifications, but once that is done the system is up and running.

Microsoft*’s implementation of this functionality at the OS level, so each application can have its own secure IPsec tunnel. This can provide secure access both outside and inside of the corporate network. Up until recently, using IPsec internally has not been of much focus, but recent estimates suggest 80% of successful attacks come from internal threats, so encrypting and authenticating internal data is now in focus for IT administrators. Microsoft* DirectAccess* allows for this new seamless security model.

Now this all sounds well and good… but what’s the catch? Well, a key angle here to note is that IPsec is a highly CPU intensive technology. Encryption and decryption of IP packets in real time can easily swamp a CPU core when attempting to push much more than a few hundred megabits of network data. For a typical end user system, a few megabits of data across a few IPsec connection applications will likely not cause much heartache, but for network servers that are hosting potentially thousands of simultaneous IPsec connections while trying to drive multiple Gigabits of I/O the performance results will be much more… uhh, what’s a nice way to say ‘unimpressive’?

In order to solve this issue, Intel networking products offload the computationally expensive encryption engine (AES-128) onto the LAN Controller while the IPsec configuration, management, policy creations etc all remain in the OS to keep usability simple. Intel offers both dual port 1 and 10 Gigabit networking solutions that support not only solid performance on standard networking workloads and advanced virtualization features, but also the ability to offload IPsec in hardware to improve system performance under large IPsec I/O workloads.

For companies looking to enable IPsec into their network environment using DirectAccess*, they have the potential to improve security, reduce complexity, and enhance manageability of their end clients. They just need to remember that in order to make this all work seamlessly on the server side without choking off processing performance, offloading the IPsec workloads to I/O hardware will be a requirement.

Intel® Ethernet® can deliver this support in adapter or down on motherboard form factors while supporting a wide range of Enterprise class performance and virtualization features. So is this a way to improve security and manageability without impacting performance? It seems that way to me.

-----

Ben Hacker

For more information on DirectAccess* -- http://www.microsoft.com/servers/directaccess.mspx

Given the recent intense focus in the industry around data center power management and the furious pace of the adoption of virtualization, it is remarkable that the subject of power management in virtualized environments has received relatively little attention.

It is fair to say that power management technology has not caught with virtualization.

Here are a few thoughts on this particular subject, which I intend to elaborate in subsequent transmittals.

For historical reasons the power management technology available today had its inception in the physical world where watts consumed in a server can be traced to the watts that came through the power utility feeds.  Unfortunately, the semantics of power in virtual  machines have yet to be comprehensively defined to industry consensus.

For instance, assume that the operating system running  in a virtual image decides to transition the system to the ACPI S3 state, sleep to memory.  What we have now is the state of the virtual image preserved in the image's memory with the virtual CPU turned off.

Assuming that the system is not paravirtualized, the operating system can't tell if it's running in a physical or virtual instance. The effect of transitioning to S3 will be purely local to the virtual machine.  If the intent of the system operator was to transition the machine to S3 to save power, it does not work this way.   The virtual machine still draws resources from the host machine and requires hypervisor attention. Transitioning the host itself to S3 may not be practical as there might be other virtual machines still running, not ready to go to sleep.

Consolidation is another technology for reducing data center power consumption by driving up the server utilization rates.  Consolidation for power management is a blunt tool, where applications that used to run in a physical server are now virtualized and squished into a single physical host.  The applications are sometimes strange bedfellows.  Profiling might have been done to make sure they could coexist, as a priori, static exercise with the virtual machine instances treated as black boxes. There is no attempt to look at the workload profiles inside each virtualized instance and in real time.  Power savings come from an almost wishful side effect of repackaging applications formerly running in a dedicated server into virtualized instances.

A capability to map power to virtual machines, in both directions, from physical to virtual and virtual to physical would be useful from an operational perspective.  The challenge is twofold, first from a monitoring perspective because there is no commonly agreed method yet to prorate host power consumption to the virtual instances running within, and second from a control perspective.  It would be useful to schedule or assign power consumption to virtual machines, allowing end users tomake a tradeoff between power and performance.  Fine grained power monitoring would allow prorating power costs to application instances, introducing useful pricing checks and balances encouraging energy consumption instead of the more common method today of hiding energy costs in the facility costs.

Everyone is talking “green-energy” and “power-efficiency” these days. Reducing carbon footprint, renewable energy, CFLs, solar power, biking instead of driving, etc… the list goes on forever. Many people are excited to do something to change power consumption, but as a server administrator - are the proper tools in place?

Many of you have probably experienced the power/efficiency example at home. When the summer gets hot - many of us run to the thermostat and set it accordingly. When it's REALLY hot outside, we tend to twist the dial cooler - knowing all along, that our electric bill will most likely be higher at the end of the billing cycle. So, what do we do?

Some of us just live with the higher bills, some of us turn off the A/C and struggle in the heat - but I'd hope that most of us set the thermostat to a 'livable' temperature - it may not be the coolest, but it's enough to do the job and keep the electricity bills at a more moderate level - in a sense, it's a happy medium. In today's modern age, thermostats are programmable - taking a lot of the guesswork out of our hands and automating many of the old day-to-day temperature functions that our parents had to follow... Intel server platforms are evolving in this realm as well!

As a server admin, do you have the tools and technologies to reduce power consumption? There are several avenues addressing this issue, and I suggest reading the post from Lori Wigle on http://communities.intel.com/openport/community/openportit/server/blog/2007/11/14/data-center-efficiency. The datacenter is different from the desktop… server admins aren’t likely to enable sleep states to save energy – but rather, increase utilization on fewer servers to maximize your performance output in relation to your server footprint.

When was the last time you looked at your server’s power footprint? Do you even know how much power you’re using? Some of you may have some power meters and can monitor a server (or a few servers) at a time… but how many of you can monitor a rack or servers or a datacenter?

What if this capability was built into your current generation Xeon server platform? The good news is that modern processors DO have power management capabilities. Based on the ACPI specs:

Each Pn State is a "notch" in the processor's performance powerband (as seen below)

As these performance notches are set, the processor will lower it's power envelope and reduce the power needed in order to save energy. Just as a note, EIST must be enabled in the BIOS for this performance enhancement to work on your platform.

If you attended Intel’s IDF (Intel Developer Forum) you may have run into a few demos in regards to Datacenter Power Management, my booth showcased 4 current generation Intel Servers based on Bensley/Starlake Xeon DP boards and Xeon 54xx Series (codename Harpertown) Processors.

Here’s a quick video showcasing the demo – and just a note - we’ll be redoing this in a higher-quality format soon – so stay tuned!

Hopefully if you’ve watched the video – you’ve got some questions! The good news is that we have a new website from the Intel Software Network that is focused on Intel® Dynamic Power Datacenter Manager. The site lists the features, system requirements, downloads, and FAQ to get you started!

I’m looking forward to your feedback and questions!

.

Over the past months, you have likely heard about the challenges that data centers in the U.S. and world wide are facing. Energy costs - typically around 10% of an IT budget-could account for 50% of the average IT budget in just a few years.¹ 59% of ITs cite power and cooling as a growth limiter. ² While those challenges may seem daunting, Intel sees many opportunities to improve energy efficiency in nearly every aspect of data center operation that consumes power.

Intel's recently announced Harpertown processors, based on 45nm technology, go a long way toward helping address the issues data centers are facing. Because they deliver up to 2X the performance-per-watt of prior Intel® Dual-Core processors in the same power envelope in the same socket, Intel Xeon® processor 5400 series enables a data center to double its compute capacity or maintain its current compute capacity using half the number of servers. Either way, the energy efficient performance improvements that are delivered are quite impressive.

What is often lost in the discussion of processor power and performance is the fact that they are small but important part of a larger data center system. This system is comprised of the IT equipment (servers, networking, and storage) as well as non-IT support equipment (power delivery, cooling and air handling, and other environmental controls). By looking at the data center holistically, IT organizations can better manage increased compute demands, lower their energy costs and reduce total cost of ownership.

The IT industry, driven by the work of groups such as The Green Grid, is developing a series of metrics to assess data center efficiency as the ratio of useful work output divided by total power consumed by the entire facility³. This holistic view of where the energy is being used has identified large energy efficiency gains in the operational practices of getting power to the IT equipment, where in many cases as little as 50% of the energy is going to the IT equipment.

There are number of approaches to increase data center efficiency based on this holistic view, and they vary widely in terms of investment required and energy savings. In addition to our energy efficient processors and systems, Intel is working collaboratively with industry partners and government organizations to accelerate development and adoption of technologies, products and best practices that can improve data center operations. Examples of options to consider include:

• Purchasing higher efficiency power supplies and mother board components

• Installing higher efficiency Uninterruptible Power Supplies and other power conversion equipment

• Monitoring energy consumption and environmental conditions to develop operational energy policies

• Employing Virtualization to increase utilization and consolidate servers in ratios up to 30:1

• Use of hot & cold aisle layouts and floor vent tiles to prevent hot air from mixing with cold air

• For a more detailed list of ways to increase the efficiency of your data center, click here

How well do you understand the total energy consumption and efficiency of your IT facility? It's likely that there are a number of ways that you can improve your operations to handle the increasing rack densities and growing demand for compute capacity - and make the CFO happy because the power bill goes down as well...

1. Source: Gartner, May 2007

2. Intel DC Users Group 06

3. The Green Grid Data Center Power Efficiency Metric. http://www.thegreengrid.org/gg_content/TGG_Data_Center_Power_Efficiency_Metrics_PUE_and_DCiE.pdf