View full video here: DH2i for VPN-less Secure Application Connectivity
Mike Matchett: Hi. I'm Mike Matchett with Small World Big Data. And I'm here today with Don Boxley who is the CEO of DH2i. DH2i started out looking at ways to really help you leverage database virtualization. But now they've got something new in software defined networking and that is really how to create software defined perimeter based networking.
Mike Matchett: And that's something where you say, hey, I've got applications that might be here and servers that might be there and I want them to talk to each other but they're in different networks. One might be in a cloud. One might be on-premises behind firewalls. I don't just want to open that up. I don't want to deal with VPNs. I just want point to point connections defined between services, between those things and let them talk. What's an easy way to do that? That was kind of the problem they tackled. Let's talk to Don about this. Welcome to the show, Don.
Don Boxley: Hey, Mike. Thank you for having me on.
Mike Matchett: Okay. So you're kind of bringing another whole technology to market based on the fact you saw some problems that your other customers are having with database virtualization, moving databases around. What is that problem?
Don Boxley: Well, yeah, yeah. So many of our customers with our current solution can move a database instance say from one host to another just really quickly. They wanted to explore moving those database instances to the cloud. But when they brought us into it and said -- the first question is always, "Okay, do you guys work in the cloud?" You know, it's the easy part. Yeah, we work in the cloud. Many say, "Okay, so how do we do it?" Well, you've got to create a secured connection between your on-premise to the cloud. They say, "How do we do that?" Well, you got to talk to your networking team. They say we'll get back to you. Right.
Don Boxley: You call them up two weeks later. And the conversation you have with them is like, "Well, we talked to networking team. That's a really hard problem. It's probably going to take us like six months to try to figure that out." And we kind of go, oh, that's too bad. Right. So over the last three years, we've been encountering this recurring theme. And so it prompted our development team to think about how could we make this problem easier for our customers. So that was kind of the genesis of it if you will.
Mike Matchett: And you didn't just turn around say like, "Hey, use VPNs," right, and, "Hey, use, you know, the virtual LAN technologies, use those other things that really connect one network to the other." Why now? Why couldn't you just connect the networks?
Don Boxley: Yeah. Because it's just really hard for customers to do that and make sure that it's super secure. When you think about a VPN, I think our customers, by and large, they're large companies, hospitals, governments, a little bit nervous, right. They've got very serious security concerns. I think when they looked at VPNs kind of tunneling into the cloud, they're not happy with the attack surface that a VPN creates, right. When you give somebody a VPN, you basically have given them a slice of your network.
Mike Matchett: Oh, okay.
Don Boxley: Right. So once they've got a slice of your network and they're logged in but if their machine is compromised, right, a malicious attacker can now deploy what is commonly described as a lateral network attack. Basically I'm on your machine and I'm looking to the right and to the left to see what else can I access, what other systems can I get into, right. And so when you think about that and just the issues of making sure that it's properly configured all the time, you've got the right access control lists in place, you've got the right firewall policies in place, it becomes a daunting task for our customers to build those connections to the cloud in a secure way.
Mike Matchett: And firewalls. You just mentioned firewalls and opening, closing certain key ports doesn't really help with that problem.
Don Boxley: No. I mean anytime you open up a port, right, you get -- you know, if you've got to make a connection of VPN, you got to open up a port. Anytime you open up a port, it's susceptible to somebody attacking it, right. I mean it's just a common port scanners. I mean it's just a common methodology for how do I figure out there's no port. It's amazing. The guys will show me. They open up a machine in the cloud and within 30 minutes, a robot or a bot has hit -- it's interrogated any -- interrogate that machine for open ports, right. So it just creates that attack surface that I think a lot of our customers aren't willing yet to invest in, right.
Mike Matchett: Wow. So instead you guys now -- if I understand this right, you created a different way to connect and have two machines talk to each other. And the best way I describe it is point to point. I think you use the word microtunneling.
Don Boxley: Yeah.
Mike Matchett: And the product is called DXODYSSEY, right.
Don Boxley: That's correct.
Mike Matchett: So DXODYSSEY is your new thing. How does that basically work? What's sort of the thumbnail about how DXODYSSEY connects two things point to point?
Don Boxley: Yeah, yeah. No, it's great. The basic idea is pretty simple, right. I mean you load a piece of software, you load DXODYSSEY into machines that you want them to connect. They then identify themselves to what we call matchmaking service. If you were a trusted directory service, basically say, "This is who I am and I have rights to talk to this other node."
Don Boxley: And once that's been established and with credentials and like not, the matchmaker service basically tells both nodes, okay, this is how you talk to -- this is where you find the other person, right, the other machine. Once that's done, they form a direct connection and continue on, right, without the matchmaker being involved in it at all. So unlike say a -- what are the classics for I say consumer VPN solutions is you use a third-party proxy, right, to obfuscate. I think that's how you pronounce it. Yeah, your presence on the web. But all that traffic goes through a third-party machine. With DXODYSSEY, that's not the case. It's a pure connection between the two endpoints without us being involved.
Mike Matchett: Right. So once that -- and there's a principle for this. I mean there's DNS and there are things that go -- they go, where do I talk to? And then you talk direct and you get out of the way. It's kind of the separation of the data plane and the control plane if you will.
Don Boxley: Exactly.
Don Boxley: And the data point. What I like about the microtunnel then that's created is it's pretty bulletproof, right. It's a hard -- almost a hardened tunnel. It's not --
Don Boxley: Yeah, yeah, yeah, yeah. A couple of things make this really hard. One is most tunnels are used, well, basically using TCP. What we did is we did something different. We decided on UDP. We chose UDP because it's less commonly used but it's a faster protocol for shipping data between two points. But its issue in the past has been that it doesn't have any correction so people didn't use it because it tended to get your data garbled. But what we did, we enhanced UDP, we added our own -- we basically took TCP error correction capability and added it to UDP to create our own proprietary UDP protocols. So that solves that problem. So the data is always in order. It's always going to be right on both sides.
Don Boxley: And then we added DTLS encryption. So everything is encrypted. So even if a bad guy could figure out that you're actually talking on it as you did before they would know what you're saying that they have they would have no way of interpreting the information. So yeah. All right, so it's very hard.
Mike Matchett: And so I've got this ability to make a microtunnel between two things and it really then says I can go from anywhere to anywhere, right? This way, I could be -- I mean --
Don Boxley: Anywhere. Anywhere to anywhere, right. And that's the great thing. I mean we wanted it so that basically I get -- you know, I could spin up servers in Amazon and Google and Azure and I can create tunnels between them in five minutes without having to talk to anybody, right. Just me by myself with DXODYSSEY running on all three machines. I can set up a secure tunnel between them and the outside world wouldn't know that those tunnels exist.
Mike Matchett: Wow. And then those things are talking to each other and I haven't had to go through and create third-party VPNs and work with firewalls and do all this stuff. So I mean that is so great because the less you have to configure it, the less there is to go wrong. And the less people involved, the more right it's going to be. Now, so I think just on that fact alone, we could stop and you've got some great things going in depth. But there's a couple more bits to this that I just really want to cover and I can't because it's my show.
Mike Matchett: So tell me a little bit about the idea of smart availability because really you did this because you were -- when people do this database virtualization use case you have over here, there's about failing over sometimes doing high availability scenarios and getting the database to move from one place to another. But in this networking side, you've carried that principle forward, right? This technology is designed to set up smart availability configurations, right? So how does that work?
Don Boxley: Yeah, yeah, yeah. So on the database side, right, we have a technology product called "DxEnterprise" which allows us to encapsulate workloads and we can move them from any host to any host anywhere. But when you're -- and that works great when you're on site. But when you move to the cloud which a lot of our customers want to do, there's a problem, how do I make the connection secure? So what we did was with our DXODYSSEY, we brought that same capability to the tunnels. So now the tunnels, right, I can create a tunnel as we described earlier from any host, any other host anywhere, right, on the fly.
Don Boxley: But the key is with smart availability is I can make that tunnel highly available. So instead of just having us -- and we don't recommend this because again, we're thinking about, thinking worst case scenarios, something happens to your machine, you want to have another backup. So we always say have a couple gateways, right, maybe a couple on-premise, a couple in the cloud. And with smart availability, if one of your gateways on-premise dies, all the tunnel activity will fail over to your second machine, right. So that you've maintained your connection.
Don Boxley: So that's essentially it with smart availability, you can move the tunnels around in a way so that they're always available. And you can always then find the right place for them because it may be like, okay, towards certain times a day, the tunnel is not very active. So maybe I just run them on a VM, right. Potentially, that's running on-premise or in the cloud but there are certain times of day where I know it's going to be heavy traffic and so I'm going to need a bigger machine to handle that bandwidth.
Don Boxley: So with smart availability, I can just drag and drop if you will the tunnel from that VM and I can drop it onto a bare metal box someplace to provide that enhanced capability. So that's the heart of smart availability, be able to always find the best execution venue for not only your tunnels but also for your application workloads.
Mike Matchett: Right. So it's not just creating the tunnel, it's in fact creating a network of tunnels that can be pre-configured by policy to fail back over to each other or in some smart ordering that you pre-determined and by policy which is cool.
Don Boxley: Yeah.
Mike Matchett: All right now. And then the final thing, just the overhead of doing this, DXODYSSEY sitting on every node. Isn't that going to take a big hit and create a lot of overhead?
Don Boxley: No, it really doesn't. I mean we've designed DX, it's super lightweight, right. So we've done a lot of extensive tests. And you basically can't perceive the impact on transit performance with DXODYSSEY engaged, right, because think about it. All DXODYSSEY does is basically tell two machines how to talk to each other, right. Once that's done, it's out of the picture. It's not in the data path. So the performance that you get is basically a hundred percent. It's really tied to how big a pipe you've created from those two machines, right. So I mean worst case, you've got a little dial-up connection which nobody has anymore but you'd be limited to something like 9600 baud.
Mike Matchett: Oh, you had a good modem. I had a 2400 modem.
Don Boxley: Most people, you go and get your gigabit, a big connection so you get all that. But yeah. So once we made the connection, the two machines talked to each other and the gate is again just the physics of the connection between the machines.
Mike Matchett: All right. So that is so awesome. I think we could talk about this for an hour because there's use cases about multi-cloud here that we didn't even get into. So I think where should someone go to find out more information specifically about DXODYSSEY? Is there some part of your website that's focused on this?
Don Boxley: Yeah. They just go to our main website, it's going to be on our front page there, right. DXODYSSEY right in front and simple. Just www.DH2i/dxodyssey. That will get you right to the information on it and help you drive your database connectivity.
Mike Matchett: All right, Don. There are so many good things here. I think this is going to be really big, disruptive even. Thank you for being on the show today and definitely come back when you've got the next announcements on this.
Don Boxley: Okay. Thanks, Mike.
Mike Matchett: All right. Thank you for watching and we'll see you soon. Take care.