Firewall Wizards mailing list archives

RE: BigIP/LD/Alteon


From: "Woeltje, Donald" <dwoeltje () sebh org>
Date: Mon, 6 Mar 2000 08:08:45 -0600

You're missing the point. I don't know about anyone else but I am talking
about strictly price versus performance (speed only; not features). If one
product has features that you want and another doesn't then you go with the
product that does have what you want. And if it's slower or costs more, then
so be it. I'm not here to tell anyone that the choice they've made is wrong.
Neither should anyone else take it upon themselves to tell someone on this
list that what they've done is wrong or a poor choice. I don't work at your
site, so I'm not in a position to tell you that anything you've done for
your site is a poor choice. Neither am I going to let myself become involved
in a "which product is best" argument because there is no such thing.
Different products work best in different situations.

But the question that brought all this on was whether there was a
"firewall" not a "load balancer" that performed at Gigabit Ethernet speeds
and if there were, which might be the lowest in price. And my opinion was,
and still is, that the ACESwitch 180, with firewall capabilities, is one of
the very fastest and lowest cost "firewalls" (it's not a firewall but can
perform those functions) on the market.

And, for the hard-core firewall proponents out there, I also feel that if
you want (or need) a "firewall" then you purchase a "firewall" (not a router
or a switch). And if that does not give you GigEthernet speeds, then so be
it. That's the cross you'll have to bear. And I also don't believe in the
so-called "integrated" products like NetScreen. In my opinion, if you take
ISS's SafeSuite, Checkpoint's FW-1, Security Dynamics SecurID, Cylink's
PrivateWire, Datafellows F-Secure, Axent Technologies ESM, and NAI's
VirusScan and combine all that into something like NetScreen for about
$1000, somewhere along the line you are going to lose a heck of a lot. You
just are not going to get all the same functionality. Now, maybe on a
straight price vs. performance (speed), products like the NetScreen might be
a better choice but if I have the funds available, I'll go the other route
every time because of the extra functionality (features) I'll be getting.

-----Original Message-----
From: Nicholas Tang [SMTP:ntang () nachtwache org]
Sent: Friday, March 03, 2000 9:45 PM
To:   firewall-wizards () nfr net
Subject:      BigIP/LD/Alteon


We're evaluating the Alteon switch solution vs. the BigIP solution where
I work so this is an especially interesting discussion for me.

Basically, the general consensus seems to be that the Alteon does
everything the BigIP or Cisco LocalDirector does but faster and cheaper.

The reason we're favoring the BigIP so strongly is because of their
high-availability features - while yes, the high-end unit costs $50,000 a
pop, it ALSO has several HA features the Alteon switches (if I'm correct)
don't.

I'll quote from the BigIP FAQ on F5's site:

BIG/ips EAV (Extended Application Verification) is a more sophisticated
version of ECV, and basically lets you script your own tests, so you can
perform multiple layers of testing to arrive at the answer: yes, it's
working properly, or no, it's not working properly. A good example of this
functionality pertains to an E-commerce site.  BIG/ip can emulate what a
customer is doing, connect to the site, select an item out of the catalog,
place it into a shopping cart, run a credit card number to emulate the
purchase, and make sure that the credit card transaction is properly
working. Basically, it allows you to step through everything that a
customer would normally do. At the end of this process, we know that
everything is up and running, and it's OK to send traffic there. But if
there's a problem in any of those links in the chain, BIG/ip will know not
to send traffic there. BIG/ip will continue to test it, and only when it
starts working properly will BIG/ip send traffic back to it.

Here's Alteon's statement about their HA features:

The CACHEdirector constantly monitors cache, application and content
availability, bypassing unhealthy caches when it distributes new sessions
and automatically re-enrolling them upon service restoration.  
Intelligent application health checking ensures integrity of the entire
data path, including content retrieval, for services including HTTP, NNTP,
FTP and DNS.



Now, admittedly neither is extremely detailed and both were written by
marketing types, but it seems to me that the BigIP is a clear win there -
while it's great being able to have your switch make sure your web server
is responding, we're running a rapidly growing e-commerce site - and if
the application server on the web server goes down, it can still serve the
front page and the error page - but the store itself goes all to hell.
The ability to script a real query and have it hit a fully dynamic,
database-driven shopping cart page is very important to us.

Is there _anything_ else that can do that?  What we're actually
considering doing is having a setup like this:


               [multiple lines to the internet]
                         |      |     |
                   [set of alteon switches]
                         |      |     |
          ----------------------+-------------------
         |                      |                   |
  [set of bigip's]      [set of bigip's]     [set of bigip's]
      |  |  |                |  |  |              |  |  |
      |  |  |                |  |  |              |  |  |
[pool of webservers] [pool of webservers] [pool of webservers]

Now, obviously that is a ridiculously expensive solution, but it seems to
be the only one where we can get maximum speed AND a good HA solution.
We'd start off most likely with a pair of alteons pointed at a pair of
bigip's and then add on more sets of bigips (and if need be more alteons)
as the site continues (hopefully :) ) to grow.

Right now we haven't found a single box that presents a magic solution -
has anyone found a better one?  Does anyone know if the Alteon can indeed
execute similarly scripted checks and dynamically reconfigure the load
balancing based on the results as the BigIP claims it can?  For that
matter, does anyone know if the BigIP really can do everything it says?

Nicholas 
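The scripted check the quoted FAQ describes (walk the customer's path and only then declare the server usable) is easy to express in a few dozen lines, and the script below, added here as an illustration and not code from F5, Alteon or anyone on the thread, also shows why the shallow "does GET / return 200" probe misses exactly the failure Nicholas worries about: a web server whose application server behind it has died. The HTTP layer is abstracted as a `fetch(method, path, body)` callable, the paths, SKU and card token are invented placeholders, and the two fake servers at the bottom are constructed stand-ins so the whole thing runs offline.

```python
"""
Scripted, multi-step application health check: front page -> catalog ->
cart -> checkout. Added example, not BIG/ip or Alteon code. `fetch` is an
assumed interface standing in for a real HTTP client.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Response = Tuple[int, str]                               # (status, body)
Fetcher = Callable[[str, str, Optional[str]], Response]  # assumed interface

@dataclass
class StepResult:
    name: str
    ok: bool
    detail: str

# Hypothetical test item and a constructed placeholder token (not a card number).
TEST_SKU = "1001"
TEST_CARD = "TESTCARD-PLACEHOLDER"

def check_storefront(fetch: Fetcher) -> List[StepResult]:
    """Run the scripted transaction, stopping at the first failed step
    because every later step depends on the earlier ones."""
    results: List[StepResult] = []

    def step(name: str, ok: bool, detail: str) -> bool:
        results.append(StepResult(name, ok, detail))
        return ok

    status, body = fetch("GET", "/", None)
    if not step("front_page", status == 200, f"HTTP {status}"):
        return results

    status, body = fetch("GET", "/catalog", None)
    listed = f"sku={TEST_SKU}" in body
    if not step("catalog", status == 200 and listed,
                f"HTTP {status}, test item listed={listed}"):
        return results

    status, body = fetch("POST", "/cart", f"sku={TEST_SKU}")
    if not step("add_to_cart", status == 200 and body.startswith("cart_id="),
                f"HTTP {status}"):
        return results
    cart_id = body.split("=", 1)[1]

    status, body = fetch("POST", "/checkout",
                         f"cart_id={cart_id}&card={TEST_CARD}")
    step("checkout", status == 200 and "approved" in body,
         f"HTTP {status}: {body[:40]}")
    return results

def storefront_is_up(fetch: Fetcher) -> bool:
    """True only if every step of the customer path succeeded."""
    return all(r.ok for r in check_storefront(fetch))

def front_page_is_up(fetch: Fetcher) -> bool:
    """The shallow probe: GET / and accept any 200."""
    status, _ = fetch("GET", "/", None)
    return status == 200

class PoolMember:
    """One server's rotation state. A single failed walk pulls it out;
    it is re-enrolled only after `recover_after` consecutive clean walks
    (the consecutive-success rule is this example's own choice)."""
    def __init__(self, fetch: Fetcher, recover_after: int = 2):
        self.fetch = fetch
        self.recover_after = recover_after
        self.in_rotation = True
        self._successes = 0

    def probe(self) -> bool:
        if storefront_is_up(self.fetch):
            self._successes += 1
            if not self.in_rotation and self._successes >= self.recover_after:
                self.in_rotation = True
        else:
            self._successes = 0
            self.in_rotation = False
        return self.in_rotation

# Constructed fake servers standing in for real pool members.
def healthy_server(method: str, path: str, body: Optional[str]) -> Response:
    routes = {("GET", "/"): "<html>welcome</html>",
              ("GET", "/catalog"): "<li>sku=1001 widget</li>",
              ("POST", "/cart"): "cart_id=c42",
              ("POST", "/checkout"): "approved txn=9"}
    return (200, routes[(method, path)]) if (method, path) in routes else (404, "")

def app_down_server(method: str, path: str, body: Optional[str]) -> Response:
    """Web server fine, application server dead: static pages still load,
    everything dynamic returns the (HTTP 200) error page."""
    if (method, path) == ("GET", "/"):
        return 200, "<html>welcome</html>"
    return 200, "<html>Sorry, the store is temporarily unavailable</html>"

if __name__ == "__main__":
    for name, srv in (("healthy", healthy_server), ("app_down", app_down_server)):
        print(name, "shallow:", front_page_is_up(srv),
              "scripted:", storefront_is_up(srv))
        for r in check_storefront(srv):
            print("   ", r.name, "OK" if r.ok else "FAIL", r.detail)
```

Run as-is, the `app_down` server passes the shallow probe and fails the scripted one at the catalog step, which is the "front page works, store goes to hell" case; the `PoolMember` wrapper then keeps it out of rotation until two consecutive full walks succeed, mirroring the FAQ's "only when it starts working properly" behaviour.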
