Firewall Wizards mailing list archives
RE: BigIP/LD/Alteon
From: "Woeltje, Donald" <dwoeltje () sebh org>
Date: Mon, 6 Mar 2000 08:08:45 -0600
You're missing the point. I don't know about anyone else but I am talking about strictly price versus performance (speed only; not features). If one product has features that you want and another doesn't then you go with the product that does have what you want. And if it's slower or costs more, then so be it. I'm not here to tell anyone that the choice they've made is wrong. Neither should anyone else take it upon themselves to tell someone on this list that what they've done is wrong or a poor choice. I don't work at your site, so I'm not in a position to tell you that anything you've done for your site is a poor choice. Neither am I going to let myself become involved in a "which product is best" argument because there is no such thing. Different products work best in different situations.

But the question that brought all this on was whether there was a "firewall" not a "load balancer" that performed at Gigabit Ethernet speeds and if there were, which might be the lowest in price. And my opinion was, and still is, that the ACESwitch 180, with firewall capabilities, is one of the very fastest and lowest cost "firewalls" (it's not a firewall but can perform those functions) on the market. And, for the hard-core firewall proponents out there, I also feel that if you want (or need) a "firewall" then you purchase a "firewall" (not a router or a switch). And if that does not give you GigEthernet speeds, then so be it. That's the cross you'll have to bear.

And I also don't believe in the so-called "integrated" products like NetScreen. In my opinion, if you take ISS's SafeSuite, Checkpoint's FW-1, Security Dynamics SecurID, Cylink's PrivateWire, Datafellows F-Secure, Axent Technologies ESM, and NAI's VirusScan and combine all that into something like NetScreen for about $1000, somewhere along the line you are going to lose a heck of a lot. You just are not going to get all the same functionality. Now, maybe on a straight price vs. performance (speed), products like the NetScreen might be a better choice but if I have the funds available, I'll go the other route every time because of the extra functionality (features) I'll be getting.
-----Original Message-----
From: Nicholas Tang [SMTP:ntang () nachtwache org]
Sent: Friday, March 03, 2000 9:45 PM
To: firewall-wizards () nfr net
Subject: BigIP/LD/Alteon

We're evaluating the Alteon switch solution vs. the BigIP solution where I work so this is an especially interesting discussion for me. Basically, the general consensus seems to be that the Alteon does everything the BigIP or Cisco LocalDirector does but faster and cheaper. The reason we're favoring the BigIP so strongly is because of their high-availability features - while yes, the high-end unit costs $50,000 a pop, it ALSO has several HA features the Alteon switches (if I'm correct) don't. I'll quote from the BigIP FAQ on F5's site:

BIG/ip's EAV (Extended Application Verification) is a more sophisticated version of ECV, and basically lets you script your own tests, so you can perform multiple layers of testing to arrive at the answer: yes it's working properly, or no, it's not working properly. A good example of this functionality pertains to an E-commerce site. BIG/ip can emulate what a customer is doing, connect to the site, select an item out of the catalog, place it into a shopping cart, run a credit card number to emulate the purchase, and makes sure that the credit card transaction is properly working. Basically, it allows you to step through everything that a customer would normally do. At the end of this process, we know that everything is up and running, and it's ok to send traffic there. But if there's a problem in any of those links in the chain, BIG/ip will know not to send traffic there. BIG/ip will continue to test it, and only when it starts working properly will BIG/ip send traffic back to it.

Here's Alteon's statement about their HA features:

The CACHEdirector constantly monitors cache, application and content availability, bypassing unhealthy caches when it distributes new sessions and automatically re-enrolling them upon service restoration. Intelligent application health checking ensures integrity of the entire data path, including content retrieval, for services including HTTP, NNTP, FTP and DNS.

Now, admittedly neither is extremely detailed and both were written by marketing types, but it seems to me that the BigIP is a clear win there - while it's great being able to have your switch make sure your web server is responding, we're running a rapidly growing e-commerce site - and if the application server on the web server goes down, it can still serve the front page and the error page - but the store itself goes all to hell. The ability to script a real query and have it hit a fully dynamic, database-driven shopping cart page is very important to us. Is there _anything_ else that can do that?

What we're actually considering doing is having a setup like this:

                 [multiple lines to the internet]
                             |  |  |
                     [set of alteon switches]
                             |  |  |
         ----------------------+-------------------
         |                     |                  |
  [set of bigip's]      [set of bigip's]   [set of bigip's]
      |  |  |              |  |  |             |  |  |
      |  |  |              |  |  |             |  |  |
[pool of webservers] [pool of webservers] [pool of webservers]

Now, obviously that is a ridiculously expensive solution, but it seems to be the only one where we can get maximum speed AND a good HA solution. We'd start off most likely with a pair of alteons pointed at a pair of bigip's and then add on more sets of bigips (and if need be more alteons) as the site continues (hopefully :) ) to grow.

Right now we haven't found a single box that presents a magic solution - has anyone found a better one? Does anyone know if the Alteon can indeed execute similarly scripted checks and dynamically reconfigure the load balancing based on the results as the BigIP claims it can? For that matter, does anyone know if the BigIP really can do everything it says?

Nicholas
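
Added example, not part of either message and not F5 or Alteon code: a sketch of the scripted, multi-step health check the quoted FAQ describes, next to a front-page-only check. The node names, step names and the `layer_up` stand-in for real requests are all hypothetical.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Step = Tuple[str, Callable[[str], bool]]  # (step name, check(node) -> ok)

def layer_up(backend: Dict[str, Set[str]], layer: str) -> Callable[[str], bool]:
    """Hypothetical stand-in for one real request against `layer` on a node."""
    return lambda node: layer in backend[node]

@dataclass
class Pool:
    nodes: List[str]
    steps: List[Step]
    failed_step: Dict[str, Optional[str]] = field(default_factory=dict)

    def probe(self, node: str) -> Optional[str]:
        """Run the steps in order; return the first failing step, else None."""
        for name, check in self.steps:
            try:
                ok = check(node)
            except Exception:
                ok = False  # an error inside a step counts as a failure
            if not ok:
                return name
        return None

    def sweep(self) -> None:
        """Re-test every node, including ones currently out of rotation."""
        for node in self.nodes:
            self.failed_step[node] = self.probe(node)

    def eligible(self) -> List[str]:
        """Nodes that passed every step on the last sweep; unprobed nodes stay out."""
        return [n for n in self.nodes
                if self.failed_step.get(n, "unprobed") is None]

def demo():
    # Constructed sample state: web2's application server is down,
    # but it still serves the static front page.
    backend = {"web1": {"front_page", "catalog", "cart", "payment"},
               "web2": {"front_page"}}
    nodes = ["web1", "web2"]
    chain = ("front_page", "catalog", "cart", "payment")
    shallow = Pool(nodes, [("front_page", layer_up(backend, "front_page"))])
    deep = Pool(nodes, [(s, layer_up(backend, s)) for s in chain])
    shallow.sweep()
    deep.sweep()
    before = (shallow.eligible(), deep.eligible(), deep.failed_step["web2"])
    backend["web2"] |= {"catalog", "cart", "payment"}  # service restored
    deep.sweep()  # node is re-enrolled only after the full chain passes
    return before, deep.eligible()
```

The front-page-only pool keeps sending traffic to web2, while the full chain removes it at the "catalog" step and re-enrolls it on the first sweep after recovery.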
Current thread:
- BigIP/LD/Alteon Nicholas Tang (Mar 05)
- <Possible follow-ups>
- RE: BigIP/LD/Alteon Woeltje, Donald (Mar 06)