Firewall Wizards mailing list archives

Re: High Speed Firewalls

From: Bennett Todd <bet () rahul net>
Date: Mon, 6 Mar 2000 12:48:36 -0500

2000-03-06-12:34:47 Mike Barkett:

Imagine the scenario in which a web server has failed, and a
404 error comes up for the main page.  This server will be much
quicker to respond than the full e-commerce/img/java-encrusted
blicki.


More appealing and useful, too!

LD starts sending more and more requests to the failed server, and
you've got a bad situation on your hands.  I have seen it happen
in extremely high-volume e-commerce environments and it's not
pretty.


Nothing is pretty when you have a severely java-encrusted blicki
(nice phrase!), and when you are claiming to be doing e-commerce as
well the whole scene has just turned really really evil.

Hopefully Cisco has fixed or will fix this problem, but even if
they did, the LD would not be the superior product.  You can
set the Alteons to expect a certain string of HTML code, and
regularly monitor that type connection at layer 4.  Now, that
doesn't entirely make up for Alteon's lackluster NAT support, but
that type of monitoring is where Cisco wants to be with their
product.


I can definitely see designs where performance monitoring needs to
be at higher layers of the protocol stack. I'm proud to refrain from
committing such designs, but I can see how they arise.

Another correspondent has pointed out to me that F5's BigIP now
boasts flexible performance monitoring as well, so it sounds like
there's plenty of competition to round things out.

It's an interesting point you raise, though how the L-D's passive,
low-level performance monitoring makes other varieties of screwup
worse than simple round-robin, by favouring a server that's just
shrieking 404 at everything thrown it's way rather than trying to
get interesting work done.

I continue to like the LocalDirector's algorithm very much, and look
forward to finding out whether a BigIP can be configured to do the
same trick, but if I were fielding more fragile servers into the
farm, with more complex and subtle failure modes, I can see where it
could work very poorly indeed.

-Bennett

Attachment: _bin
Description:

Current thread:

Re: High Speed Firewalls, (continued)
- - - Re: High Speed Firewalls Paul D. Robertson (Mar 06)
    - Re: High Speed Firewalls Bennett Todd (Mar 06)
    - Re: High Speed Firewalls Paul D. Robertson (Mar 06)
    - Re: High Speed Firewalls Bennett Todd (Mar 06)
    - Re: High Speed Firewalls Chenggong Charles Fan (Mar 08)
    - Re: High Speed Firewalls Bennett Todd (Mar 12)
    - personal firewalls Randy Grimshaw (Mar 13)
    - Re: personal firewalls Rick Murphy (Mar 21)
    - Re: personal firewalls elad (Mar 21)
    - Re: High Speed Firewalls Mike Barkett (Mar 07)
    - Re: High Speed Firewalls Bennett Todd (Mar 07)
    - Active FTP behind a router doing NAT Arnaud Chiaberge (Mar 12)
    - Re: Active FTP behind a router doing NAT Ryan Russell (Mar 17)
    - Re: High Speed Firewalls Eric Hall (Mar 13)
  - Re: High Speed Firewalls Chenggong Charles Fan (Mar 12)
- Re: High Speed Firewalls David Newman (Mar 06)
  - Re: High Speed Firewalls Crispin Cowan (Mar 12)
    - RE: High Speed Firewalls David Newman (Mar 12)
    - Re: High Speed Firewalls Crispin Cowan (Mar 12)
    - RE: High Speed Firewalls David Newman (Mar 12)
    - Re: RE: High Speed Firewalls Crispin Cowan (Mar 17)

(Thread continues...)