
Re: Answer: Re: [FW1] Rainwall-E vs StoneBeat FullCluster



I'm glad StoneSoft has finally posted their rebuttal to my comparison
between Rainwall and StoneBeat FullCluster.  I was beginning to wonder if
they were still in business. ;-)

The method of comparison used by StoneSoft was very misleading, in my
opinion.  They compared FullCluster version 2.0, with Rainwall version 1.3,
when Rainfinity is already shipping Rainwall version 1.5 on Solaris.
Furthermore, Rainwall 1.5 is OPSEC certified, and FullCluster 2.0 is not.
StoneSoft touts the fact that their "Single-IP" solution eliminates the
need to modify the router config, and claims this as their big advantage
over Rainwall 1.3.  They neglected to mention that Rainwall 1.5 adds a
Single-IP option for those who want it.  They also tout their fine-grained,
per-session load balancing as an advantage over Rainwall's coarse-grained,
per-VIP load balancing.  Again, they fail to mention that we added
fine-grained, per-session load balancing as an option in version 1.5.
Version 1.5 also allows symmetric routing enforcement, if desired.  Was
theirs a fair comparison?  I think not.

In spite of the uneven playing field they set up, I think their arguments
are less than compelling.  The alleged "disadvantages" of Rainfinity's
Virtual IP technology they name are inconsequential in the real world.  For
example, StoneSoft says the "problem with a multiple virtual IP approach is
the consumption of a large number of IP addresses...many ISPs will subnet
external, Internet address space to their customers with a mask that allows
only 32 hosts...If you wished to set up 16 node Rainfinity cluster, and
assign at least one VIP to each node, you would completely exhaust your
address space..."  To me, this argument is just plain silly.  If an
organization is big enough to need and buy a 16-node firewall cluster, I
don't think they will have any problem getting 16 registered addresses from
their ISP.  Is this the worst they can say about Rainwall?

Here's another direct quote: "FullCluster uses Ethernet multicast as its
means of achieving a configuration of a single MAC address on more than one
physical interface. Because multicast sends the same packet to all
interfaces at once, and only to the nodes on the cluster, it enables the
most efficient use of that network's data capacity."  I laughed out loud at
this one.  It's very impressive that StoneBeat reduces LAN overhead by not
sending their packets to all those other machines on the same subnet as the
cluster.  How many servers other than the firewall itself do you usually
have on the external subnet?  Zero, because any other configuration would be
a major security risk.  So what do you call a multicast to all the machines
on a subnet?  Most sane people would call that a broadcast.  All this
nonsense is meant to divert your attention from the first part of the
sentence, where they admit that "multicast sends the same packet to all
interfaces at once".  The excessive repetition of every packet to every node
in the cluster is their downfall when it comes to performance.

With all due respect to the fine folks in Finland, I must admit I was amused
by StoneSoft's reply.  I especially liked their attempt to duck issues of
performance and scalability.  The fact is, they can't refute this basic
truth:

You can add as many nodes as you want to a StoneBeat FullCluster system, but
if the machines are on a 10baseT LAN, total cluster throughput will never
exceed 10Mbps.  On a 100baseT LAN, total throughput will not exceed 100Mbps,
even if you use sixteen very fast servers. Their Single-MAC approach places
an upper limit on performance.  In fact, as you approach this upper limit,
adding nodes to a StoneBeat cluster can actually decrease the throughput of
each individual node because you are merely subdividing a fixed amount of
bandwidth.  To illustrate, here's an analogy:  A poor mother has 8 children
and only enough money to buy one loaf of bread to feed them.  A StoneSoft
sales rep suggests she can solve this problem by inviting the neighbor's 8
children over for dinner.  The result?  Sixteen starving children.  When she
complains that her children are worse off than they were before, he suggests
that she buy a bigger loaf.  You might say that the StoneSoft rep failed to
address her performance, scalability, and budget requirements.  ;-)

I do agree with our honored competitor that customers should try both and
decide for themselves.  More information is available at our website at
www.rainfinity.com.

Mark L. Decker
Rainfinity
[email protected]