[FW1] Re: Rainwall-E vs StoneBeat FullCluster
Hi,

Since there seems to be more support for a discussion of FullCluster vs. Rainwall, and more people have voiced interest than dissent, I wanted to clarify some points made by Mr. Decker in response to our analysis. As the Check Point mailing list is for OPSEC and other FireWall-1 related issues, and both of our companies are part of that alliance and make products to complement Check Point's products, I feel that some discussion on this list can be appropriate, especially in light of the fact that such discussion was solicited by several members of the list.

A point of clarification about Mr. Decker's claim that, "The method of comparison used by StoneSoft was very misleading, in my opinion. They compared FullCluster version 2.0, with Rainwall version 1.3, when Rainfinity is already shipping Rainwall version 1.5 on Solaris." We would have been happy to compare FullCluster with Rainwall 1.5, and will do so in the future. However, a couple of weeks ago (even last week), Rainwall 1.5 was not available from Rainfinity's Web site. Mr. Decker made it known in some personal correspondence that the Web site is undergoing revision, and so 1.5 should be available soon. But we tested 1.3, not because we wanted to make an unfair or biased comparison, but because that was the only version available to us at the time.

Regarding the "multiple VIP" argument: Mr. Decker notes that a company requiring a 16 node cluster is more than capable of obtaining the required IP address space to support a multiple VIP approach. He then inquired, "Is this the worse they can say about Rainwall?" However, several other points made by Stonesoft regarding the multiple VIP approach, including the configuration of other devices and the use of gratuitous ARP, to name a few, were left unanswered. If their approach to load balancing and clustering is a viable solution, then why does Mr. Decker make a point that Rainwall 1.5 "...adds a Single-IP option for those who want it"?

As for multicast, Mr. Decker noted that a firewall should be the only device on an external network besides the ISP's router, so therefore the use of multicast for efficiency is pointless, as no other device should be there receiving packets. Although having just the firewall on the external network is, indeed, a sound security principle, it is also usually useful to have interfaces on DMZ networks and internal networks, which would typically have more than just the firewall on them. For large corporations that deploy multiple DMZs and support hundreds of users, the use of broadcast (and gratuitous ARP) vs. the efficiency of multicast becomes a real-world issue pretty quickly.

Mr. Decker also states, "The excessive repetition of every packet to every node in the cluster is their downfall when it comes to performance." Again, a clarification: Multicast is NOT duplicate packets, one to each interface...it is the efficient transmission of the same packet to multiple interfaces simultaneously, and only to those members of the group requesting the information.

As for the performance issue, we're not trying to duck it. But it is a complicated issue to discuss. Many factors impact the performance of a firewall machine, including the size of packets going through, the configuration of the OS, the use of NAT, encryption and VPNs, the size and complexity of the rule base, the OS used, and more. Even the drivers for the NICs and the switches and cabling used can impact the performance of any network device. The real basic truth, however, is this: the interface itself is often not the source of the bottleneck. Check Point often becomes the bottleneck, as it gets loaded down with complicated rule bases (with Track set to "Long" on EVERY rule even!), multiple VPN connections with 3DES encryption, IPsec, many NAT rules, and more. On a basic installation, the stateful inspection technology will give you approximately 93% of the maximum throughput, without the added complexity mentioned here.

The point of load balancing and clustering is therefore to take the load off the firewall software itself...spread it around on multiple machines as equally as possible. FullCluster does just that, and far better than Rainfinity (as we balance connections, not IPs). Even given decent bandwidth through a firewall, routers, switches and the line out to the real world (often a T-1 at 1.5 Mbps) also bottleneck connections. If you need 600 Mbps through a cluster, then you need Gigabit Ethernet anyway...which FullCluster supports, giving you a GB of throughput if you wanted. However, performance numbers are, again, something we recommend you try for yourself, or ask a third party to evaluate. No one can predict or argue how one or the other will perform in any particular configuration.

For more information on StoneBeat FullCluster or Rainfinity's Rainwall, see:

http://www.stonebeat.com/
http://www.rainfinity.com/

----------------------------------------------------------------
Mark Boltz                          Stonesoft, Inc.
Network Security Specialist         115 Perimeter Center Place
[email protected]                    South Terraces, Suite 1000
Tel:                                Atlanta, GA 30346
Cel:                                USA
Fax:                                http://www.stonesoft.com
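The post's "we balance connections, not IPs" remark is the one technical claim a reader can actually check for themselves. The script below is an added illustration written for this page; it is not code from Stonesoft, Rainfinity or the FW1 list, and it does not model how either product really selects a node. It assumes a hypothetical cluster of four nodes and a constructed set of 100 flows in which two NAT'd source addresses carry most of the connections, which is the situation where per-source-IP distribution and per-connection (5-tuple) distribution diverge most. Both choosers are plain SHA-256 bucket hashes picked for the example; the node-selection method of the real products is not described on the page and is not assumed here.

```python
import hashlib
from collections import Counter
from typing import Callable, Iterable, Tuple

Flow = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)

# Constructed sample traffic (not captured data): a NAT'd office where two
# source addresses open most of the connections, plus ten lightly used hosts.
SAMPLE_FLOWS: list = (
    [("10.0.0.5", 40000 + i, "203.0.113.10", 443, "tcp") for i in range(60)]
    + [("10.0.0.6", 50000 + i, "203.0.113.20", 80, "tcp") for i in range(30)]
    + [(f"10.0.1.{i}", 33000 + i, "203.0.113.30", 25, "tcp") for i in range(10)]
)

CLUSTER_NODES = 4  # hypothetical cluster size for the example


def _bucket(key: str, nodes: int) -> int:
    """Map a string key to a node index with a stable hash.

    SHA-256 is used only so the mapping is deterministic and well spread;
    it is an example choice, not what any real cluster product does.
    """
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % nodes


def node_by_source_ip(flow: Flow, nodes: int) -> int:
    """Per-IP distribution: every connection from one host lands on one node."""
    return _bucket(flow[0], nodes)


def node_by_connection(flow: Flow, nodes: int) -> int:
    """Per-connection distribution: the whole 5-tuple selects the node."""
    return _bucket("|".join(str(field) for field in flow), nodes)


def distribute(flows: Iterable[Flow], nodes: int,
               chooser: Callable[[Flow, int], int]) -> Counter:
    """Count how many flows each node would own under the given chooser."""
    counts = Counter({n: 0 for n in range(nodes)})
    for flow in flows:
        counts[chooser(flow, nodes)] += 1
    return counts


def imbalance(counts: Counter) -> int:
    """Spread between the busiest and the idlest node (0 is perfectly even)."""
    return max(counts.values()) - min(counts.values())


def is_sticky(flow: Flow, nodes: int,
              chooser: Callable[[Flow, int], int], packets: int = 5) -> bool:
    """Every packet of one connection must hit the same node, or the
    stateful inspection on that node never sees the full conversation."""
    return len({chooser(flow, nodes) for _ in range(packets)}) == 1


if __name__ == "__main__":
    by_ip = distribute(SAMPLE_FLOWS, CLUSTER_NODES, node_by_source_ip)
    by_conn = distribute(SAMPLE_FLOWS, CLUSTER_NODES, node_by_connection)
    print("per-IP distribution:        ", dict(by_ip), "imbalance", imbalance(by_ip))
    print("per-connection distribution:", dict(by_conn), "imbalance", imbalance(by_conn))
```

Because 60 of the 100 flows share one source address, per-IP distribution can never put fewer than 60 flows on the node that owns that address, so its imbalance is at least 47 on four nodes no matter which node the hash picks; per-connection distribution spreads those same 60 flows across all nodes. The trade-off a practitioner should weigh is that per-connection distribution only stays safe if every packet of a connection keeps hashing to the same node (the `is_sticky` check) and if the cluster synchronises connection state so a node failure does not drop the sessions it owned, which is exactly the kind of detail the post says you should measure in your own configuration rather than take from either vendor.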