Re: Answer: Re: [FW1] Rainwall-E vs StoneBeat FullCluster

I'm glad StoneSoft has finally posted their rebuttal to my comparison between Rainwall and StoneBeat FullCluster. I was beginning to wonder if they were still in business. ;-)

The method of comparison used by StoneSoft was very misleading, in my opinion. They compared FullCluster version 2.0, with Rainwall version 1.3, when Rainfinity is already shipping Rainwall version 1.5 on Solaris. Furthermore, Rainwall 1.5 is OPSEC certified, and FullCluster 2.0 is not.

StoneSoft touts the fact that their "Single-IP" solution eliminates the need to modify the router config, and claims this as their big advantage over Rainwall 1.3. They neglected to mention that Rainwall 1.5 adds a Single-IP option for those who want it. They also tout their fine-grained, per-session load balancing as an advantage over Rainwall's coarse-grained, per-VIP load balancing. Again, they fail to mention that we added fine-grained, per-session load balancing as an option in version 1.5. Version 1.5 also allows symmetric routing enforcement, if desired. Was theirs a fair comparison? I think not.

In spite of the uneven playing field they set up, I think their arguments are less than compelling. The alleged "disadvantages" of Rainfinity's Virtual IP technology they name are inconsequential in the real world. For example, StoneSoft says the "problem with a multiple virtual IP approach is the consumption of a large number of IP addresses...many ISPs will subnet external, Internet address space to their customers with a mask that allows only 32 hosts...If you wished to set up 16 node Rainfinity cluster, and assign at least one VIP to each node, you would completely exhaust your address space..."

To me, this argument is just plain silly. If an organization is big enough to need and buy a 16-node firewall cluster, I don't think they will have any problem getting 16 registered addresses from their ISP. Is this the worst they can say about Rainwall?

Here's another direct quote: "FullCluster uses Ethernet multicast as its means of achieving a configuration of a single MAC address on more than one physical interface. Because multicast sends the same packet to all interfaces at once, and only to the nodes on the cluster, it enables the most efficient use of that network's data capacity."

I laughed out loud at this one. It's very impressive that StoneBeat reduces LAN overhead by not sending their packets to all those other machines on the same subnet as the cluster. How many servers other than the firewall itself do you usually have on the external subnet? Zero, because any other configuration would be a major security risk. So what do you call a multicast to all the machines on a subnet? Most sane people would call that a broadcast. All this nonsense is meant to divert your attention from the first part of the sentence, where they admit that "multicast sends the same packet to all interfaces at once". The excessive repetition of every packet to every node in the cluster is their downfall when it comes to performance.

With all due respect to the fine folks in Finland, I must admit I was amused by StoneSoft's reply. I especially liked their attempt to duck issues of performance and scalability. The fact is, they can't refute this basic truth: You can add as many nodes as you want to a StoneBeat FullCluster system, but if the machines are on a 10baseT LAN, total cluster throughput will never exceed 10Mbps. On a 100baseT LAN, total throughput will not exceed 100Mbps, even if you use sixteen very fast servers. Their Single-MAC approach places an upper limit on performance. In fact, as you approach this upper limit, adding nodes to a StoneBeat cluster can actually decrease the throughput of each individual node because you are merely subdividing a fixed amount of bandwidth.

To illustrate, here's an analogy: A poor mother has 8 children and only enough money to buy one loaf of bread to feed them. A StoneSoft sales rep suggests she can solve this problem by inviting the neighbor's 8 children over for dinner. The result? Sixteen starving children. When she complains that her children are worse off than they were before, he suggests that she buy a bigger loaf. You might say that the StoneSoft rep failed to address her performance, scalability, and budget requirements. ;-)

I do agree with our honored competitor that customers should try both and decide for themselves. More information is available at our website at www.rainfinity.com.

Mark L. Decker
Rainfinity
[email protected]