[Sidewinder] External load balancer or HA Mode?
Sidewinder moderated discussion list
sidewinder at adeptech.com
Tue May 13 15:36:33 EDT 2008
I've performed numerous installations with load balanced firewalls. A
few used policy based routing, one with BigIP, and lots with F5's load
balancer. When we migrated away from the Gauntlet firewall, I tested
the Sidewinder G2. The G2 FAR outperformed the Gauntlet on a Sun platform.
When you develop your architecture, I think you have to decide on your
design objectives. Why have an HA or load balancer at all? With HA,
you simply have a backup system; with load balancers the load is
distributed.
IMO, I don't believe in adding another technology to a design unless it
is really needed. The testing I performed on the Sidewinder using
proxies showed that it easily handled the 100Mbps load I could generate.
It could also handle the number of new connections that needed to be
created each second. I suspect most sites are deploying the G2 at a WAN
boundary and don't have 100Mbps requirements. Actually, I suspect a
single firewall with reasonable rules can handle around 400Mbps. So if
you have a WAN boundary that requires more than 200Mbps or so, don't add
the headache of a load balancer.
One of the main issues with load balancing is that I don't know of any
that work when the firewall has three security zones (internal,
external, DMZ) or more. Another issue with load balancing is that it
can be a pain to actually try to determine which firewall is actually
handling a session, depending on how the firewall actually chooses the
path to use. If one firewall is configured differently or having issues
with a particular protocol, half of the users may be working fine and
the other half not.
I would recommend an HA design, since it provides redundancy, can most
likely handle the load you have, it can support multiple security zones
easily, the solution is from a single vendor, and the design is rather
simple. I would use a load balancer when a single firewall simply can
not handle the load and you actually need the technology.
That said, I would recommend NOT using firewall features that may
greatly reduce the overall firewall performance. I would use the
Sendmail MTA on Sidewinder only for rather small sites. Running an MTA
on any system will greatly increase the disk I/O and lead to slower
performance, not to mention the potential disk space that could be used
to store mail when the mail server is down. Use the SMTP proxy and you
will get plenty of email throughput. Also, I don't know why Sidewinder
ever had a web proxy. It too can require lots of disk I/O and should
be avoided. Use the web proxy.
At one time I know that the virus scanning feature of the web proxy
caused a huge degradation of web performance. Since then SCC has moved
to a different scanning engine and I have never been able to get an idea
on the effects this had on performance.
I hope this helps.
Sidewinder moderated discussion list wrote:
> Related to the last thread for using BigIP for load balancing
> Sidewinders, I'd like to request comments on the pros and cons of using
> an external load balancer or just using the HA mode built into the
> Sidewinder. We currently have a setup using Radware's FireProofs to
> load share a pair of Sidewinder appliances. Assume the applications and
> traffic going through the devices would be for general use from inbound
> serving webpages/files to outbound browsing, ftp and other general
> protocol proxies.
>
> In my personal opinion, I found the external load balancer to be related
> to strange issues, although the majority of the time everything works
> fine. I've tested the HA options in Sidewinder 7, and I believe it may
> be beneficial to move towards using the built in HA with load sharing.
> The benefits of an external load balancer noted from previous posts
> were: being able to load share two firewalls, better load balancing with
> traffic/system and easier system changes/updates. These don't help us
> out too much as we are mainly looking for a redundant, reliable system
> and to be able to utilize both boxes in the pair, rather than a failover
> setup.
>
> So with that said, I would like to hear any comments, suggestions and any
> issues that could relate to using the built in HA.
>
> Thanks,
> Mike
>