Michael Lazar stated...
>Marketing hat on.. :-)
>Our firewall is available in an High Availability (HA) configuration
>that will eliminate the "single point of failure" issue.
As a former Tandem Computers employee, it never ceases to amaze me how
High Availability vendors keep insisting that HA = No Single Point of
Failure. In marketing terms, if it's got no single point of failure,
why call it merely "highly available"? Instead, call it "Always
Available". Maybe it's because, technically, an HA system cannot
"eliminate the 'single point of failure' issue".
First of all, Integrix themselves don't even make that claim for their
HA1000; they simply refer to the reality that their HA system provides
complete HARDWARE fault tolerance. Hot-swappable devices and dual
motherboards do not "eliminate the 'single point of failure' issue".
If you want to eliminate a single point of failure, you have to go
beyond the hardware to the software as well. That means the hardware
devices have to share information with redundant processes that are
running simultaneously and are aware of every programmatic change.
Simply failing over to some already-running process and hoping you can
retrieve state from a roll-back database is not going to cut it when
you're talking about systems that function in real time at LAN speeds.
Sure, you can use that approach for data-input operations, where a
noticeable delay won't affect the user's ability to enter data, but in
a real-time system at LAN speeds you can't roll back; the redundant
system has to already be there.
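To illustrate the distinction above, here is a minimal sketch (all class
and method names are hypothetical, not from any real product) contrasting
an active-active design, where every state change is committed to both
nodes before it counts, with a checkpoint/roll-back design, where the
backup only sees periodic snapshots:

```python
# Hypothetical sketch of the two replication styles discussed above.
# Names are illustrative only.

class ActiveActiveReplica:
    """Both nodes apply every state change synchronously, so the
    backup is always current when the primary fails."""
    def __init__(self):
        self.primary = {}   # e.g. firewall connection table on node A
        self.backup = {}    # the same table, mirrored on node B

    def apply(self, conn_id, state):
        # Committed to BOTH nodes before the change is acknowledged.
        self.primary[conn_id] = state
        self.backup[conn_id] = state

    def failover_state(self):
        return dict(self.backup)   # nothing is lost


class CheckpointFailover:
    """The backup only sees periodic checkpoints; anything applied
    after the last checkpoint vanishes on failover (the roll-back)."""
    def __init__(self):
        self.primary = {}
        self.checkpoint = {}

    def apply(self, conn_id, state):
        self.primary[conn_id] = state   # backup NOT updated here

    def take_checkpoint(self):
        self.checkpoint = dict(self.primary)

    def failover_state(self):
        return dict(self.checkpoint)   # post-checkpoint changes are gone


# Two connections arrive after the last checkpoint was taken.
aa = ActiveActiveReplica()
cf = CheckpointFailover()
cf.take_checkpoint()
for conn, st in [("tcp/1", "ESTABLISHED"), ("tcp/2", "ESTABLISHED")]:
    aa.apply(conn, st)
    cf.apply(conn, st)

print(len(aa.failover_state()))  # 2 -- backup knows every connection
print(len(cf.failover_state()))  # 0 -- both connections lost at failover
```

The point of the sketch: at LAN speeds the window between checkpoints is
never empty, so the roll-back design is guaranteed to drop live state.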
So while it may be good to have an HA system like the Integrix HA1000,
it's definitely not a "no single point of failure" system unless the
entire OS and application run redundantly on both systems in real time
with no roll-back mechanism.
Since the Integrix HA1000 provides nothing specifically in the way of
software fault tolerance, the question is: was NetSeer designed to
provide absolute software fault tolerance when run on this "new"
hardware platform? The next question is at what network speeds the
failover was tested and proven not to corrupt state information (and
who verified the results)?
Sorry, but I have a big problem with the notion that a failover can
occur without the system either losing state, sending state information
across an untrusted path, or dropping connections while state
information is being updated on the redundant backup after failover.
To me, these three represent new risks a firewall has to overcome, and
prove it has overcome, before it can claim it's not going to be a point
of failure. Anything less is simply Highly Available, meaning the
down-time is minimized, not eliminated completely as the claim was made.
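The third risk above is easy to see concretely. A stateful firewall
passes packets only for connections in its state table, so any packet
that reaches the backup before resynchronization completes gets dropped
and the TCP session breaks. A minimal sketch (all names hypothetical):

```python
# Hypothetical timeline for connections caught mid-resync after failover.

def filter_packet(state_table, conn_id):
    """A stateful firewall passes packets only for known connections."""
    return "PASS" if conn_id in state_table else "DROP"

# State the primary held at the moment it died:
primary_state = {"tcp/1": "ESTABLISHED", "tcp/2": "ESTABLISHED"}
backup_state = {}   # failover just occurred; resync has not finished

# A mid-stream packet for tcp/2 hits the backup before resync:
print(filter_packet(backup_state, "tcp/2"))   # DROP -- session broken

backup_state.update(primary_state)            # resync completes, if it can
print(filter_packet(backup_state, "tcp/2"))   # PASS -- but too late
```

Note the resync itself is the second risk: if that state transfer
crosses an untrusted path, it becomes an attack surface of its own.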
R.C. Consulting, Inc. - NT/Internet Security Consulting
ca <-- *note the new address*