That last point is key.
In talking with our customers and channel partners, many expressed their frustration with the performance of other compute-intensive networking and security products, such as NGFWs, DDoS protection, Web application firewalls and IDS/IPS virtual appliances. The commonality among these seemingly diverse products is that all of them use SSL, which with the advent of the 2048-bit standard has become highly compute-intensive (roughly 5x the demands of the previous 1024-bit standard).
Another commonality is that all of these solutions were originally designed to run on dedicated hardware appliances, in which it is fairly simple to allocate resources to ensure adequate performance. This is not the case in virtual environments; memory and compute resources are shared across multiple VAs. Further compounding the problem: Shared I/O resources. In order to process network traffic at the high performance levels needed for satisfactory QoS, I/O access cannot be constrained. One option is to use SR-IOV (single root input/output virtualization), supported by many hypervisors, which is designed for high performance. However, it is notoriously difficult to source and configure the correct NIC to support a given VA, and moving a VA typically requires a complete reconfiguration.
Some of our customers and partners have attempted to surmount these challenges by turning to “combo” (or integrated) appliances – NGFW combined with SSL VPN, for example. Many of the same problems still exist in this model – resource contention, for example. And rarely, if ever, can all solutions combined in an integrated appliance be considered best of breed.
From the beginning, we envisioned the AVX Series as an open platform that would address these challenges by giving IT managers a choice – of the best-of-breed solutions, as well as of the system resources to ensure performance and quality of services, all while allowing easy provisioning and management. Essentially, the agility of cloud and virtualization, with the performance of dedicated hardware, or, in other words, a network functions platform.
We’ve also implemented SR-IOV within the AVX Series network functions platforms in a manner that resolves the sourcing and configuration headaches posed by virtual environments. Each instance within an AVX appliance has its own guaranteed I/O resources, so there can be no ambiguity in assigning NICs. Further, using our ArrayOS operating system, we’ve abstracted and streamlined the process of SR-IOV configuration.
To complete the vision, Array has begun testing and verifying best-of-breed third-party networking and security appliances to run on the AVX Series network functions platform. Earlier this week, we announced the first validated product in the AVX Series ecosystem – Positive Technologies’ Application Firewall (AF). The PT AF is the only product listed as a Visionary in the Gartner Magic Quadrant for Web Application Firewalls, and features correlation mechanisms to focus on major threats; instant, targeted protection; and evolving security to protect even against zero-day exploits.
For Array customers and partners, the AVX Ecosystem offers the assurance of tested and proven, high quality network and security solutions to mix and match as needed within the AVX Series environment. Deployment and integration guides will provide step-by-step assistance in rolling out these certified third-party solutions.
Our testing with networking and security VAs like Fortinet’s FortiGate next-gen firewall has proved that the AVX Series can deliver between 4x and 5x improvement in performance and throughput over that provided in a virtualized environment using commodity servers, I/O and other resources. In addition, the next AVX version will support management and provisioning of third-party devices via either console (if available) or Virtual Network Computing (VNC) connection using a VNC client such as VNC Viewer.
Better yet, the AVX Series and its ecosystem allows you to consolidate network and security appliances, saving rack space, power and cooling costs as well as overall costs. Our consolidation ROI analysis is below for a scenario involving 32 customers or applications, each requiring about 4 Gbps throughput. Note that we’ve based the analysis on Array ADCs running on an AVX10650; third-party ecosystem VAs may differ slightly:
|Virtual ADC (VA)||Physical ADC (HW)||AVX Series (Platform)|
|# of ADC Instances||32||32||32|
|ADC Cost||2x more
|½ to ¾ the cost|
|Additional Server Cost||Yes||No||No|
|Add’l Hypervisor Cost||Yes||No||No|
|Portable & Fungible||Yes||No||Yes|
Imagine the possibilities that the AVX Series and its ecosystem can deliver for your network. We’re interested in your input; drop us a line in the comment box below and let us know which third-party network and security appliances you’d like to see running on the AVX, or send us any questions or comments you may have.