The hosting arm of Xerox has found a way to save money by switching from multiple brands of firewall to a single vendor's whose gear supports other functions as well, enabling the provider to eliminate separate network devices and their separate management consoles.

Based on Xerox's return-on-investment calculations, the Stonesoft firewalls paid for themselves in just over a year when used only as firewalls. But when adding their VPN, content switching and multi-link WAN load-balancing capabilities - which were not considered when the gear was bought - the devices have generated more savings, according to Denys Foley, the infrastructure manager for Xerox Global Services in Rochester, N.Y.

"We spend less time setting up VPNs and their policies," he says. "I have also taken my content switches out of the Web farm, and I let the firewalls handle distributing the load among Web servers. I get rid of licenses and training, and I can manage all [these functions] from one console."

Xerox Global Services hosts data for other companies at its data centers in Rochester and in Charlotte, N.C., and requires high-availability links to its customers. That includes high availability for the firewalls that protect the connections, Foley says. So, four years ago, using firewalls from Check Point, Cisco and Network Associates, the company sought separate clustering software to bind multiple firewalls together.

In the course of that search, Foley came across Stonesoft, which makes StoneBeat clustering software for Check Point firewalls and learned that the company's StoneGate firewalls included clustering as a standard feature, so he gave one a try. He liked it and over the past three years has replaced all but two of his old firewalls at Xerox's 20 sites with StoneGates.

"I think the thing that caught our eye more than anything was the management console and the ability to cluster," he says.

The big push for clustering was so if one firewall failed, another automatically assumed its role, making protection reliable enough that Xerox didn't need a second and third firewall administrator shift to be on hand if something went wrong. "Staffing at second shift was three people; after midnight the third shift was one or two," Foley says. "We no longer needed them. The cost of this type of people was very high compared to putting in clustered firewalls."