The announcement last week that Check Point is adding clustering to its VPN and firewall software points out that VPNs are becoming more and more critical for certain applications.
The software feature, called ClusterXL, lets you cable together up to five servers running Check Point VPN-1/Firewall-1 software. If everything is working right, the servers can share the load of VPN traffic that needs encrypting or decrypting as it passes to and from the Internet.
If something goes wrong with one of these gateway servers, the others can pick up the slack without losing sessions. This means that remote devices that are engaged in active sessions with such a server cluster would never see the crash. The VPN sessions just keep running.
One advantage of this arrangement is that if you need to upgrade any or all of the machines, you can unplug them one at a time without shutting down the site or waiting until 3 a.m. when nobody's using it. Another plus is that users can add throughput as a site becomes busier by adding one more server. Their existing server or servers remain in use. Your initial investment is protected.
This clustering functionality is not new. Nokia, for instance, has its Cryptocluster series of VPN equipment that was designed from the operating system on up to be clustered and to maintain sessions. And Check Point partners, such as Compaq, have gone to other vendors including Rainfinity and Stonesoft for specialized clustering software. Added to Check Point's VPN-1/Firewall-1, they are able to offer clustered VPN gateways.
The fact that Check Point is now offering this capability on its own presumably indicates that it has customers who want it. That in turn implies that VPN connections are now being trusted to handle traffic that for business reasons cannot be interrupted - a sign that VPNs have arrived.
The advent of ClusterXL also means higher VPN throughput for sites guarded by VPN-1/Firewall-1. This may be a way of Check Point addressing the perception that VPN vendors that base their equipment on customer processors support higher speeds. Check Point says its current software version, known as Next Generation, is revamped to support higher speeds. ClusterXL is another feature that helps boost speed.
Check Point claims ClusterXL can group five servers for a total VPN throughput of 1.2G bit/sec, which is faster than what its competitors claim. If the software actually delivers on this claim in the real world - something that remains to be seen - it will be an impressive advance that competitors and potential users will have to note.
RELATED LINKS
Tim Greene is a senior editor at Network World, covering virtual private networking gear, remote access, core switching and local phone companies. You can reach him at tgreene@nww.com.
Network World VPNs archive
Past newsletters.
IDG News Service, 11/28/01
Network security's need for speed
Network World, 03/05/01
