Inkra Networks has taken on the enormous task of virtualizing security operations for the data center with its high-performance security switch. And while our tests found the product to be well architected overall, weak firewall, intrusion-prevention system and VPN applications, and poor management control mar the existing version of this product.
In short, Inkra has a solid vision for this product, but the switch needs more engineering effort to live up to its potential.
The Inkra 1518TX Virtual Service Switch we tested - running Version 2.1 of Inkra's embedded operating system, which has been shipping since February - is an 18-port (16 10/100 ports and two gigabit interface card ports), 2U device that can simulate as many as 125 racks of security appliances. Using Inkra's terms, a rack is an arbitrary collection of security applications, mixed as needed.
With either a command-line interface or GUI, you stack the applications together and attach the stack to one or more of the physical interfaces on the Inkra device. As an easy starting point, we defined a rack with a firewall and an IPS appliance, and attached it to two virtual LANs on the same physical port, replacing our existing VLAN-enabled firewall. With Inkra's virtualization architecture, you can build as many racks as you can afford (appliances are licensed on a per-rack basis), using either physical ports or VLANs to move them in and out of the Inkra multi-gigabit backplane.
After spending some time building racks, we uncovered the strengths and weaknesses of Inkra's approach. Unlike firewall vendors such as NetScreen Technologies and Cosine that have attempted to build virtual firewalls, Inkra has taken on every security application in the business, re-creating the engineering work needed for these products.
In all, Inkra has built firewall, global server load balancer, local server load balancer, intrusion prevention, Secure Sockets Layer accelerator, VPN and Web accelerator modules.
Choice is great, but having so many modules with different functions means that Inkra has single-handedly taken on not only the creation of its own virtualization technology, but also every major market segment in the network security and server management space. If you believe in "best of breed" purchasing, this approach won't be attractive to you.
We found rather quickly that Inkra can't hope to match the market leaders with this version of its software. In Inkra's quest to create so many security modules, it has cut corners in terms of features, management and quality-assurance testing.
The intrusion-prevention module threw false positives because it misinterpreted packets during our tests. Inkra has issued a patch for this bug since we tested. The VPN module had severe performance issues, limiting total throughput to a few megabits per second. Also, the stateful packet-filtering firewall includes only four application-layer gateways, whereas most enterprise firewalls have 10 or more. Plus, the management system had memory leaks that forced us to reboot the management server on multiple occasions.