
The need for (enough) speed

Dec 05, 2005 | 3 mins
Network Switches, Networking

As we progress through each year, one thing is certain – network gear gets faster. Sometimes the increase manifests itself by a move up the Ethernet speed ladder, from 100 to 1,000 or now 10,000M bit/sec. Other times it is marked by faster look-up engines or greater port capacity. In any case, the network vendor’s mantra seems to be: You can never be too fast or have too many ports. But that is starting to change.

This year we’ve conducted validation projects for a series of vendors of security infrastructure and server load-balancers in which the paramount concern was enough speed and enough bandwidth – enough to meet or exceed the WAN or LAN access bandwidth that the prospective customer had available to drive the infrastructure gear.

To paraphrase a vendor CTO: Why do you need to buy a Gigabit-throughput perimeter security device if your broadband access link will never exceed 100M bit/sec? This fact is nothing new. We’ve seen it when vendors providing VPN solutions to customers running T-1 links would fight over performance – one, say, capable of 50M bit/sec and the other of 70M bit/sec. Both solutions represented such overkill for the measly 1.5M bit/sec delivered by the T-1 that a comparison was academic.

Vendors now seem to recognize the obvious – that their devices can be placed effectively in a variety of configurations, that the key element of that configuration is going to be the access bandwidth, and that this can vary exponentially (T-1 to Fast Ethernet to Gigabit Ethernet) among customers that are in the same class.

A build-to-fit approach makes both practical and economic sense. Being able to buy a box guaranteed to deliver 100M bit/sec – or 1G bit/sec – at an appropriate price is attractive to prospective customers. Interestingly, vendors take different approaches when delivering this bandwidth-oriented solution.

Some use these calibrated bandwidth and throughput delivery levels to select the bill of materials for the box – the components used to construct the appliance. Knowing the target performance levels, it is much easier to right-size the components and avoid buying an overly powerful (and overly expensive) network processor and other components that affect the build cost and, ultimately, the customer’s price. Customers can then buy the model that suits their environment.

Others take what can be called a lock-and-load – or perhaps load-and-lock – approach. They build a single box that can deliver at a variety of performance levels and use license keys to lock it to a certain level. A given box might be able to perform up to 1G bit/sec but will only do so when the appropriate license key is purchased and applied.

The obvious upside to such an approach is that customers can develop their environment without the proverbial forklift upgrade. On the other hand, one wonders whether one might be overpaying for powerful processing that cannot be used (without the upgrade) and might not be necessary to use.

So as you look at your intrusion, encryption, load-balancer and other edge infrastructure, keep your need for speed – now and in the future – in mind.

Tolly is president of The Tolly Group, a strategic consulting and independent testing company in Boca Raton, Fla. He can be reached at