Internal firewall balances traffic loads, creates secure network zones.

Ranch Networks is rolling out its first product, an appliance that combines the capabilities of many single-function boxes by performing tasks that range from firewalling to shaping traffic to imposing quality-of-service rules.

The start-up’s first product, RN20, sits in the traffic flow of a network and can load balance traffic to servers, manage bandwidth, deliver IP multicast traffic and switch traffic at layer 2.

It also includes a firewall that can create up to 12 security zones, each with unique inbound and outbound policies, to segment networks.

Other vendors make boxes that also perform multiple functions – Array, Expand, NetScreen, Packeteer, Peribit, Tipping Point – with a varying mix of capabilities. None of these competitors has a list of functions that matches exactly what the others offer, but they do compete.

To match all the features of a Ranch box would require a firewall appliance, a traffic shaping box, a load balancer and a layer 2 through 4 switch, says Chris Kerr, president of Ubergard Information Security Consulting in Avon, N.Y., which evaluated the RN20. Some customers might want to pick and choose among firewall, traffic shaping and load balancing vendors, and they would not likely be interested in the device.

Epana Networks, a pre-paid calling card company in New York City, considered buying separate Cisco firewalls and accelerators for routers to segment its networks, but found RN20 to be less expensive. The initial outlay was a fifth the cost, operating costs were half and the performance was between three and four times better, says Epana CEO Elie Seidman.

He says the cost of multiple, best-of-breed devices just didn’t make sense. “You pay an awful lot for the 30% to 40% extra features, but the incremental functionality was functionality we didn’t need,” Seidman says.

Like its competitors, RN20 creates a potential single point of failure for multiple functions, but this can be mitigated by pairing the devices, says Ranch president Brian Allain. Seidman says that with the tight integration among multiple stand-alone devices, if one were to fail, the others would be affected adversely in some way.

But for those who need mainstream capabilities in each area and want to save on the cost of buying multiple devices, RN20 is good enough, says Alex Sarin, Ranch’s senior vice president of engineering. “For 90% of customers, we are a pretty good fit,” he claims.

RN20 can carve up a network into 12 segments, using a broad range of filtering criteria to define each zone, such as port number, subnet, IP address range, MAC address or virtual-LAN tag. This enables internal network security without having to give network devices new addresses.

The box can also prioritize traffic that must pass through congested network links such as WAN connections by identifying traffic type and tagging it according to importance. It load balances using standards such as round robin and weighted round robin.

To do all this, the RN20 examines each packet, then enforces whatever rules the user has set for that type of packet. “We bust open the packet once and apply whatever policy you want to it,” says Sarin. Packets can be forwarded, dropped, copied, counted, proxied and reformatted to resolve network address translation problems, he says.

Multicast traffic can be blocked from designated zones to keep, for example, an executive committee videoconference from reaching the sales department. The box can also replicate traffic and multicast it based on policies.

Zone policies can be changed automatically on the fly by intrusion detection software made by other vendors, says Allain.
So if the intrusion detection system decides that, say, a virus has infected devices in a particular zone, the IDS can reconfigure RN20 policies via an SNMP interface to shut down traffic out of the affected zone. That could potentially isolate whatever damage the virus might do, he says.

RN20 has 12 10/100 Ethernet ports for connecting to network devices and can be managed via a Web-based graphical interface, separate network management software based on SNMP or via a command-line interface.

The device is available now and costs $20,000.

Ranch has 15 employees and is backed by about $10 million in funding from Sienna Ventures, MidAtlantic Venture Funds and Blue Rocket Capital. Executives hail from the likes of Avaya, Cajun Networks and Bell Labs.