The devil's in the details of this virtual security switch
By Joel Snyder
Network World, 04/05/04
Inkra Networks has taken on the enormous task of virtualizing security operations for the data center with its high-performance security switch. And while our tests found the product to be well architected overall, weak firewall, intrusion-prevention system and VPN applications, and poor management control mar the existing version of this product.
In short, Inkra has a solid vision for this product, but the switch needs more engineering efforts to live up to its potential.
The Inkra 1518TX Virtual Service Switch we tested - running Version 2.1 of Inkra's embedded operating system, which has been shipping since February - is an 18-port (16 10/100 ports and two gigabit interface card ports), 2U device that can simulate as many as 125 racks of security appliances. Using Inkra's terms, a rack is an arbitrary collection of security applications, mixed as needed.
With either a command-line interface or GUI, you stack the applications together and attach the stack to one or more of the physical interfaces on the Inkra device. As an easy starting point, we defined a rack with a firewall and an IPS appliance, and attached it to two virtual LANs on the same physical port, replacing our existing VLAN-enabled firewall. With Inkra's virtualization architecture, you can build as many racks as you can afford (appliances are licensed on a per-rack basis), using either physical ports or VLANs to move them in and out of the Inkra multi-gigabit backplane.
After spending some time building racks, we uncovered the strengths and weaknesses of Inkra's approach. Unlike firewall vendors such as NetScreen Technologies and Cosine that have attempted to build virtual firewalls, Inkra has taken on every security application in the business, re-creating the engineering work needed for these products.
In all, Inkra has built firewall, global server load balancer, local server load balancer, intrusion prevention, Secure Sockets Layer accelerator, VPN and Web accelerator modules.
Choice is great, but having so many modules with different functions means that Inkra has single-handedly taken on not only the creation of its own virtualization technology, but also every major market segment in the network security and server management space. If you believe in "best of breed" purchasing, this approach won't be attractive to you.
We found rather quickly that Inkra can't hope to match the market leaders with this version of its software. In Inkra's quest to create so many security modules, it has cut corners in terms of features, management and quality-assurance testing.
The intrusion-prevention module threw false positives because it misinterpreted packets during our tests; Inkra has issued a patch for this bug since we tested. The VPN module had severe performance issues, limiting total throughput to a few megabits per second. Also, the stateful packet-filtering firewall includes only four application-layer gateways, whereas most enterprise firewalls have 10 or more. Plus, the management system had memory leaks that forced us to reboot the management server on multiple occasions.
Inkra engineers clearly have thought hard about how to manage multiple security elements and built an excellent model for network-wide management of many devices with the optional Center Point management system. A virtualization requirement is delegated management, which Center Point covers well. When we went through Inkra's scripted demonstrations, everything worked pretty well. But when setting out on our own to test the product more rigorously, we ran into more rough edges. Although Inkra provided a 2.4-GHz system with 2G bytes of RAM to use as the management server, we found management to be slow, with some screen changes taking as long as 20 or 30 seconds. When we were uncovering another management bug (which Inkra has issued a patch for), we found issues with the debugging tools. We couldn't use these tools to find the answers to simple questions, such as "How many packets are moving from this module to the next?"
One point in Inkra's favor on the management application is its built-in simple protocol analyzer, a great idea for a system that otherwise has no way to monitor traffic.
Inkra advertises a 1G bit/sec throughput on the 1518TX, and we found that to be quite optimistic. (See "How we did it.") Performance varied wildly depending on the choice of modules within the rack. In the worst case, we discovered that a combination of VPN, firewall and intrusion-prevention modules limited total throughput of the system to 15,160K bit/sec (about 210 transactions/second). Inkra confirmed that its VPN performance is the bottleneck here and suggested that it intended for the VPN module to be used for remote access and management purposes and not as a site-to-site connection tool.
Additionally, the firewall module was severely constrained by HTTP session establishment rates to about 1,900 sessions per second, whether using short (1K) transactions (throughput of 55M bit/sec) or long (32K) transactions (throughput of 396M bit/sec).
When we added the intrusion-prevention module, transaction rates dropped even further to between 15M and 38M bit/sec.
Inkra faces an uphill battle with this product - even after it works out the kinks in what officials say will be an enhanced quality-assurance process for its next release. As firewall vendors stretch their own products with built-in VPN and IPS feature sets, Inkra will be hard-pressed to keep up. Instead, the virtualization technology will fit better into a data center and service provider environment where requirements on firewalls are more modest, and feature sets, such as virus scanning, HTTP header filtering, and policy-based access controls, are not called for.
As a single-customer, entry-level product, the 1518TX has little cost advantage over the horde of line-speed firewall, VPN and IPS products on the market. However, when stretched to its limits, with fully delegated management across 125 or more customers, the per-customer price drops to a very attractive $640. With that economy of scale, Inkra might have its best chance of success in the service provider market.