Load Balancing Digest

20 Aug

KEMP LoadMaster 1500 Pre-Release Review

Note: Just a quick disclaimer here, I worked for KEMP in 2006.  I’m still Mr. Neutral when it comes to these devices, but I wanted to make sure there was full disclosure.  As with all reviews, I receive no payment whatsoever for reviews.  Only a big suitcase full of $100s would change that.

KEMP LoadMaster 1500

KEMP is a member of the value market vendors, and their LM-1500 is what put them on the map. Released in late 2005, the $2,500 price tag gained it a lot of fans. At the time, it was the only Layer 7 load balancer in that price range (a few more vendors have since introduced products at that price).

The LM-1500 has been reviewed before, but they’ve got some new code coming out that introduces some new functionality (including caching and compression), and they were kind enough to send me over a box with the soon-to-be-released code. (If you have a product you’d like to see reviewed on lbdigest.com, feel free to contact me [tony at lb digest dot com]).

Getting Started

The LM-1500 can be initially configured through either the VGA port with a USB keyboard, or through the serial port.  After it’s given an IP address, the rest of the configuration is done through a web interface.  There’s also a way to configure from the start with a web interface, as it comes up with a 192.168.1.100 IP automatically.

Administration

There is a command line interface, but virtually all of what you need to do is best done through the web interface.  One of the nice touches they’ve added is “download root certificate”, which installs the LoadMaster’s CA cert as trusted in your browser to get rid of the annoying but ubiquitous self-signed certificate warning.  Keep in mind that a browser which trusts that root will trust any certificate signed by it, so only install it on the workstations you administer the box from.

Creating a Virtual Service (VIP) is pretty straightforward.  Give it an IP address and port, select your options (L7, cookies, etc.), and so on. There are also configuration options for a “sorry server”: if none of your regular servers are up, the LM will send traffic to the sorry server, which can serve some sort of “sorry, we’re not working right now” page.

There’s also a handy stats section, reporting on the various performance metrics of the device.  Most of these metrics are also available through SNMP (for PRTG/MRTG, etc.).

App Delivery Features

The LM-1500 does the standard Layer 4 load balancing, as well as the more advanced cookie-based persistence and web switching.  The only drawback is that you cannot do both web switching and cookie-based persistence at the same time.

There are quite a few options available in a virtual service configuration, including transparency (full-NAT or half-NAT), health checking, and a “sorry server” for when all the servers in your main web app farm go down.

SSL certificate management also works well, making it pretty easy to add/remove/change SSL certificates assigned to virtual servers. The LoadMaster automatically installs a self-signed certificate when you turn on SSL termination, and gives you the option to install CA certs and intermediate certs.  The LoadMaster 1500 does not include an RSA SSL ASIC, however (see the box section for more specifics).

Network Architecture

As I’ve said before in other reviews, one of the aspects missing in a lot of reviews is how the product fits into the network, so I make a point to include some details.

The LM-1500 operates only in Layer-3 route-path mode; it cannot be used as a Layer-2 bridge-path load balancer.  To keep the client’s source address visible to the real servers (transparent mode), the LM-1500 must be the servers’ default gateway so that return traffic passes back through it; otherwise use it in non-transparent mode, where the servers see the LoadMaster’s address as the client and reply to it directly.   One of the easiest ways to put an LM-1500 into a network is the one-armed mode, where the Virtual Service IPs (VIPs) and the real servers all sit on the same subnet.

The LM-1500 also works well in two-armed mode, which is typically when you have the Virtual Service IPs on a public subnet and the real servers on a private RFC1918 address space (such as 192.168.x.x).

The Box

The box itself is of solid metal construction, and doesn’t look or feel “cheap”.  The bright gold is unmistakable, and in addition to being prominent in a data center, it would probably keep me safe on my late night training runs.

Stat-wise, the system is powered by a VIA Eden chip, with 512 MB of RAM which is more than sufficient for this class of system.  On-board storage is solid-state flash, so there are no moving parts (other than a fan) and the system boots very quickly.

There are three 10/100 Fast Ethernet interfaces, each operating in routed mode (the LoadMasters don’t do bridged), so each interface would be on a different subnet.

The system boasts an on-board SSL chip, however the chip only does the symmetric “bulk” encryption algorithm AES.  Most of the heavy lifting in an SSL connection is the asymmetric RSA private-key operation performed when the connection is established.  While AES bulk encryption would help tremendously with long-lasting download-type connections, it’s of little use for rapid-fire short-lived connections, which is what most web connections are.

Caching and Compression

The newest addition to the LM-1500 (and the other LoadMaster models) is caching and compression, along with web application firewall abilities.

In its initial deployment, there’s not much you can configure with the caching and compression, other than turning it on or off per virtual service.  I was able to verify that cached objects came from the LoadMaster, and not the server.

With the LoadMaster, compression is actually another method of caching.  Instead of the on-the-fly compression that most other products do, objects are cached by the LoadMaster, and compressible objects are compressed once in the cache.  This doesn’t get you the benefits of on-the-fly compression for dynamic web pages, but it’s much easier on the CPU (there’s no compression ASIC on the LM-1500).

For compression, I used the simple apache.gif file that comes with the Apache distribution.  Normally, it’s 2410 bytes.

Content-Type: image/gif
Content-Length: 2410

After turning on compression, I see the LoadMaster send back a gzip’d image.

Content-Type: image/gif
Content-Encoding: gzip
Content-Length: 1795

That’s a slight decrease, but not really a fair test since there’s not a lot to compress (GIF image data is already LZW-compressed, so gzip has little left to squeeze).  So to give a better test, I saved the main page of lbdigest.com, and the HTML file came out to about 38K.  I put it up as a static page on my test server, and accessed it through my browser.

Content-Length: 38180

Turning on compression, I accessed the page again:

Content-Encoding: gzip
Content-Length: 11041

From 38k to 11k, that’s more than a 3 to 1 compression ratio on the main page.  Not too shabby.  If your clients were on a 56k dialup line, or connecting from a PC in say Bali, Indonesia, that 3 to 1 savings could mean a much faster page load.

With caching and compression, your mileage may vary quite a bit, depending on the nature of your users and the nature of your content.  It could help tremendously, or it could end up slowing your site down significantly, so it’s something that’s best to test first (this is true for any product that does caching).
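To make the two measurements above reproducible offline, here is an added example (my own script, not KEMP’s code or anything from the LoadMaster). It gzips constructed stand-ins for the two kinds of objects tested, an already-compressed image and a repetitive HTML front page, parses header blocks in the form quoted above (built from the numbers in this review), and applies a hypothetical per-content-type policy of the kind the wish list below asks for. The sample data, the header strings and the policy lists are all constructed for the example.

```python
import gzip
import random


def gzip_ratio(data: bytes, level: int = 6) -> float:
    """Original size divided by gzip size; above 1.0 means compression helped."""
    return len(data) / len(gzip.compress(data, compresslevel=level))


def sample_gif(size: int = 2410) -> bytes:
    """Constructed stand-in for apache.gif (2410 bytes): a GIF signature followed
    by pseudo-random bytes, which behaves like already-LZW-compressed image data."""
    rng = random.Random(2410)
    body = bytes(rng.getrandbits(8) for _ in range(size - 6))
    return b"GIF89a" + body


def sample_html(items: int = 400) -> bytes:
    """Constructed stand-in for a blog front page: repetitive markup, the kind
    of content gzip handles best."""
    rows = "".join(
        f'<li class="entry"><a href="/2008/08/post-{i}/">Post number {i}</a>'
        f' <span class="date">20 Aug</span></li>\n'
        for i in range(items)
    )
    return f"<html><body><ul>\n{rows}</ul></body></html>\n".encode()


def parse_headers(raw: str) -> dict:
    """Header block as quoted in the review -> {lower-cased name: value}."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def is_compressed(headers: dict) -> bool:
    """True when the response carries a compressed Content-Encoding."""
    return headers.get("content-encoding", "").lower() in ("gzip", "deflate")


# Header blocks constructed from the two HTML measurements quoted in the review.
UNCOMPRESSED = "Content-Length: 38180\n"
COMPRESSED = "Content-Encoding: gzip\nContent-Length: 11041\n"


def observed_ratio(before: str, after: str) -> float:
    """Compression ratio implied by a pair of Content-Length headers."""
    return int(parse_headers(before)["content-length"]) / int(
        parse_headers(after)["content-length"]
    )


# Hypothetical per-type policy for the wish-list item (not a LoadMaster feature):
# compress text-like types, skip formats that are already compressed.
COMPRESSIBLE_TYPES = ("text/", "application/javascript", "application/json", "application/xml")
ALREADY_COMPRESSED = ("image/", "video/", "audio/", "application/zip", "application/gzip")


def should_compress(content_type: str) -> bool:
    """Decide from the Content-Type (parameters such as charset are ignored)."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type.startswith(ALREADY_COMPRESSED):
        return False
    return media_type.startswith(COMPRESSIBLE_TYPES)


if __name__ == "__main__":
    print(f"gif  gzip ratio: {gzip_ratio(sample_gif()):.2f}")
    print(f"html gzip ratio: {gzip_ratio(sample_html()):.2f}")
    print(f"review's html ratio: {observed_ratio(UNCOMPRESSED, COMPRESSED):.2f}")
    for ct in ("text/html; charset=utf-8", "image/gif"):
        print(f"{ct}: {'compress' if should_compress(ct) else 'skip'}")
```

The pseudo-random “GIF” comes out of gzip at roughly its original size (the gzip framing actually adds a few bytes), while the repetitive HTML shrinks several-fold, which is why a content-type or extension policy matters: spending CPU and cache space to gzip images and archives buys nothing.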

Wish List:

My wish list would be the ability to exclude/include file extensions (no PHP, yes on JPG, etc.) and some better reporting of cache and compression statistics.

IPS/Web Application Firewall

Another new addition to the LoadMaster is IPS/WAF (Web Application Firewall) capability (the only other value market product to have this capability is the Barracuda, which I have not personally tested).  The LoadMaster uses SNORT-compatible rules (you can get a limited set for free at snort.org) to catch malicious requests.  For instance, request “/etc/passwd” as the URI (http://domain.com/etc/passwd) and the connection will be blocked at the LoadMaster and not forwarded to the server.  Since this is signature matching on the request, it’s worth testing with encoded variants of the same URI (e.g. %2fetc%2fpasswd) to confirm the rules are applied after decoding.  Reporting is basic in this first release as well, with blocked requests reported through syslog.

08-01-2008 10:10:39 Invalid URL '/etc/passwd' - WEB-MISC /etc/passwd

Having a web application firewall is one of the two options under PCI DSS requirement 6.6, which as of June 2008 calls for either an application code review or a web application firewall in front of public-facing web applications.

Wish List:

The ability to pull automatic updates and the ability to get your subscription through KEMP (rather than finding SNORT rules on your own) would be my wishlist for this feature.
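To show concretely what rule-driven blocking of the kind described above does, and where it stops, here is an added example in Python (my own illustration, not KEMP’s implementation and not the LoadMaster’s rule engine). It parses a small constructed subset of Snort rule syntax (content, nocase, pcre), percent-decodes the URI before matching so that encoded variants are caught, blocks on the first hit, and writes a syslog line in the same shape as the one quoted above. Alongside it is a hypothetical positive-model allowlist for a small blog, to show the difference between blocking known-bad patterns and permitting only known-good URL shapes. The rule text, sid values (local-rule placeholders, not real Snort IDs), sample URIs and allowlist are all constructed for the example.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed rules in a small subset of Snort syntax (content, nocase, pcre).
# The first rule's msg mirrors the syslog line quoted in the review; the sid
# values are local-rule placeholders, not real Snort rule IDs.
RULES = r'''
alert tcp any any -> any any (msg:"WEB-MISC /etc/passwd"; content:"/etc/passwd"; nocase; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"WEB-MISC directory traversal"; content:"../"; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"WEB-ATTACKS uname -a"; pcre:"/uname\s+-a/i"; sid:1000003; rev:1;)
'''

RULE_RE = re.compile(r"^alert\s+\S+\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\((.*)\)\s*$")


def parse_rules(text: str) -> list:
    """Parse each rule's option block into a dict (flag options map to True)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule: {line}")
        opts = {}
        for opt in m.group(1).split(";"):  # naive: breaks on ';' inside quotes
            opt = opt.strip()
            if not opt:
                continue
            if ":" in opt:
                key, value = opt.split(":", 1)
                opts[key.strip()] = value.strip().strip('"')
            else:
                opts[opt] = True
        rules.append(opts)
    return rules


def normalize(uri: str) -> str:
    """Percent-decode until stable (catches double encoding) and fold
    backslashes, so '/etc/%70asswd' is inspected as '/etc/passwd'."""
    prev = None
    while prev != uri:
        prev, uri = uri, unquote(uri)
    return uri.replace("\\", "/")


def rule_matches(rule: dict, uri: str) -> bool:
    """Apply one parsed rule to an already-normalized URI."""
    if "content" in rule:
        hay, needle = uri, rule["content"]
        if rule.get("nocase"):
            hay, needle = hay.lower(), needle.lower()
        return needle in hay
    if "pcre" in rule:
        body, flags = rule["pcre"][1:].rsplit("/", 1)  # "/body/flags"
        return re.search(body, uri, re.I if "i" in flags else 0) is not None
    return False


def check_signatures(uri: str, rules: list) -> tuple:
    """Negative model: block on the first matching signature."""
    norm = normalize(uri)
    for rule in rules:
        if rule_matches(rule, norm):
            return ("block", rule["msg"])
    return ("allow", None)


def syslog_line(uri: str, msg: str, when: datetime) -> str:
    """Same shape as the blocked-request line the review quotes."""
    return f"{when:%m-%d-%Y %H:%M:%S} Invalid URL '{uri}' - {msg}"


def demo_log_line() -> str:
    return syslog_line("/etc/passwd", "WEB-MISC /etc/passwd", datetime(2008, 8, 1, 10, 10, 39))


# Hypothetical positive model for a small blog: only known URL shapes pass.
ALLOWED_PATHS = [
    re.compile(r"^/$"),
    re.compile(r"^/(?:index|about)\.html$"),
    re.compile(r"^/\d{4}/\d{2}/[\w-]+/?$"),
    re.compile(r"^/static/[\w.-]+\.(?:css|js|gif|png)$"),
]


def allowlist_check(uri: str) -> str:
    """Positive model: allow only if the normalized URI matches a known shape."""
    return "allow" if any(p.match(normalize(uri)) for p in ALLOWED_PATHS) else "block"


if __name__ == "__main__":
    rules = parse_rules(RULES)
    for req in ("/2008/08/loadmaster-review/", "/etc/passwd", "/etc/%70asswd",
                "/ETC/PASSWD", "/search?q=uname%20-a", "/cgi-bin/test.cgi?x=1"):
        print(f"{req:32} signatures: {check_signatures(req, rules)!s:40} allowlist: {allowlist_check(req)}")
    print(demo_log_line())
```

The last sample request is the point of the contrast: a request to a CGI script with an unexpected parameter matches no signature and sails through the negative model, while the allowlist blocks it because it is not a URL shape the site is known to serve. Signature rules are only as good as the rule set and the normalization in front of them; the allowlist needs no rule updates but has to be maintained as the application changes.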

Conclusion

Overall, this is a very solid release.  The new features (caching, compression, WAF) are going to be very handy for the SMB.  They are a bit sparse in their configuration, but work quite well for a first release.  The same code will run on all of the LoadMaster line, the only difference being that the LM-2500 and up have SSL accelerator cards (for the RSA heavy lifting, not just AES).

Availability of the new release will be in the next few weeks.

5 Responses to “KEMP LoadMaster 1500 Pre-Release Review”

  1. the application delivery network » Tony's Take: KEMP Technologies LoadMaster 1500 Says:

    [...] Posted by: The ADC in KEMP Technologies, Reviews Tony Bourke of LBDigest recently (lucky guy) got to take a look at the pre-release version of KEMP Technologies’ LoadMaster [...]

  2. NoName Says:

    Hi,
    It’s nice to see such a product review, but I’m sorry to say that the author does not know much about application security.

    He claims “the only other value market product to have this capability is the Barracuda”, which is absolutely wrong. There are a lot of WAFs (Web Application Firewalls) out there that have load balancing ability, or even load balancers that have web application security ability. Have a look at F5, Imperva, Deny All, Visonys, Citrix and ….

    Sorry to be rude but the author is absolutely wrong and with such an article the only purpose is to have one company in a very good position.

    Cheers

  3. tony Says:

    Hello,

    I would refer you back to the article, where it talks about this being a value market product, that is products specifically marketed (and priced) towards the SMB. F5 and Citrix are ADCs that are marketed at larger enterprises, and are priced accordingly.

    So no, it’s not wrong, Barracuda is the only other vendor in the value ADC market that offers WAF.

    -Tony

  4. Ofer Shezaf Says:

    Systems supporting only snort rules and lacking a positive security model are not usually considered a web application firewall, but rather an intrusion prevention system.

  5. Load Balancing Digest » Blog Archive » Web Application Firewall: What’s In A Name? Says:

    [...] my recent review of KEMP’s new LoadMaster software, which includes Web Application Firewall capabilities, Ofer Shezaf (from breach.com) had this to [...]

© 2009 Load Balancing Digest