
As pointed out by Shawn Nunley on the lb-l mailing list, o3 Magazine did a piece on rolling your own SSL accelerator and load balancer. Lori MacVittie over at F5 (who shares my affinity for cat pictures with grammatically dubious captions) did a cautionary piece suggesting that rolling your own Layer-7 device has some drawbacks to consider.
My take is that yes, rolling your own can be a great way to save some money, and yes, as Lori said, rolling your own can end up not saving you as much money as you’d thought. Rolling your own requires two things that you may not have: talent and time. If you’ve got those, then awesome. If not, a pre-packaged solution may work for you. The merits and drawbacks depend on your situation, and are also things upon which reasonable people can disagree.
And if there’s anything the Internet is known for, it’s that it is full of reasonable people (as evidenced by the comments section in Lori’s post).
Third Choice
But the decision isn’t between an expensive (yet impressive) BIG-IP LTM 6900 and a roll-your-own box; there’s a third option if you need the Layer 7/SSL acceleration, and that’s the value market. Vendors like KEMP Technologies, Coyote Point Systems, and Barracuda make Layer 7 devices that are much simpler to configure than a roll-your-own box yet cost about the same. You can spend about $10,000 USD and get around 2,000 SSL connections per second, as well as around 200 Mbps of throughput.
There are certainly situations where I’ve had to/greatly benefited from rolling my own. My home data center/laundry room is a perfect example. However, there are many times when using a pre-packaged solution is way better, even if it costs more.
A very nice summary, Tony, as always. I really must use more oddly commented cat pictures; there are so MANY to choose from.
Your “Third choice” is a good one to bring up. There are also a variety of more niche vendors like StrangeLoop (Microsoft specific) and the guys over at LoadBalancer.org have another solution as well that is quite affordable. Not to mention the plethora of XML-focused gateways such as IBM’s DataPower, Forum Systems, Vordel, and recent newcomer Sonoa Systems. It really depends on what you’re trying to achieve – and what kind of applications you need to deliver.
There are a lot of options out there; the important point (somewhat obscured amidst the … passion of the parties involved in the discussion) is doing the research and choosing a solution that best fits both technical and business needs.
Lori
Hi Tony (and Lori!),
I brought up the O3 article because I thought a few might find it interesting. Personally, I can’t imagine any high-revenue company actually attempting to put a major service behind a FOSS roll-your-own SSL accelerator, but you never know.
In my old age, I have come to prefer the fully-baked solutions that come with service agreements! But, it’s nice to see the options are out there. It wasn’t too long ago when people scoffed at the idea of using SSL/TLS for most/all of their traffic.
Best,
Shawn Nunley, CISSP