Striving for balance

Radware WSD Application Switch II and SysMaster 5000 differ in approach and scalability

LAST WEEK, WE reviewed F5 Networks' BIG-IP 5000 Application Switch, a high-end load balancer with a rich feature set that earned our highest rating of Deploy (see " Fight server overload "). This week we follow with reviews of the Radware WSD (Web Server Director) Application Switch II and the SysMaster 5000, two more worthy systems with impressive load-balancing capabilities.

As is the F5 system, the Radware unit is switch-based, with plenty of 10/100 and even Gigabit Ethernet ports. The SysMaster system is a router-based device, with only one 10/100 Ethernet port in and one out. Whereas the F5 and Radware units will handle very heavy loads and support hundreds or thousands of Web sites, the SysMaster is limited to 100Mbps of bandwidth. Nevertheless, the SysMaster is more than sufficient for most companies wanting to scale their Web sites by distributing the traffic loads across their Web server farms.

Each load balancer we tested has pluses and minuses. The F5 BIG-IP is less expensive than the Radware WSD and includes SSL (Secure Sockets Layer) acceleration and on-site installation support -- but using it to its limits as an SSL accelerator could compromise performance in other areas. The WSD includes protection against DoS (denial of service) attacks and provides excellent integration with other Radware devices, but it is relatively expensive, especially considering the extra cost of support packages. Finally, the Sysmaster costs less than the F5 or WSD system, and it includes a lot of extra functionality -- but has a relatively difficult interface and doesn't have the potential to handle as much bandwidth as the others. For an at-a-glance comparison of features of these three products, see our online chart at

Radware WSD Application Switch II

The Radware WSD has been around for several generations, and it is stable and refined in its setup and management interface. The switch-based architecture includes 16 10/100 Ethernet ports and five GBIC (Gigabit Interface Converter) slots for Gigabit Ethernet.

Setting up the WSD is straightforward, although the difference between the browser-based configuration utility and the stand-alone application is not made overly clear. Further, the browser-based configuration utility still requires installing a fairly large application -- one cannot simply browse to the IP address of the unit to administer it, as with F5's BIG-IP. This is supposed to be possible in the next release, however.

The WSD has a default IP address, which makes configuration simple; rather than dealing with a serial terminal, you install the management application and give it the default IP address. You can then perform the basic configuration, give the unit a real IP address, then reboot it to set up VLANs (virtual LANs), Web farms, and virtual servers.

Radware's documentation is clear and well-written, with lots of screen shots to familiarize the reader with the management interface. The WSD supports a wide range of load-balancing algorithms, including round robin, least traffic, least users, local least traffic and local least users, a special algorithm for NT servers, and two custom-defined algorithms. The local least traffic and local least users algorithms send only to servers in a local group, whereas the least traffic and least users settings allow for multiple groups.

The WSD supports persistence based on source IP address, SSL session ID, and cookies. Ordinarily, a Web client might be sent to a different server for each request. Persistence support enables the load balancer to send a client to a particular server throughout a session -- a capability that is necessary for completing e-commerce transactions and other processes involving exchanges of data.

Maintaining persistence is complicated by the fact that some Internet service providers, such as America Online, may give a client a different IP address every few seconds. Consequently, it is important for load balancers to be able to use something other than the source IP address to identify a client.

Health checking can be done by server, by services such as HTTP or FTP, or by specific URL, which checks to make sure that a specific page on the Web site is operating correctly. E-mail notification of alerts is supported. Other features include bandwidth monitoring and traffic direction based on content, source, or destination.

Redundancy of the load balancer is important to keeping sites up and running. You can have many servers in the Web farm, and no single server crash will bring down the Web site, but if the load balancer goes out, the whole site goes offline. There are two basic redundancy configurations among load balancers, active/active and active/passive. Active/active allows two load balancers to be in operation, servicing separate Web farms, and if one dies the other takes over all traffic for both farms. Active/passive mode puts one device on standby, keeping it inactive until another fails.

The WSD's redundancy features include an active/active mode and session information updates, so that a load balancer taking over for one that fails will get all the information for users connecting through that device. This means that even e-commerce transactions will be preserved if a device fails.

The WSD also detects and defeats a wide variety of hacker attacks, including DoS (denial of service), DDoS (distributed denial of service), ICMP (Internet Control Message Protocol) attacks, buffer overflows, SYN floods, IP spoofing, and others.

Technical support is not included in the base price of the WSD. Radware's CertainT support ranges from $4,320 for business day phone support to $9,000 for four-hour on-site response or an on-site spare.

The WSD is a mature product, well integrated with Radware's other firewall management, caching management, SSL acceleration, traffic management, and WAN link management products. The WSD is a good choice for large corporate Web sites or midsize ISPs.

SysMaster 5000

The SysMaster (SM) 5000 is a new product from a new company in the load-balancing space. The SM 5000 costs significantly less than the F5 and Radware units in our roundup, but is nevertheless feature-rich -- including QoS (quality of service), a firewall, VPN engine, intrusion detection system, geographic load balancing, and outbound routing -- with a relatively low price of $22,100.

However, the SM 5000 is also relatively difficult to administer. The management interface is clumsy compared to the other two devices, and the feature set is relatively unsophisticated. For example, the only choice for persistence is based on source IP address of the client (or a range of IP addresses). This can be a problem if the client is coming from AOL, for instance, which uses several ranges of IP addresses -- putting the burden for discovering and defining those ranges on the administrator.

Initial setup requires a serial terminal or connecting a monitor and keyboard to the system; the latter is the better option because it is not subject to the vagaries of terminal connections. Getting the initial configuration working to allow Web access was problematic because the terminology in the manual was not clear. On the other hand, reaching SysMaster's tech support was easy and fast, and the technician quickly led me through the configuration.

SysMaster's load-balancing and persistence modes offered less flexibility than the other two devices. Load-balancing modes include round robin, weighted round robin, least connections, weighted least connections, optimized weighted round robin, and optimized weighted least connections, but not fastest response or historical trending.

Persistence is limited to source IP or a range, but the range must be manually defined (just try to find out from AOL what their client IP ranges are), and does not include other options such as SSL session ID, cookies, or destination address.

Health checking includes server ping and service checking, which checks for the availability of a service such as a Web server or FTP server on a physical server. Alerts can be sent to the administrator for health checks, security alerts, and traffic-shaping alarms.

Other features include a firewall, traffic shaping and QoS, traffic monitoring, VPN capability, and geographic load balancing, which by itself is a $3,000 add-on to the F5 and Radware products. Redundancy modes include active/active and active/passive.

Geographic load balancing takes advantage of geographically distributed Web sites. For example, a geographic load balancer could send traffic to server farms in Chicago, New York, or Los Angeles, depending on which would provide the fastest response to the client. The SM 5000 can protect against ICMP attacks (ping attacks), reap idle connections to stop DoS attacks, perform source route tracing to stop IP spoofing, and reject SYNs without ACKs to stop SYN floods. The unit also stops teardrop and land attacks.

For a company with a single Web site or for a small ISP, the SM 5000 is a good choice -- as long as you don't need more sophisticated persistence functions, and are willing to wade through the documentation and negotiate a clumsy management interface.

See our related chart, .

See our related chart, .
InfoWorld Scorecard
Interoperability (10.0%)
Innovation (10.0%)
Support (10.0%)
Security (15.0%)
Suitability (15.0%)
Ease of use (10.0%)
Scalability (15.0%)
Implementation (10.0%)
Overall Score (100%)
WSD Application Switch II 10.0 9.0 9.0 10.0 10.0 9.0 10.0 9.0 9.1
SysMaster 5000 9.0 9.0 9.0 9.0 9.0 8.0 8.0 7.0 8.0