Enterprises and carriers looking to deploy load-balancers, high-performance, high-availability firewalls, VPNs, antivirus products and IDSs (intrusion-detection systems) can end up with an unwieldy host of devices on their racks. To make matters worse, very few antivirus products or IDSs support high availability. Enter the Crossbeam X40: a scalable, consolidated system with hot-swappable, redundant components that houses all these applications in a huge 17U chassis that's easy to configure and works as advertised.
This behemoth runs any Linux application, though you may need help from Crossbeam to package and install your applications. The X40 comes at a big price, but that's more than offset by the benefits gained by reducing the number of physical machines--simplified networking with no interconnecting cables, switches or load-balancers to deal with, expandability and a fast backplane (Crossbeam claims 40 Gbps).
The chassis comprises a series of diskless Linux workstations that connect to the operating system via an NFS (Network File Sharing) mount. The X40 Crossbeam I tested in our Syracuse University Real-World Labs® had two network blades, two management blades and five application blades, but the unit can handle a maximum of 10 application blades. The blades are tied together through the backplane to the management and network interfaces. The X40 automatically assigns and reassigns blades for your application needs: Simply ask it to give you two blades for firewalls, and the X40 does the rest. For logging or storage, you can outfit the application blades with a local hard drive.
Crossbeam lets you configure the X40 via a connected console cable, telnet or SSH, or from the Web GUI. The first step is to create Virtual Application Processor (VAP) groups--a selection of blades for failover or load-balancing. Next you need to prioritize the blades for failover. In the event no standby blades are left, you'll have the option to swap out a blade with a lower priority. Although you can give the VAP groups multiple applications to run simultaneously, Crossbeam recommends one application per blade.
I asked the X40 to assign two Check Point Software Technologies firewalls in load-balancing mode, one Snort IDS and Trend Micro's InterScan VirusWall antivirus product to the blades. This left me with one application blade for standby.
Running the Circuit
I indicated the IP addresses of the VAP groups and assigned IPs for the internal and external ports of my firewall and antivirus groups. The Snort IDS sits in promiscuous mode, so I didn't need to assign it an IP. Then I designated the paths over which traffic would flow. I set VirusWall to scan all Web traffic for viruses by using the antivirus product as a Web proxy. I also set up a rule that VirusWall would forward its traffic to one of the Check Point firewalls, and I configured the firewalls as if they were standalone boxes. Finally, I tied my circuits to physical interfaces, and I was ready to test.
SUB: FTP 5,000
I ran 5,000 simultaneous FTP transfers to test connectivity and failover. The X40 displays traffic on a monitoring interface, so I could see which of the two firewalls was inspecting my IP traffic. I pulled the associated blade out of the chassis and watched it fail over to the secondary with only a short pause. The standby blade booted, and within a few minutes I had two firewalls. I questioned the delay and discovered that when a blade is repurposed or removed from standby mode, it has to load a new operating system image.
• New application blades don't load instantaneously
• Expensive
Vendor Info
The Crossbeam X40S, starts at $73,800. Crossbeam Systems, (866) 276-7797, (978) 318-7500. www.crossbeamsystems.com
I set up a client to proxy Web traffic through the antivirus blade's IP. I then tried to download an executable containing the Happy99 virus, and Trend's VirusWall blocked it. Then I gave the VAP assigned to the Trend application a higher priority than the IDS VAP group and failed the Trend. The X40 took down the IDS and brought it back up as a Trend blade. The device can also be configured to fail over to one of the two firewall blades, but one firewall will always be active.
The physical interfaces can also be set up for failover. I assigned the gigabit ports as primaries and the 10/100 UTP ports as backups. When I unplugged the fiber cable, the device failed over seamlessly. You can configure the X40 so it will switch back to the master when it comes online or so an administrator must switch it back manually.
Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University Real-World Labs®. Write to him at mdemaria@nwc.com.
REPORTS
Analyize In-Line NAC strategies and products.
ANALYTICS Plan and design your enterprise blade server deployments
InformationWeek U.S. IT Salary Survey 2008
Salaries for business technology professionals are falling. Here's what you need to know in order to make good hiring decisions and personal career choices. Download Today
REPORTS
ANALYTICS
Follow 
