August 19, 2011
In the server world, an appliance is a completely enclosed turn-key unit, in which the operating system, application software and client interfaces are integrated into one easy-to-deploy package. Administrators don’t need to spend nearly as much time managing an appliance as they do a typical server. The hardware and software are pre-installed and configured by the manufacturer, and the unit is typically a plug-and-play device. Very secure, hardened appliances also require no management of security tools such as firewalls and anti-virus software. For several years, Raritan has provided its CommandCenter Secure Gateway centralized management solution in the form of an appliance. Rack-mounted hardware and virtualized versions are available. The hardware (or physical) appliance is deployed as a two-unit “cluster” for easy primary/secondary redundancy. When added scalability is needed, primary units can be set up in a multi-appliance “Neighborhood”.
Other solutions in the market are available simply as Windows or Linux applications and use what’s known as a “hub & spoke” configuration to enable scalability and redundancy. A hub & spoke solution consists of one primary host or “hub” server and one or more secondary “spoke” servers. Access & management application software is installed on each server in the configuration, and each server is identified as either a hub or a spoke. Each hub & spoke server contains a database for storing user, configuration and system information. Each unit also serves as a point for authentication, user access rights, logging and licensing. One of the servers is assigned “hub” status and contains the system’s master database.
Because CC-SG is provided as a completely enclosed turn-key appliance, the operating system, application software and client interfaces are integrated into one easy-to-deploy package. Conversely, the leading hub & spoke solution consists of a software package which runs on servers that customers must provide, manage and maintain themselves. While CC-SG customers can look forward to an occasional firmware upgrade, hub & spoke administrators have to worry about maintaining server operating systems, firewalls, anti-virus software, spyware, hardware maintenance and much more.
It’s important to note that while the Neighborhood feature is an excellent option for increased scalability and other benefits, the performance of just one CC-SG exceeds the needs of a vast majority of organizations. A majority of customers install only one primary CC-SG, along with a backup unit if desired (i.e. one cluster). And in most cases, when a Neighborhood is deployed, it consists of only two units. Compare this to a hub & spoke configuration, which often includes three or more servers.
Other key benefits of appliances:
Less Network Overhead: Because CC-SG users enter the Neighborhood through only one of the member units – and can then access any target that’s connected to any other CC-SG in the Neighborhood – there is no synchronization of databases among the primary units. Within a cluster, the database of the CC-SG primary/backup pair is kept in sync in real time. No scheduled tasks are needed. And because updates are constant, they are very small, unlike scheduled bulk updates.
Network overhead in a hub & spoke configuration is considerably higher. Access to target devices is available from the hub or any of the spokes. And each server also has a role in failover and backup. As a result, to ensure accurate rights management, logging and reporting, significant database synchronization – and therefore significant use of the network – is required.
More Secure Access: CC-SG users access all targets – even those directly connected to and managed by other Neighborhood CC’s – through one “home” CC-SG. Users can use any of the Neighborhood units as their home CC-SG, but there is only one possible point of access to the Neighborhood. Administrators can ensure that all management occurs through one point of access.
Hub & spoke users can enter through any server in the configuration, so access rights management can be a significant chore. And, due to its low security profile, Linux-based appliance architecture, CC-SG is much more immune to viruses and hacking.
No Single Point of Failure: With the easy implementation of a CC-SG cluster, customers instantly eliminate any single points of failure. It’s worth noting that CC-SG primary units have an extremely high availability rate and the backup is rarely used.
Conversely, hub & spoke solutions often need to utilize a load balancing switch to help improve performance. In such a configuration, however, the load balancer is a single point of failure because it serves as a “front end” to the hub & spokes that all traffic must travel through first. A CC-SG Neighborhood does not require a “super-unit”, hub, or other single point of system management.
Lower TCO: A vast majority of CC-SG customers utilize a single cluster solution, which supports access to several thousand target devices by dozens, and sometimes hundreds, of users, depending on the types of tasks performed. When a Neighborhood is deemed to be a good fit, there is often no need to expand past two primary units for maximum performance.
The typical hub & spoke configuration consists of three or more servers. More spokes mean more licensing and warranty costs, more cost of administration, more rack space, more network cabling and more power consumption.
Appliance pricing, licensing and maintenance models are more straightforward and simple. They’re also more cost-effective. In a cluster, for example, because only one unit at a time is being used to access IT resources, only a single license fee is charged. This saves customers thousands of dollars relative to the typical hub & spoke solution, which requires duplicate licenses for each server.
To summarize, compared to a more complex hub & spoke approach, which can require significant management overhead of multiple third-party servers, constant database synchronization and complex licensing, appliances use a straightforward failover and expansion approach. Licensing is straightforward when compared to the often confusing array of licensing options needed to cover a variety of hub/spoke combinations. As a result, a typical appliance-based solution costs thousands less than a hub & spoke deployment.