Xerox evens loads, protects with one device

  • Tim Greene (Network World (US online))
  • 19 June, 2006 11:57

The hosting arm of Xerox has found a way to save money by switching from multiple brands of firewall to a single vendor whose gear also supports other functions, enabling the provider to eliminate separate network devices and their separate management consoles.

Based on Xerox's return-on-investment calculations, the Stonesoft firewalls paid for themselves in just over a year when used only as firewalls. But when adding their VPN, content switching and multi-link WAN load-balancing capabilities -- which were not considered when the gear was bought -- the devices have generated more savings, according to Denys Foley, the infrastructure manager for Xerox Global Services in Rochester, N.Y.

"We spend less time setting up VPNs and their policies," he says. "I have also taken my content switches out of the Web farm, and I let the firewalls handle distributing the load among Web servers. I get rid of licenses and training, and I can manage all [these functions] from one console."

Xerox Global Services hosts data for other companies at its data centers in Rochester and in Charlotte, N.C., and requires high-availability links to its customers. That includes high availability for the firewalls that protect the connections, Foley says. So, four years ago, using firewalls from Check Point, Cisco and Network Associates, the company sought separate clustering software to bind multiple firewalls together.

In the course of that search, Foley came across Stonesoft, which makes StoneBeat clustering software for Check Point firewalls, and learned that the company's StoneGate firewalls included clustering as a standard feature, so he gave one a try. He liked it and over the past three years has replaced all but two of his old firewalls at Xerox's 20 sites with StoneGates.

"I think the thing that caught our eye more than anything was the management console and the ability to cluster," he says.

The big push for clustering was so that if one firewall failed, another would automatically assume its role, making protection reliable enough that Xerox didn't need second- and third-shift firewall administrators on hand in case something went wrong. "Staffing at second shift was three people; after midnight the third shift was one or two," Foley says. "We no longer needed them. The cost of this type of people was very high compared to putting in clustered firewalls."

The firewall management platform generated more savings. Xerox Global Services provides firewall protection for other Xerox divisions, and StoneGate's management software allows system administrators from those divisions to view the logs for their firewalls when they troubleshoot network problems.

"Now they have access to their own firewall logs, so they look at that and can see their traffic is leaving the network," Foley says. "That has cut down on the phone calls and trouble tickets. Before, we first had to prove the problem wasn't the firewall, so now I save a lot of money on all my Xerox sites."

The single firewall brand also reduces training costs because IT staff has to train on just one platform rather than three, as was the case before. And now everyone on the staff can handle any firewall because there is only one brand. "Before, some of my people could handle one of them. Some could do two. I think I had only one that could do all three," he says.

Since turning on the StoneGate firewalls, Xerox has also enabled StoneGate software that balances traffic between the firewalls and the servers they protect, eliminating the need for a Cisco Local Director device that pools the resources of servers so they are used efficiently. "I've eliminated some of [the Directors] that needed to be upgraded, and a pair of them is US$50,000 nowadays," Foley says.

Xerox also uses StoneGate's Multi-Link technology that binds together individual WAN connections into a single logical connection. If one connection fails, the device continues to bond the rest into the largest possible connection. In Xerox's case, redundant 45Mbps connections from a customer site in Los Angeles connect to the Xerox Rochester data center. "I use all 90Mbps bandwidth if I need it," he says.

Once, when one of these connections failed, traffic was maintained on the other without the customer knowing. Xerox was alerted to the failure, but the customer maintained contact with the data center, Foley says.

Many corporations are reluctant to put so much reliance on a single product or on the products of a single vendor. Foley says the combined functionality, consolidated management and the resultant cost savings override that concern, but there is a risk.

"You don't want to bet on somebody that just brought something out for the first time and may be a flash in the pan and disappear," he says. "But you don't always want to take the quick and easy road -- the number one vendor in a field -- just because everyone else does."