Why Untangle NG Firewall and RAID don’t belong together

RAID stands for redundant array of independent disks.  It is a widely used technique to preserve system integrity in the event of a disk failure.  There are many levels and configurations.  And not a single one of them belongs in an Untangle NG Firewall server!

That’s bold!  Why?

Let’s start with the most obvious RAID type, a mirror.  If a system administrator deploys Untangle NG Firewall on a mirror, he’s got two choices: software RAID performed by the operating system, or hardware RAID performed by the hardware.

Software RAID is very appealing because the Debian Linux under the hood has direct support for it.  The only additional apparent cost is the hard disk and connecting cable.  You’ll note the use of the word apparent.  Configuring a software RAID during installation isn’t difficult, but it’s not trivial.  It does not come with the ability to perform e-mail or SMS notifications of a drive fault.  And, to make matters worse, in the event of a drive failure the system often fails anyway, requiring troubleshooting time and often direct intervention to bring the faulted system back online.  All this while operating under the huge assumption that the secondary drive was synced up properly and not damaged in the process.  Google won’t be very forthcoming about this reality; usually these lessons are learned the hard way.  And, because the solution is unique to the server that it’s installed on, the admin that created it is left alone to service it.  There can be no support from upstream vendors.  Untangle NG Firewall is no exception.

Hardware RAID solves most of the problems associated with software RAID.  A dedicated controller to manage drives abstracts the physical devices away from the OS, and usually provides a solid framework to ensure the server will actually stay in operation when a drive faults.  These systems also generally have an easy-to-use administrative interface for configuration, which supports notifications of failure, easy remediation options, everything an admin needs to administer his server.  The problem?  They’re expensive, at least $300 to get a card that does the job right.  So including the cost of an extra drive, you’re looking at somewhere north of $400 for a RAID solution that will function properly with a Linux-based platform, Untangle NG Firewall included.

But why doesn’t it belong in Untangle NG Firewall?  Untangle NG Firewall is a critical piece of my network hardware, so why wouldn’t I want to protect it from failure?  The answers to these questions require the administrator to take a step back and examine his goals for the Untangle NG Firewall platform.  First, what is Untangle NG Firewall?  It’s a bridge- or router-based UTM, sometimes both.  Second, if Untangle NG Firewall should fail, how do I want to react?  Third, how important are the filtration features of my Untangle NG Firewall UTM?  Once these questions are answered, a clearer picture can be drawn of a more realistic path forward.

If Untangle NG Firewall is deployed as a bridge, and the filtration features of Untangle NG Firewall are considered secondary to network uptime, the best solution is a hardware bypass network interface, such as the one present in NG-50 and larger NG servers.  These bypass interfaces will fault open, passing traffic straight through without filtering, in the event of a software or hardware malfunction.  They require only power from the network devices on either side of the Untangle NG Firewall bridge to operate.  In the event of a hardware or software failure, network connectivity is restored in less than 1 minute, leaving the administrator to manage the faulted Untangle NG Firewall server according to his schedule.

If Untangle NG Firewall is deployed as a router, the use of VRRP is best.  This allows for deployment of a second Untangle NG Firewall server, with replicated configuration details, to take over in the event the primary server faults.  This configuration not only protects the server from disk faults, but from mainboard and power faults as well.  It’s a network appliance!  Treat it like one!

Now that we’ve established easy ways to maintain network uptime, let’s address the specific issue of drive faults once again to bring this all together.  Remember the cost of a RAID upgrade for an Untangle NG Firewall server?  Assume the $400 solution, and technical time that costs the enterprise $100 / hour.  The solution would need to save the enterprise four hours of technical time to break even.  Given the general failure rate of rotational storage at 3 years, that’s four drive faults, or twelve years to pay for itself.  If a cold spare server is out of the budget, simply get a cold spare hard disk.  All NG servers utilize a standard 2.5in SATA hard disk, just like most laptops.

But you can’t possibly rebuild an Untangle NG Firewall server in an hour?  Yes, you can!  The Untangle NG Firewall complete subscription comes with a Live Backup feature.  This feature replicates the server’s configuration to the Untangle NG Firewall datacenter, and places it within your Untangle NG Firewall store account as frequently as is required to keep a current configuration online.  In the event of a drive failure, an administrator simply needs to swap the drive, reinstall Untangle NG Firewall, and restore the backup.  This process is further accelerated by our NG Recovery System, which can pull a ready-to-use Untangle NG Firewall installation in less than twenty minutes.  And it works this magic without the need for external installation media; the software is built in!  Swap the drive, reimage, restore.  We’ve assisted administrators through this process in less than an hour the first time through.

RAID is there to save the enterprise from the expense of a massive restore and rebuild operation associated with complex production servers.  Untangle NG Firewall simply doesn’t require this.  Keep your network online, don’t waste money, and stay out of the data closet after hours. 

Skip the RAID, use your head, get Nexgen Appliances hardware with built-in recovery.