Post on 27-Dec-2015
Layer 4-7 Application Switches in the Data Centre and beyond
High Availability, Security, Scalability and Business Continuity for Critical Applications
December 2004 © 2004 Foundry Networks, Inc. Foundry Networks Confidential and Proprietary
Agenda
• Application Challenges and Solutions
• Server Farm and Application Security
• Layer 4-7 Security Switches
• Q&A
Key Challenges of Business Critical Applications and Server Farms
• High Availability
  – Resource Down Implies Service Down – Tight Linkage to Service Availability
  – Poor Recovery and Fault Tolerance from Traditional Clustering
  – No Service Resilience During Disasters – Need for Datacenter Redundancy
• Security
  – Increasing Threat from Sophisticated and High-Speed Attacks
  – Minimal Security Built into Traditional Servers and Applications
• Scalability and Performance
  – Scalability Requires Massive Servers and Forklift Upgrades
  – Sub-Optimal Resource Utilization and Poor Service Response Time
  – Performance and Bandwidth Bottlenecks for SSL-Enabled Web Applications
• Manageability
  – Application and Server Proliferation Contributes to Complexity
  – Operational Changes Disruptive to Service
The New Datacenter – High Performance Application Switching with Web Acceleration
[Diagram: Internet and Intranet Users, Mobile and Wireless Users and Web Browsers reach the Web Servers, FTP, E-Mail Servers, Financial App Servers and Data Storage and Database through Layer 4-7 Application Switches, with SSL Accelerators, Bandwidth Optimizers and Web Caches alongside, and DoS Attack Prevention at the front]
• Superior Application Switching, Security Performance and Scalability
• On-Demand and Scalable Web Acceleration and Optimization
• Transparent High Performance Web and Non-Web Application Switching
• Investment Protection for Servers and Layer 4-7 Switches
Key Features and Benefits
• Efficient Load Balancing
• Granular Server and Application Health Checking
• Advanced Content Switching – URL, Cookies, SSL ID, HTTP Header, XML, Others
• Graceful Shutdown and Slow Start for Server Management
• Server Connection Offload with HTTP Persistent Connections
• Transparent Support for any IP Application – TCP, UDP, Others
• High Availability Load Balancing with Rapid Stateful Failover
• Inbound or Outbound Caches
[Diagram: Virtual Application Infrastructure – a Layer 4-7 Switch performs Application Switching in front of a Server Farm running Financial Apps, ERP Apps and Web Apps; when a Health Check Fails the server is Transparently Removed from the Available Pool, and a New Server can be Added to the Pool]
SSL and Web Accelerators
• Dedicated Accelerators Co-Deployed with Application Switches or Embedded within them
• SSL Acceleration and Termination
• Layer 7 Persistence for SSL Traffic
• Transparent HTTP Compression
• Centralized Certificate Management
• Accelerator Scalability with Load Balancing and Failover
• Protection against Accelerator Failures – Rapid Failover and Automatic Failure Detection
[Diagram: Virtual Application Infrastructure – Application Switches perform Application Switching for a Server Farm running Web Apps, Financial Apps and ERP Apps, with SSL Accelerators attached to the switches]
Global Server Load Balancing (GSLB)
• Geographic Scalability for Critical Applications
• Multi-Site Redundancy and Disaster Recovery
• Optimized Performance and End-User Response Time by Localizing Traffic
• Transparently Leverage Existing DNS
• Select Best Site for User Based on a Range of GSLB Policies
• Direct Users to the Selected Site by Returning Site IP in DNS Response
• Re-Direct Users to Available Sites
[Diagram: User Groups resolve names through LDNS #1 and LDNS #2; the ADNS Server with the GSLB Controller receives site status from the Application Switches in Datacenter #1 and Datacenter #2 (each with its Real Servers) using the GSLB Protocol and returns the chosen site's address; numbered steps 1-5 of the exchange are not recoverable from the extraction]
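The site-selection step described above, as an added example that is not Foundry's code: a small GSLB-aware DNS answer path where the policy order (health and capacity, client region, measured RTT to the client's LDNS, then least load) and the two constructed datacenters are assumptions for this illustration, not the ServerIron policy set.

```python
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    vip: str                 # address the ADNS hands out for this site
    region: str
    healthy: bool = True     # health reported by the site's application switch over the GSLB protocol
    sessions: int = 0        # current load reported by the same switch
    capacity: int = 1
    rtt_ms: dict = field(default_factory=dict)   # measured RTT to each known LDNS address


def pick_site(sites, ldns_ip, ldns_region):
    """Ordered policy chain (assumed for this example): health and capacity, then the
    client's region, then lowest measured RTT to its LDNS, then least loaded site."""
    candidates = [s for s in sites if s.healthy and s.sessions < s.capacity]
    if not candidates:
        return None                                   # every site is down: nothing to hand out
    local = [s for s in candidates if s.region == ldns_region]
    if local:
        candidates = local
    measured = [s for s in candidates if ldns_ip in s.rtt_ms]
    if measured:
        best = min(s.rtt_ms[ldns_ip] for s in measured)
        candidates = [s for s in measured if s.rtt_ms[ldns_ip] == best]
    return min(candidates, key=lambda s: s.sessions / s.capacity)


def answer_query(sites, qname, ldns_ip, ldns_region, ttl=10):
    """Build the A record the GSLB-aware ADNS returns; the short TTL keeps failover prompt."""
    site = pick_site(sites, ldns_ip, ldns_region)
    if site is None:
        return None
    return {"name": qname, "type": "A", "ttl": ttl, "data": site.vip, "site": site.name}


def sample_sites():
    """Constructed data for the two datacenters in the slide's diagram."""
    return [
        Site("Datacenter #1", "192.0.2.10", "NA", sessions=300, capacity=1000,
             rtt_ms={"198.51.100.53": 20, "203.0.113.53": 110}),
        Site("Datacenter #2", "192.0.2.20", "EU", sessions=100, capacity=1000,
             rtt_ms={"198.51.100.53": 95, "203.0.113.53": 15}),
    ]
```

Marking Datacenter #2 unhealthy makes the same EU query resolve to Datacenter #1, which is the "Re-Direct Users to Available Sites" behaviour the slide lists.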
Multi-Site Redundancy with Intelligent Routing Based Global Load Balancing
• Direct User Requests to the Nearest Available Site
• Primary/Backup Datacenter Operation with Automatic Site Failover
• Totally Transparent (Leverages Standards-Based Routing Protocols)
• Optimized Performance and End-User Response by Localizing Traffic
• Rapid Service Restoration During Datacenter Failures
[Diagram: Users reach the Primary Datacenter (Application Switches, Critical Applications) and the Disaster Recovery Site (Application Switches, Critical Applications) over the Internet / Extranet; a Health Monitor at each site detects a Disaster and traffic is rerouted to the surviving site]
ISP Link Load Balancing (LLB)
• Utilize all available ISP links simultaneously
• Intelligently balance traffic to achieve optimal utilization
• Gain leverage for price and service
• Aggregate low-capacity links to create “fat” virtual links
[Diagram: the Enterprise Network connects through a Load Balancer to Router #1, Router #2 and Router #3, which reach the Internet via ISP1, ISP2 and ISP3 respectively]
Agenda – Server Farm and Application Security
New Security Requirements for Emerging Threats
• Application Level Threats are the New Menace
  – Denial of Service Attacks (@ Wire-Speed Gigabit Rates)
  – Viruses, Worms, Illegal Content Spreading via Application Messages
  – Application Resource Abuse
  – E-Mail SPAM
• Key Challenges to Defeating these Threats
  – Host-Based Approaches are Inadequate and Poor to Scale
  – Traditional Network Security is NOT Application Aware
  – Traditional Firewalls Not Designed for High-Performance Protection
  – Lack of Visibility into the Network
• Layer of Defense for Server Farm and Applications Required
  – Purpose-Built Layer 4-7 Application Switches Provide this Defense
Protection from Attack for Server Farms and Applications
[Diagram: a Legitimate Client's Legitimate Traffic crosses the IP Network and the Application Switch to the Mission-Critical Application Servers of the Virtual Application Infrastructure, while a Hacker's Multi-Gigabit Rate Denial of Service Attack arriving over the IP Network is dropped at the switch as Blocked Application Messages]
• Denial of Service Attack Protection with SYN-Guard
• Application Level Rate Limiting of Server and Client Connections
• SPAM Protection and Mitigation with Spam-Def
• Always-On sFlow Traffic Monitoring
• Virus and Worm Protection with Content Inspection and Filtering
• High Performance ACL and NAT
• Peak Application Performance while Under Attack
Hardware based Security – Peak Application Performance Under Attack
High-Performance SYN and ACK DoS Attack Protection Using SYN Cookies
• ServerIron's Connection Proxy and Smart SYN-Cookie Protects Against TCP ACK Attacks
• Offers Firewall Protection when Deployed in Front of Firewalls
• Protects against SYN and ACK Flood Attacks
[Diagram: two handshakes through the Application Switch, which Protects the Servers (Server A, Server B) from Attack.
Good Client (C1): 1. TCP SYN → 2. TCP SYN ACK – Special SEQ ← 3. TCP ACK – Special SEQ → 4. Complete TCP Connection to the server.
Bad Client (C2): 1. TCP SYN → 2. TCP SYN ACK – Special SEQ ← 3. BAD TCP ACK – Special SEQ → NO TCP Connection.]
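The "special SEQ" exchange above, as an added example that is not Foundry's code and not the ServerIron cookie format: a simplified SYN cookie in the style of the classic scheme, where the SYN-ACK sequence number commits to the 4-tuple, a time slot and an MSS index under a keyed MAC, so the switch keeps no state until a valid ACK arrives. The secret, slot size and MSS table are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical per-device secret; a real switch generates and rotates its own.
SECRET = secrets.token_bytes(32)
# Only a few MSS values are encoded, so the choice fits in 3 bits of the cookie.
MSS_TABLE = [536, 1220, 1440, 1460]
SLOT_SECONDS = 64  # a cookie is only honoured for the current and the previous slot


def _mac(saddr, daddr, sport, dport, count):
    """24-bit keyed MAC over the 4-tuple and time slot: the only thing the cookie commits to."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now=None):
    """Compute the 'special SEQ' for the SYN-ACK without allocating any connection state."""
    count = int((time.time() if now is None else now) // SLOT_SECONDS)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):   # largest table entry not above the client's MSS
        if m <= mss:
            mss_idx = i
    # 5 bits of time slot | 3 bits of MSS index | 24-bit MAC, then offset by the client's ISN
    cookie = ((count & 0x1F) << 27) | (mss_idx << 24) | _mac(saddr, daddr, sport, dport, count)
    return (cookie + client_isn) & 0xFFFFFFFF


def check_ack(saddr, daddr, sport, dport, client_isn, ack, now=None):
    """Validate the client's ACK; return the negotiated MSS, or None for a bad or stale ACK."""
    cookie = (ack - 1 - client_isn) & 0xFFFFFFFF
    slot, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    cur = int((time.time() if now is None else now) // SLOT_SECONDS)
    for count in (cur, cur - 1):  # tolerate one slot boundary crossing during the handshake
        if (count & 0x1F) == slot and _mac(saddr, daddr, sport, dport, count) == mac:
            return MSS_TABLE[mss_idx]
    return None  # nothing was allocated for this SYN, so a flood of bad ACKs costs only a MAC
```

Only a client that echoes the exact value back (the good client's step 3) gets a server connection; a forged or replayed ACK, or one that arrives after the slot window, is dropped without the switch ever having held state for it.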
Network-Based SPAM Prevention and Mitigation is the New Emerging Trend
• Goal: Block as Much SPAM as Possible @ the Network
  – Minimizes Scope of the Problem by Substantially Reducing SPAM
  – Makes the Problem Manageable with Reasonable Resources at the Host Level
• Key Requirements: Dynamic Policy Enforcement
  – SPAM Lists Could Run into Millions – Scalability is Critical
  – Lists are Subject to Change – Frequent Download
  – No Open Windows of Opportunity for Spammers
• Scalability and High Availability of Content Solutions
  – Host-Based Solutions will Always be Necessary
  – Targeted Processing Critical to Scale and not go Bankrupt
  – Intelligent Switching and Load Balancing Brings Sanity
Agenda – Layer 4-7 Security Switches
Security Market Needs and Trends
• Network Perimeter as we knew it is Disappearing
  – Mobility, Convergence, Remote Access, Growing Internal Threats
  – Need for Security Everywhere in the Network
• Well Established and Agreed Role of Network to Deliver Security
  – Organizations are Gravitating Towards Network-Based Security Solutions
  – Protection for Infrastructure, Services, Critical Resources
• Moving Beyond the Firewall Without Giving Up on Firewalls
  – Enterprises Endorse the Need for Solutions that Augment Firewalls
  – Firewall Market is STRONG, but Layer 7 Security is Growing Rapidly
• Emerging Vision/Trend of Network-Wide Security is Catching On
  – Network Integration is Seen as Inevitable and Required
  – Solutions that Promote Incremental Steps are Needed
• Growing Attacks and Threats in Content and Service Provider Infrastructure – These Customers Can't Rely on Firewalls
Secure Network Architecture Using Layer 4-7 Security Switches
[Diagram: Internet – Security Traffic Manager (Perimeter Security) – Security Traffic Manager (In-Line Inside LAN Protection) – Secure LAN Switch (Direct Desktop Protection) with Network Admission Control Agents on the Desktops and a NAC Server / Radius; a Secure LAN Switch (Server Farm Protection) sits in front of the Web & Application Servers; sFlow from the switches feeds an Anomaly Based IPS (External Collector, Analyzer, External Closed-Loop Interface) and the Network Manager, which performs Edge Port Remediation]
Component roles:
• Secure LAN Switch – Wire Speed LAN Switching Security: L2/L4 DoS Attack Prevention; Port, CPU, VLAN, & Rogue Protection
• Security Traffic Manager and LAN Switch – Signature based IPS and More; Edge, Aggregation, and Perimeter
• sFlow based Anomaly IPS Solution – Zero-Day Solution; Interface to Network Mgmt. for Remediation
• Application Security and Protection – Web and URL Security; Network-based SPAM, DNS and VoIP Security
Application Switch as Firewall Front End
• Most Firewalls DO NOT:
  – Provide Robust and High Performance DoS Protection
  – Offer Wire-Speed ACLs
  – Perform Deep Packet Inspection
  – Offer High Performance Stateful NAT
  – Deliver Application Specific Security
• Some Firewall Vendors Position L7 Intrusion Devices Behind the Firewalls
• Security Switch Fits In Front of Firewalls to Offload and Augment
  – Delivers Wire-Speed L2/3 and Multi-Gigabit L4-7 Security
[Diagram: WAN – In-Line Security Switch – Traditional Firewall (Perimeter) – Enterprise Core]
Security Switches Inside the Enterprise LAN – Distribution Layer
• PC-based alternative: Poor Performance and Steep Price for Minimal Features, and a PC Inside the Network
• L4-7 Security Switch: Superior Performance, Switch Architecture, Total Security Features at Attractive LAN Switch Pricing
• Position it as Internal Firewall in the Enterprise Network Aggregation Layer – Against Likes of CheckPoint InterSpect
• SecureIron Traffic Manager Provides High Density Gigabit Aggregation and 10 Gigabit Network Connectivity
Augment with sFlow for Network-Wide Wire-Speed Visibility
• Statistical Sampling Delivers Visibility to All Traffic Flows Throughout the Network
  – Layer 2 through 7 visibility and analysis
• Scales with Network Size and Speeds with no Performance Impact
  – Technology must be able to Scale to GbE and 10 GbE rates
• Embedded implementations available today – Free!
Agenda – Q&A