
Layer 4-7 Application Switches in the Data Centre and beyond

High Availability, Security, Scalability and Business Continuity for Critical Applications

December 2004 © 2004 Foundry Networks, Inc. Foundry Networks Confidential and Proprietary

Agenda

• Application Challenges and Solutions

• Server Farm and Application Security

• Layer 4-7 Security Switches

• Q&A


Key Challenges of Business Critical Applications and Server Farms

• High Availability
  – Resource Down Implies Service Down – Tight Linkage to Service Availability
  – Poor Recovery and Fault Tolerance from Traditional Clustering
  – No Service Resilience During Disasters – Need for Datacenter Redundancy

• Security
  – Increasing Threat from Sophisticated and High-Speed Attacks
  – Minimal Security Built into Traditional Servers and Applications

• Scalability and Performance
  – Scalability Requires Massive Servers and Forklift Upgrades
  – Sub-Optimal Resource Utilization and Poor Service Response Time
  – Performance and Bandwidth Bottlenecks for SSL-Enabled Web Applications

• Manageability
  – Application and Server Proliferation Contributes to Complexity
  – Operational Changes Disruptive to Service


The New Datacenter – High Performance Application Switching with Web Acceleration

[Figure: datacenter diagram – Internet and Intranet Users, Mobile and Wireless Users and Web Browsers; Layer 4-7 Application Switches with DoS Attack Prevention; SSL Accelerators, Bandwidth Optimizers and Web Caches; FTP, Web Servers, E-Mail Servers, Financial App Servers, Data Storage and Database]

• Superior Application Switching, Security Performance and Scalability

• On-Demand and Scalable Web Acceleration and Optimization

• Transparent High Performance Web and Non-Web Application Switching

• Investment Protection for Servers and Layer 4-7 Switches


Key Features and Benefits

• Efficient Load Balancing

• Granular Server and Application Health Checking

• Advanced Content Switching – URL, Cookies, SSL ID, HTTP Header, XML, Others

• Graceful Shutdown and Slow Start for Server Management

• Server Connection Offload with HTTP Persistent Connections

• Transparent Support for any IP Application – TCP, UDP, Others

• High Availability Load Balancing with Rapid Stateful Failover

• Inbound or Outbound Caches

[Figure: Virtual Application Infrastructure – a Layer 4-7 Switch performing Application Switching in front of a Server Farm of Financial Apps, ERP Apps and Web Apps; when a Health Check Fails the server is transparently removed from the available pool, and a new server can be added to the pool]
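The health checking, graceful shutdown and slow start behaviour listed above, as an added Python example (not Foundry code, and not how a ServerIron implements these features): a toy pool that pulls a real server after repeated failed probes, re-admits it at a small weight that ramps up, admits a newly added server the same way, and drains a server so it takes no new connections while existing ones finish. The probe callable, the thresholds and the server names are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class RealServer:
    """One back-end server in the pool (constructed sample, not a real API)."""
    name: str
    max_weight: int = 10      # share of new connections once fully warmed up
    weight: int = 10          # effective weight; ramps from 1 during slow start
    healthy: bool = True
    draining: bool = False    # graceful shutdown: no new connections, keep existing
    active: int = 0           # connections currently open on this server
    failures: int = 0         # consecutive failed health checks


class ServerPool:
    """Toy load-balancer pool with health checking, slow start and drain."""

    def __init__(self, servers, fail_threshold=3, ramp_step=2):
        self.servers = list(servers)
        self.fail_threshold = fail_threshold   # misses before the server is pulled
        self.ramp_step = ramp_step             # weight added per passed check

    def available(self):
        """Servers eligible for new connections."""
        return [s for s in self.servers
                if s.healthy and not s.draining and s.weight > 0]

    def run_health_check(self, probe):
        """probe(server) -> bool. Pull a server after fail_threshold consecutive
        misses; when it answers again, re-admit it at weight 1 and ramp up."""
        for s in self.servers:
            if probe(s):
                s.failures = 0
                if not s.healthy:
                    s.healthy = True
                    s.weight = 1                       # slow start on return
                else:
                    s.weight = min(s.max_weight, s.weight + self.ramp_step)
            else:
                s.failures += 1
                if s.failures >= self.fail_threshold:
                    s.healthy = False                  # transparently removed
                    s.weight = 0

    def pick(self):
        """Send a new connection to the available server with the most
        headroom (weight minus open connections); None if the pool is empty."""
        pool = self.available()
        if not pool:
            return None
        s = max(pool, key=lambda x: x.weight - x.active)
        s.active += 1
        return s

    def release(self, s):
        """A connection on s finished."""
        s.active = max(0, s.active - 1)

    def add_server(self, s):
        """Add a server to the pool; it starts with minimal weight (slow start)."""
        s.weight = 1
        self.servers.append(s)

    def drain(self, name):
        """Graceful shutdown: stop sending new connections, keep existing ones."""
        for s in self.servers:
            if s.name == name:
                s.draining = True


if __name__ == "__main__":
    pool = ServerPool([RealServer("web1"), RealServer("web2")])
    down = {"web2"}
    for _ in range(3):
        pool.run_health_check(lambda s: s.name not in down)
    print([s.name for s in pool.available()])   # web2 has been pulled
```

The slow-start ramp matters operationally: a server that has just come back (or just been added) has cold caches and empty connection pools, so sending it a full share of traffic at once is the quickest way to make it fail its next health check.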


SSL and Web Accelerators

• Dedicated Accelerators Co-Deployed with Application Switches or Embedded within them

• SSL Acceleration and Termination

• Layer 7 Persistence for SSL Traffic

• Transparent HTTP Compression

• Centralized Certificate Management

• Accelerator Scalability with Load Balancing and Failover

• Protection against Accelerator Failures – Rapid Failover and Automatic Failure Detection

[Figure: Virtual Application Infrastructure – Application Switches performing Application Switching for a Server Farm of Web Apps, Email, Financial Apps and ERP Apps, with SSL Accelerators alongside]


Global Server Load Balancing (GSLB)

• Geographic Scalability for Critical Applications

• Multi-Site Redundancy and Disaster Recovery

• Optimized Performance and End-User Response Time by Localizing Traffic

• Transparently Leverage Existing DNS

• Select Best Site for User Based on a Range of GSLB Policies

• Direct Users to the Selected Site by Returning Site IP in DNS Response

• Re-Direct Users to Available Sites

[Figure: a GSLB Controller with an ADNS Server, and Application Switches using the GSLB Protocol at Datacenter #1 and Datacenter #2, each with Real Servers; two User Groups resolve through LDNS #1 and LDNS #2, with numbered steps 1–5 showing the DNS exchange]
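The DNS-based site selection described above, as an added Python example (not Foundry's GSLB protocol or code): the controller drops sites reported down, prefers a site in the querying LDNS's region, then the least loaded site, and answers the A record with a short TTL so resolvers re-ask and users are redirected once a site fails. Site names, VIPs, regions, the policy order and the 5% load band are assumptions made for the example.

```python
from dataclasses import dataclass
from itertools import count


@dataclass
class Site:
    """One datacenter as the GSLB controller sees it (constructed sample)."""
    name: str
    vip: str                # virtual IP of the site's application switch
    region: str             # coarse location used for the proximity policy
    healthy: bool = True    # reported by the site's application switches
    load: float = 0.0       # fraction of site capacity in use, 0.0 .. 1.0


class GslbController:
    """Answers authoritative DNS queries with the IP of the best available site."""

    def __init__(self, sites, ttl=30):
        self.sites = list(sites)
        self.ttl = ttl          # short TTL so resolvers re-ask after a failover
        self._rr = count()      # round-robin tie-breaker

    def update(self, name, healthy=None, load=None):
        """Health/load report from a site's application switches."""
        for s in self.sites:
            if s.name == name:
                if healthy is not None:
                    s.healthy = healthy
                if load is not None:
                    s.load = load

    def select(self, ldns_region):
        """Apply the policies in order: health, proximity, load, round robin."""
        up = [s for s in self.sites if s.healthy]
        if not up:
            return None
        local = [s for s in up if s.region == ldns_region]
        pool = local or up                                   # nearest available site
        best = min(s.load for s in pool)
        pool = [s for s in pool if s.load - best < 0.05]     # least loaded (5% band)
        return pool[next(self._rr) % len(pool)]              # spread the ties

    def answer(self, qname, ldns_region):
        """Build the DNS reply for the LDNS that asked (its region is assumed known)."""
        site = self.select(ldns_region)
        if site is None:
            return {"qname": qname, "rcode": "SERVFAIL"}
        return {"qname": qname, "type": "A", "ttl": self.ttl,
                "data": site.vip, "site": site.name}


if __name__ == "__main__":
    g = GslbController([Site("dc1", "198.51.100.10", "us", load=0.3),
                        Site("dc2", "203.0.113.10", "eu", load=0.6)])
    print(g.answer("app.example.com", "eu"))     # local site dc2
    g.update("dc2", healthy=False)               # datacenter #2 fails
    print(g.answer("app.example.com", "eu"))     # users redirected to dc1
```

The TTL is the security-relevant knob here: failover is only as fast as the longest TTL still cached in the resolvers between the user and the ADNS, so a site outage with a one-hour TTL keeps sending users to a dead VIP long after the GSLB controller has stopped advertising it.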


Multi-Site Redundancy with Intelligent Routing Based Global Load Balancing

• Direct User Requests to the Nearest Available Site

• Primary/Backup Datacenter Operation with Automatic Site Failover

• Totally Transparent (Leverages Standards-Based Routing Protocols)

• Optimized Performance and End-User Response by Localizing Traffic

• Rapid Service Restoration During Datacenter Failures

[Figure: Users on the Internet / Extranet reach Critical Applications behind Application Switches at the Primary Datacenter; a Disaster Recovery Site holds the same Critical Applications and Application Switches, and a Health Monitor at each site detects a Disaster]


ISP Link Load Balancing (LLB)

• Utilize all available ISP links simultaneously

• Intelligently balance traffic to achieve optimal utilization

• Gain leverage for price and service

• Aggregate low-capacity links to create “fat” virtual links

[Figure: an Enterprise Network Load Balancer in front of Router #1, Router #2 and Router #3, which reach the Internet through ISP1, ISP2 and ISP3]


Agenda

• Application Challenges and Solutions

• Server Farm and Application Security

• Layer 4-7 Security Switches

• Q&A


New Security Requirements for Emerging Threats

• Application Level Threats are the New Menace
  – Denial of Service Attacks (@ Wire-Speed Gigabit Rates)
  – Viruses, Worms, Illegal Content Spreading via Application Messages
  – Application Resource Abuse
  – E-Mail SPAM

• Key Challenges to Defeating these Threats
  – Host-Based Approaches are Inadequate and Poor to Scale
  – Traditional Network Security is NOT Application Aware
  – Traditional Firewalls Not Designed for High-Performance Protection
  – Lack of Visibility into the Network

• Layer of Defense for Server Farm and Applications Required
  – Purpose-Built Layer 4-7 Application Switches Provide this Defense


Protection from Attack for Server Farms and Applications

[Figure: a Legitimate Client's Legitimate Traffic passes through the Application Switch over the IP Network to the Mission-Critical Application Servers of the Virtual Application Infrastructure, while a Hacker's Multi-Gigabit Rate Denial of Service Attack is stopped as Blocked Application Messages]

• Denial of Service Attack Protection with SYN-Guard

• Application Level Rate Limiting of Server and Client Connections

• SPAM Protection and Mitigation with Spam-Def

• Always-On sFlow Traffic Monitoring

• Virus and Worm Protection with Content Inspection and Filtering

• High Performance ACL and NAT

• Peak Application Performance while Under Attack

Hardware based Security – Peak Application Performance Under Attack


High-Performance SYN and ACK DoS Attack Protection Using SYN Cookies

• ServerIron’s Connection Proxy and Smart SYN-Cookie Protects Against TCP ACK Attacks

• Offers Firewall Protection when Deployed in Front of Firewalls

• Protects against SYN and ACK Flood Attacks

[Figure: SYN-cookie handshake. A Good Client sends TCP SYN (1); the Application Switch answers TCP SYN ACK with a Special SEQ (2); the client returns TCP ACK with the matching Special SEQ (3); only then is a complete TCP connection opened to Server A or Server B (4). A Bad Client sends TCP SYN (1), receives TCP SYN ACK with a Special SEQ (2) and returns a BAD TCP ACK (3), so no TCP connection is made and the Application Switch protects the servers from the attack]
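The handshake in the figure, as an added Python example that is not Foundry's SYN-Guard implementation: the switch puts a keyed hash of the client's 4-tuple and a coarse timestamp into the SYN-ACK's sequence number (the "Special SEQ"), keeps no per-SYN state, and allocates a connection only for an ACK that echoes a valid, fresh cookie. The segment layout, the tick clock, the MSS table and the two-tick acceptance window are assumptions made for the example.

```python
import hashlib
import hmac
import os
from collections import namedtuple

# Constructed segment shape for the example; not a TCP parser.
Segment = namedtuple("Segment", "src_ip src_port dst_ip dst_port seq ack flags")

MSS_TABLE = (536, 1220, 1440, 1460)   # MSS choices encodable in the cookie's 3-bit field
COOKIE_WINDOW = 2                     # accept cookies minted up to 2 clock ticks ago


class SynCookieProxy:
    """Connection proxy that answers SYNs statelessly with a cookie as SEQ."""

    def __init__(self, clock, secret=None):
        self.clock = clock                      # returns an integer tick (e.g. minutes)
        self.secret = secret or os.urandom(16)  # per-device secret; rotate in practice
        self.established = []                   # state exists only after a valid ACK

    @staticmethod
    def _four_tuple(seg):
        return (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)

    def _keyed_hash(self, four_tuple, tick):
        msg = f"{four_tuple}:{tick}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")   # 24-bit keyed hash

    def _mint(self, four_tuple, client_isn, mss_idx, tick):
        """Cookie layout: 5 bits tick | 3 bits MSS index | 24 bits hash+ISN."""
        low = (self._keyed_hash(four_tuple, tick) + client_isn) & 0xFFFFFF
        return ((tick & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | low

    def on_syn(self, seg, mss_idx=3):
        """Reply to a SYN with a SYN-ACK whose SEQ is the cookie; keep no state."""
        cookie = self._mint(self._four_tuple(seg), seg.seq, mss_idx, self.clock())
        return Segment(seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port,
                       cookie, (seg.seq + 1) & 0xFFFFFFFF, "SA")

    def on_ack(self, seg):
        """Validate the echoed cookie; open the connection only if it checks out."""
        cookie = (seg.ack - 1) & 0xFFFFFFFF         # our SYN-ACK SEQ, acknowledged +1
        client_isn = (seg.seq - 1) & 0xFFFFFFFF     # the client's SEQ from its SYN
        tick_bits = (cookie >> 27) & 0x1F
        mss_idx = (cookie >> 24) & 0x7
        if mss_idx >= len(MSS_TABLE):
            return None
        now = self.clock()
        for age in range(COOKIE_WINDOW + 1):        # recover the full tick inside the window
            tick = now - age
            if (tick & 0x1F) != tick_bits:
                continue
            if self._mint(self._four_tuple(seg), client_isn, mss_idx, tick) == cookie:
                conn = {"client": (seg.src_ip, seg.src_port), "mss": MSS_TABLE[mss_idx]}
                self.established.append(conn)       # first state kept for this client
                return conn
        return None                                 # bad or stale ACK: no connection


if __name__ == "__main__":
    tick = [100]
    proxy = SynCookieProxy(lambda: tick[0], secret=b"example-secret")
    syn = Segment("10.0.0.5", 40000, "192.0.2.10", 80, 1000, 0, "S")
    synack = proxy.on_syn(syn)
    good = Segment("10.0.0.5", 40000, "192.0.2.10", 80, 1001, synack.seq + 1, "A")
    print(proxy.on_ack(good))                       # connection opened
    bad = Segment("10.0.0.6", 40001, "192.0.2.10", 80, 1, 123456, "A")
    print(proxy.on_ack(bad))                        # None: no state, no connection
```

This is why the slide can claim protection against both SYN and ACK floods: a SYN costs the switch one hash and one reply segment but no memory, and an ACK that was never preceded by a SYN-ACK (or that echoes a cookie for a different address, port or time) fails the recomputation and is dropped before any server sees it. The price is the usual SYN-cookie one: TCP options other than the MSS index cannot be recovered from the cookie.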


Network-Based SPAM Prevention and Mitigation is the New Emerging Trend

• Goal: Block as Much SPAM as Possible @ the Network
  – Minimizes Scope of the Problem by Substantially Reducing SPAM
  – Makes the Problem Manageable with Reasonable Resources at the Host Level

• Key Requirements: Dynamic Policy Enforcement
  – SPAM Lists Could Run into Millions – Scalability is Critical
  – Lists are Subject to Change – Frequent Download
  – No Open Windows of Opportunity for Spammers

• Scalability and High Availability of Content Solutions
  – Host-Based Solutions will Always be Necessary
  – Targeted Processing Critical to Scale and not go Bankrupt
  – Intelligent Switching and Load Balancing Brings Sanity


Agenda

• Application Challenges and Solutions

• Server Farm and Application Security

• Layer 4-7 Security Switches

• Q&A


Security Market Needs and Trends

• Network Perimeter as we knew it is Disappearing
  – Mobility, Convergence, Remote Access, Growing Internal Threats
  – Need for Security Everywhere in the Network

• Well Established and Agreed Role of Network to Deliver Security
  – Organizations are Gravitating Towards Network-Based Security Solutions
  – Protection for Infrastructure, Services, Critical Resources

• Moving Beyond the Firewall Without Giving Up on Firewalls
  – Enterprises Endorse the Need for Solutions that Augment Firewalls
  – Firewall Market is STRONG, but Layer 7 Security is Growing Rapidly

• Emerging Vision/Trend of Network-Wide Security is Catching On
  – Network Integration is Seen as Inevitable and Required
  – Solutions that Promote Incremental Steps are Needed

• Growing Attacks and Threats in Content and Service Provider Infrastructure – These Customers Can’t Rely on Firewalls


Secure Network Architecture Using Layer 4-7 Security Switches

[Figure: network diagram – Internet; Security Traffic Manager (Perimeter Security); Security Traffic Manager (In-Line Inside LAN Protection); Secure LAN Switch (Direct Desktop Protection) with Network Admission Control Agents on the Desktops and a NAC Server / Radius; Secure LAN Switch (Server Farm Protection) in front of Web & Application Servers; Anomaly Based IPS with External Collector, Analyzer and External Closed-Loop Interface, fed by sFlow from Switches, with Edge Port Remediation through the Network Manager]

• Wire Speed LAN Switching Security – L2/L4 DoS Attack Prevention – Port, CPU, VLAN, & Rogue Protection

• Security Traffic Mgr. and LAN Switch – Signature based IPS and More – Edge, Aggregation, and Perimeter

• sFlow based Anomaly IPS Solution – Zero-Day Solution – Interface to Network Mgmt. for Remediation

• Application Security and Protection – Web and URL Security – Network-based SPAM, DNS and VoIP Security


Application Switch as Firewall Front End

• Most Firewalls DO NOT
  – Provide Robust and High Performance DoS Protection
  – Offer Wire-Speed ACLs
  – Perform Deep Packet Inspection
  – Offer High Performance Stateful NAT
  – Deliver Application Specific Security

• Some Firewall Vendors Position L7 Intrusion Devices Behind the Firewalls

• Security Switch Fits In Front of Firewalls to Offload and Augment
  – Delivers Wire-Speed L2/3 and Multi-Gigabit L4-7 Security

[Figure: two Perimeter layouts between WAN and Enterprise Core – one with a Traditional Firewall, one with an In-Line Security Switch]


Security Switches Inside the Enterprise LAN – Distribution Layer

Poor Performance and Steep Price for Minimal Features, and PC Inside the Network

Superior Performance, Switch Architecture, Total Security Features at Attractive LAN Switch Pricing

L4-7 Security Switch

Position it as Internal Firewall in the Enterprise Network Aggregation Layer – Against Likes of CheckPoint InterSpect

SecureIron Traffic Manager Provides High Density Gigabit Aggregation and 10 Gigabit Network Connectivity


Augment with sFlow for Network-Wide Wire-Speed Visibility

• Statistical Sampling Delivers Visibility to All Traffic Flows Throughout the Network
  – Layer 2 through 7 visibility and analysis

• Scales with Network Size and Speeds with no Performance Impact
  – Technology must be able to Scale to GbE and 10 GbE rates

• Embedded implementations available today – Free!
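How packet sampling recovers network-wide traffic volumes, as an added Python example that is not Foundry's sFlow agent or any particular analyzer: a constructed packet stream containing one flooding source is sampled 1-in-N with a random skip, the per-source sample counts are scaled by the sampling ratio, and the analyzer flags the source whose estimated share exceeds a threshold; percent_error() is the sFlow.org rule of thumb for the 95% confidence error of a class seen in c samples. The traffic mix, addresses, sampling rate and threshold are assumptions made for the example.

```python
import random
from collections import Counter, namedtuple
from math import sqrt

Packet = namedtuple("Packet", "src dst length")


def build_stream(seed=7):
    """Constructed traffic mix: two normal hosts and one host flooding tiny packets."""
    pkts = [Packet("10.1.1.20", "192.0.2.10", 1200) for _ in range(2000)]
    pkts += [Packet("10.1.1.21", "192.0.2.10", 800) for _ in range(1000)]
    pkts += [Packet("203.0.113.7", "192.0.2.10", 60) for _ in range(7000)]
    random.Random(seed).shuffle(pkts)
    return pkts


def sflow_sample(stream, rate, seed=1):
    """1-in-`rate` packet sampling with a random skip, as an sFlow agent does.
    Returns (samples, pool) where pool is the number of packets the agent saw."""
    rng = random.Random(seed)
    samples, next_pick = [], rng.randrange(rate)
    for i, pkt in enumerate(stream):
        if i == next_pick:
            samples.append(pkt)
            next_pick += rng.randrange(1, 2 * rate)   # mean gap == rate
    return samples, len(stream)


def estimate_by_source(samples, pool):
    """Scale each source's sample count by pool/len(samples) to estimate its
    packet count on the wire. Returns src -> (samples_seen, estimated_packets)."""
    scale = pool / len(samples)
    counts = Counter(p.src for p in samples)
    return {src: (n, n * scale) for src, n in counts.items()}


def percent_error(c):
    """sFlow rule of thumb: 95% confidence error (in %) for a class seen in c samples."""
    return 196 * sqrt(1 / c)


def top_talker(samples, pool, share_threshold=0.4):
    """Flag the source whose estimated share of all packets exceeds the threshold."""
    est = estimate_by_source(samples, pool)
    src, (_, pkts) = max(est.items(), key=lambda kv: kv[1][1])
    return src if pkts / pool > share_threshold else None


if __name__ == "__main__":
    stream = build_stream()
    samples, pool = sflow_sample(stream, rate=100)
    for src, (seen, est) in sorted(estimate_by_source(samples, pool).items(),
                                   key=lambda kv: -kv[1][1]):
        print(f"{src:14} ~{est:7.0f} packets  (+/- {percent_error(seen):.0f}%)")
    print("top talker:", top_talker(samples, pool))
```

The point the slide makes about scaling follows directly from the arithmetic: the agent does a constant amount of work per sampled packet whatever the link speed, and the confidence in the estimate depends only on how many samples a class collected, not on the total traffic, so a 1-in-N rate chosen for a 10 GbE link still gives a usable picture of the heavy hitters.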


Agenda

• Application Challenges and Solutions

• Server Farm and Application Security

• Layer 4-7 Security Switches

• Q&A

Thank You