1 TECHNICAL BRIEF Networking and High Availability Deployment Note Imperva appliances support a broad array of deployment options, enabling seamless integration into any data center environment. can be configured as a transparent bridge or a non-inline network monitor (sniffer). In addition, the Web Application Firewall supports reverse proxy and transparent proxy deployment. Because of this flexibility, customers can roll out comprehensive application-level security without changing their data center infrastructure. There is no need to reconfigure IP addresses, routing schemes, or applications allowing to easily drop into any network. The appliances protect critical business applications and database servers. Therefore, high availability is an essential customer requirement. To meet this requirement, Imperva offers a range of options that ensure business continuity and application availability. This deployment note describes several networking scenarios and the corresponding high availability configurations for each scenario, including: Transparent Bridge Configuration Active-Passive Failover in a Redundant Architecture Active-Active Failover in a Redundant Architecture Fail-open Architecture Active-Passive and Active-Active Failover with IMPVHA Protocol Link Aggregation Network Monitor (Sniffer) Configuration Non-Inline Deployment Non-Inline with Redundant Transparent and Reverse Proxy Configurations (Web Application Firewall only) Load Balancer Integration Active-Passive Failover This note also describes the criteria customers can use to determine the best network and high availability configuration for their environment.
2 Transparent Bridge Configuration Active-Passive Failover in a Redundant Architecture In this scenario, two gateways are deployed in an existing highly available architecture. Since each gateway is configured as a layer 2 bridge, any failure to appears to the network simply as if a switch port has failed. Connected devices would recognize that the gateway was not reachable and would automatically redirect traffic around it. Data inspection and analysis is performed es es through a powerful Transparent Inspection engine, so does not need to terminate or rewrite HTTP requests. TCP connections are negotiated directly Diagram of Active-Passive Failover in a Redundant Architecture between the client and the back-end server. Therefore, a failover event does not disrupt TCP connections or affect user sessions. Active-Active Failover in a Redundant Architecture In this deployment scenario, redundant gateways are again deployed in an existing highly available architecture. The only difference is that both gateways transmit traffic simultaneously. Since is configured as a layer 2 bridge, any failure to appears to the network simply as if a switch port has failed. Connected devices would recognize that the gateway was not reachable and would automatically redirect traffic around it. es es As a bridge, transparently inspects traffic without terminating Diagram of Active-Active Failover in a Redundant Architecture TCP connections. So a failover event does not affect user sessions or disrupt TCP connections between the web or database server and the client. Since one gateway has failed, total network capacity will be reduced until the failure is corrected.
3 Fail-open Architecture Fail-open bridge configuration preserves uptime without the cost or management effort of building a redundant architecture. In this scenario, is deployed inline in front of the protected application servers. In the event of a software, hardware, or power failure, s specialized network interface card will detect the failure and physically complete the connection through the gateway. The NIC card will fail open in milliseconds, minimizing network downtime. However, application servers will not be monitored or protected from attacks until the gateway resumes operations. Fail-Open Architecture Diagram Active-Passive and Active-Active Failover with IMPVHA Protocol Imperva developed a proprietary redundancy protocol for environments that do not have a redundant network architecture and Spanning Tree Protocol (STP) cannot be implemented. For some customers, STP convergence times may be unacceptably long or STP may conflict with existing protocols, such as Rapid Spanning Tree Protocol. For these situations, the Imperva High Availability (IMPVHA) protocol is the ideal solution. Pair Pair es es With IMPVHA, two gateways can be configured as layer 2 bridges in either active-passive or active-active mode. The configuration and failover Diagram of Active-Active Failover using IMPVHA mechanism is similar to VRRP, except that when a failover occurs, the backup device informs connected devices to redirect traffic via ARP requests rather than assuming the primary device s IP address. When an IMPVHA pair is deployed, the backup gateway will send periodic loopcheck broadcast messages. If no response is received within the configurable failover time (default is 0.5 seconds), the backup gateway will become active. Since a gateway supports two bridges through its four network interface cards, it is possible to configure one bridge as the IMPVHA primary for one network and the second bridge as a backup for another network. In this configuration, two gateways can support an active-active failover configuration.
4 Link Aggregation One or more gateways can support link aggregation. For example, two interfaces on a gateway can be connected to two interfaces on a network load balancer. Traffic can pass through both connections. For example, uplink traffic can travel through the first interface card while downlink traffic goes through the second interface card. In bridging mode, each gateway includes four network interfaces for application security. So it is possible to aggregate traffic through two connections. If the load balancer has 100Mbps Fast Ethernet interfaces, then aggregating links can also increase total throughput. Even if the traffic is split between the two segments, can accurately inspect all traffic and block attacks. Link Aggregation Diagram If an Ethernet cable is disconnected or a network interface fails, then traffic will continue to be forwarded through the active link on the gateway.
5 Network Monitor Configuration Non-inline Deployment Configuring as a network monitor enables organizations to protect critical servers without introducing a new point of failure. It is a lower price alternative to deploying to or more redundant gateways. To deploy as a network monitor, connect it to an open SPAN port or a network TAP to observe traffic. A second connection to an active port on the switch allows to block malicious connections by sending TCP resets to both the server and the client involved in the session. In the event of a gateway failure, network traffic is unaffected. However, traffic will not be monitored or protected until the gateway becomes operational again. Load Balancer Load Balancer Non-Inline Deployment Diagram Non-inline with Redundant For some organizations, it may be imperative to monitor and audit all Web or database traffic without disruption. These organizations can deploy multiple gateways in non-inline mode. If one of the gateways fail, the other gateway will continue to monitor and record traffic. In this configuration, each gateway should be managed by a separate MX Management Server or by using the integrated software management option. Load Balancer Load Balancer Non-Inline Deployment Diagram with Redundant
6 Transparent and Reverse Proxy Configurations (Web Application Firewall only) is often deployed as a direct replacement for legacy reverse proxy appliances. In most cases, customers choose to configure as a bridge because it fits into the existing architecture and reduces the operational burden associated with Web proxies. However, in some cases, customers deploy as in proxy mode to meet architectural requirements or for content modification. The Web Application Firewall supports both reverse proxy and transparent proxy configurations. Both proxy configurations offer content modification, including cookie signing and URL rewriting. Transparent proxy mode enables transparent deployment without network or DNS changes. Load Balancer Integration In proxy mode, one or more gateways are deployed as either a reverse proxy or a transparent proxy. A load balancer balances the traffic between the gateways and the gateways forward the traffic to the Web servers. It s possible to configure load balancer to work in activeactive or active-passive modes. In this mode, the IP address of the Web site resolves to the gateway s IP address. If SSL is used, then the gateway should be configured to terminate the Diagram of Proxy Mode with Load Balancer Integration SSL connection. Note that in proxy mode, establishes a new connection to the Web server on behalf of the client. Active-Passive Failover VRRP also provides redundancy for two or more gateways configured as reverse or transparent proxies. In this deployment scenario, two gateways are deployed as proxies. The gateways are configured as a VRRP pair (Virtual Router Redundancy Protocol). When the active gateway becomes unavailable, the passive gateway assumes the IP address of the failed gateway and becomes active. VRRP Master Load Balancer VRRP Master Diagram of Active-Passive Failover in Proxy Mode
7 Summary of Network Configuration Modes The best-in-class application security appliances support a wide array of deployment options. customers can select the best deployment scenario based on their network, high availability and ongoing maintenance objectives. So which configuration mode would best suit your needs? That depends on your data center architecture, your business applications, and your performance and operational requirements. For example, if you wish to encrypt cookies or rewrite URLs, you can configure as a proxy. If line speed performance and zero impact deployment are important, then deploy as a layer 2 bridge. The table displayed below describes which network configuration mode you should choose based on your existing network infrastructure and applications and your performance and high availability requirements. Configuration Mode When to Use Bridge When transparent deployment is required Provides drop-in installation Layer 2 operation is transparent to most networks and applications For high performance environments Proxy For seamless replacement of legacy application proxy deployments, cookie signing, and URL rewrite Transparent proxy option for content modification with no network changes Network Monitor For risk-free evaluation and pilot projects To avoid adding new devices to the network The appliance is not inline and won t impact the network When only monitoring and reporting functions are needed Copyright 2014, Imperva All rights reserved. Imperva and are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #TB-NETWORKING-AND-HA-0414rev2
An Accurate and Effective Approach to Protecting and Monitoring Web Applications White Paper Web applications have lowered costs and increased revenue by extending the enterprise s strategic business systems
Barracuda Load Balancer Administrator s Guide Version 2.3 Barracuda Networks Inc. 3175 S. Winchester Blvd. Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2004-2008, Barracuda Networks
Network Monitoring and Analysis Techniques Using Taps and SPAN Switches Networks have evolved into complex structures supporting critical business processes and communications. As this complexity has increased,
The recognized leader in proven and affordable load balancing and application delivery solutions White Paper 7 Easy Steps to Implementing Application Load Balancing For 100% Availability and Accelerated
IMPLEMENTATION GUIDE INTEGRATING FIREWALL SERVICES IN THE DATA CENTER NETWORK ARCHITECTURE USING SRX SERIES SERVICES GATEWAY Although Juniper Networks has attempted to provide accurate information in this
Red Hat Enterprise Linux 7 Load Balancer Administration Load Balancer Add-on for Red Hat Enterprise Linux Red Hat Engineering Content Services Red Hat Enterprise Linux 7 Load Balancer Administration Load
5 Easy Steps to Implementing Application Load Balancing for Non-Stop Availability and Higher Performance DEPLOYMENT GUIDE Prepared by: Jim Puchbauer Coyote Point Systems Inc. The idea of load balancing
Purpose-Built Load Balancing The Advantages of Coyote Point Equalizer over Software-based Solutions Abstract Coyote Point Equalizer appliances deliver traffic management solutions that provide high availability,
CHAPTER 15 This chapter describes the security appliance failover feature, which lets you configure two security appliances so that one takes over operation if the other one fails. This chapter includes
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
Any-to-any switching with aggregation and filtering reduces monitoring costs Summary Physical Layer Switches can filter and forward packet data to one or many monitoring devices. With intuitive graphical
White Paper Network Connectivity Intel Advanced Network Services Software Increases Network Reliability, Resilience and Bandwidth Adapter teaming is a long-proven method for increasing network reliability,
White Paper EMC VNXe HIGH AVAILABILITY Overview Abstract This white paper discusses the high availability (HA) features in the EMC VNXe system and how you can configure a VNXe system to achieve your goals
Windows Server 2008 R2 Hyper-V Live Migration Table of Contents Overview of Windows Server 2008 R2 Hyper-V Features... 3 Dynamic VM storage... 3 Enhanced Processor Support... 3 Enhanced Networking Support...
White PAPER 10 Gigabit Ethernet Virtual Data Center Architectures Introduction Consolidation of data center resources offers an opportunity for architectural transformation based on the use of scalable,
McAfee NGFW Reference Guide for IPS and Layer 2 Firewall Roles 5.7 NGFW Engine in the IPS and Layer 2 Firewall Roles Legal Information The use of the products described in these materials is subject to
FortiBalancer: Global Server Load Balancing WHITE PAPER FORTINET FortiBalancer: Global Server Load Balancing PAGE 2 Introduction Scalability, high availability and performance are critical to the success
Linux Virtual Server Administration RHEL5: Linux Virtual Server (LVS) Linux Virtual Server Administration: RHEL5: Linux Virtual Server (LVS) Copyright 2007 Red Hat, Inc. Building a Linux Virtual Server
NETWORK SECURITY NSA 2400 SonicWALL Network Security Appliances Getting Started Guide SonicWALL NSA 2400 Getting Started Guide This Getting Started Guide provides instructions for basic installation and
LoadMaster Deployment Guide For Microsoft Exchange 2010 Updated: November 2011 2002-2011 KEMP Technologies, Inc. All rights reserved. KEMP Technologies and the KEMP Technologies logo are registered trademarks
Appliance Administration Manual v6.21 This document covers all required administration information for Loadbalancer.org appliances Copyright 2014 Loadbalancer.org, Inc. Table of Contents Section A Introduction...7