CHAPTER 4 IMPROVE THE WEB APPLICATION PERFORMANCE BY BYPASSING THE TRAFFIC ON F5 LOAD BALANCER


4.1 INTRODUCTION

Web applications are widely used because they can be accessed over the network. One primary hurdle when accessing web applications over the network is high latency caused by poor performance. Users face these performance issues when accessing web applications, hosted on a web server, via a URL. Traffic from the user end can traverse numerous gateways, hubs and proxies in order to reach the web server. Client/user IPs face performance hindrances while accessing the web server due to unnecessary routing to proxy servers from the F5 load balancer. All users are routed to the proxy servers, where they face collision and contention that lead to poor performance when accessing the web server.

Reason of Higher Latencies while Accessing the Web Server

When users start accessing the application, the entire traffic coming from the user WAN link goes to the proxy server, where content scanning takes place; the traffic then comes back to the load balancer and moves on to the actual destination server through a firewall. The major issue with the proxy servers is that traffic faces collision and contention there, which leads to poor performance when accessing the web server and induces additional latency in accessing the destination URL.

The solution is to keep the traffic from entering the proxy servers by using iRules on the F5 load balancer. The trusted network traffic can then be re-routed directly to the web server through the firewall.

4.2 WEB SERVER ACCESS THROUGH THE F5-LOAD BALANCER

An F5 load balancer is a device that acts as a reverse proxy and distributes network or application traffic across a number of servers. Load balancers are used to increase the capacity (concurrent users) and reliability of applications. They improve the overall performance of applications by decreasing the burden on servers associated with managing and maintaining application and network sessions, as well as by performing application-specific tasks.

Load balancers are generally grouped into two categories: Layer 4 and Layer 7. Layer 4 load balancers act upon data found in network and transport layer protocols (IP, TCP, FTP, UDP). Layer 7 load balancers distribute requests based upon data found in application layer protocols such as HTTP. Requests are received by both types of load balancers and are distributed to a particular server based on a configured algorithm. Some industry standard algorithms are: round robin, weighted round robin, least connections, and least response time.

Layer 7 load balancers can further distribute requests based on application-specific data such as HTTP headers, cookies, or data within the application message itself, such as the value of a specific parameter. Load balancers ensure reliability and availability by monitoring the "health" of web applications and only sending requests to servers and applications that can respond in a timely manner.

The BIG-IP network appliance was originally a network load balancer. F5's BIG-IP product is based on a network appliance (either virtual or physical) that runs F5's Traffic Management Operating System (TMOS), which runs on top of Linux.

Figure 4.1 Existing architecture of web server access through the F5-load balancer

The web application hosting and access architecture is illustrated above in Figure 4.1.

1. The traffic from the customer WAN link enters the F5 load balancer through the interface
2. The customer traffic then moves to proxy servers 01 and 02 through load balancer interface 02 and via switch
3. Once the content scanning is done by the proxy server, the traffic comes back to the load balancer via interface 03 through switch
4. The scanned traffic received by the load balancer from the proxy servers is then sent to the web server via interface 01 through the firewall.

4.3 DESIGN AND IMPLEMENTATION OF IRULES ON F5-LOAD BALANCER

The traffic can be diverted from entering the proxy servers by configuring an iRule in which a data group (class) is applied that matches traffic based on networks/hosts or destination URLs. An iRule is a user-written script that controls the behavior of a connection passing through the LTM system. iRules are an F5 Networks feature and are frequently used to direct certain connections to a non-default load balancing pool.

    class BypassProxyIPs_http {
        host <ip Address>
        host <ip Address>
        host <ip Address>
        network <ip Address>/<PORT>
        host <ip Address>
    }

    rule bypassfordesturl {
        when HTTP_REQUEST {
            # The first matchclass operand is missing in the transcription;
            # [HTTP::host] is assumed here for the destination match.
            if { [matchclass [HTTP::host] equals $::BypassProxyDestURLs] } {
                pool firewall-pool
            } else {
                pool bluecoat-proxies-http
            }
        }
    }

    rule ByPassProxyForHTTP-2.0 {
        when HTTP_REQUEST {
            # The operand is missing in the transcription, which also repeats
            # BypassProxyDestURLs here; the source address and the
            # BypassProxyIPs_http list are used, following the description below.
            if { [matchclass [IP::client_addr] equals $::BypassProxyIPs_http] } {
                pool firewall-pool
            } else {
                pool bluecoat-proxies-http
            }
        }
    }

The iRules above direct connections to the firewall instead of routing them to the proxy servers, as follows. The iRule ByPassProxyForHTTP-2.0 has to be created and applied on the virtual servers wildcard-http and wildcard-https. The bypass list BypassProxyIPs_http is referenced by the iRule to match the traffic (source IP address of the packets) coming from the trusted users' WAN link. If a packet's source IP address matches any of the IP address/network entries in this bypass list, the traffic is forwarded directly to the server via the firewall. If the incoming packet's source IP address does not match any entry in the bypass list, the packet is sent to the proxy server, scanned for vulnerabilities, returned to the load balancer and then forwarded to the server.
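The routing decision described above, together with a check a reviewer would want on the bypass list itself, as an added Python example (not code from the thesis or from F5): it parses a data group in the chapter's class syntax, picks the pool for a source address the way the iRule does, and flags network entries broad enough to exempt large address ranges from proxy scanning. The sample addresses, the function names and the /16 threshold are assumptions made for illustration.

```python
import ipaddress
import re

# Pool names as used in the chapter's iRule.
BYPASS_POOL = "firewall-pool"
SCAN_POOL = "bluecoat-proxies-http"

# Constructed sample data group in the chapter's class syntax. The addresses
# are documentation/private ranges picked for illustration only.
SAMPLE_CLASS = """
class BypassProxyIPs_http {
    host 192.0.2.10
    host 192.0.2.11
    network 198.51.100.0/24
    network 10.0.0.0/8
}
"""

CLASS_RE = re.compile(r"class\s+(\S+)\s*\{(.*?)\}", re.S)
ENTRY_RE = re.compile(r"^(host|network)\s+(\S+)$")


def parse_class(text):
    """Parse one 'class NAME { host ... / network ... }' block.

    Returns (name, [ipaddress network objects]). Malformed entries raise
    ValueError so a typo never silently widens or narrows the bypass list.
    """
    block = CLASS_RE.search(text)
    if block is None:
        raise ValueError("no class block found")
    name, body = block.groups()
    networks = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = ENTRY_RE.match(line)
        if entry is None:
            raise ValueError(f"unrecognised entry: {line!r}")
        kind, value = entry.groups()
        if kind == "host":
            addr = ipaddress.ip_address(value)  # rejects 'a.b.c.d/nn'
            networks.append(ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}"))
        else:
            # strict=True rejects entries with host bits set (e.g. 10.1.2.3/8)
            networks.append(ipaddress.ip_network(value, strict=True))
    return name, networks


def select_pool(client_ip, networks):
    """Mirror the iRule: listed sources skip the proxies, all others are scanned."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in networks):
        return BYPASS_POOL
    return SCAN_POOL


def audit_bypass_list(networks, min_prefix_v4=16):
    """Return (cidr, address_count) for IPv4 entries broader than the threshold.

    The /16 default is an assumed review threshold, not a value from the chapter.
    """
    findings = []
    for net in networks:
        if net.version == 4 and net.prefixlen < min_prefix_v4:
            findings.append((str(net), net.num_addresses))
    return findings


if __name__ == "__main__":
    name, nets = parse_class(SAMPLE_CLASS)
    for ip in ("192.0.2.10", "198.51.100.77", "10.9.8.7", "203.0.113.5"):
        print(f"{ip:15} -> {select_pool(ip, nets)}")
    for cidr, size in audit_bypass_list(nets):
        print(f"{name}: {cidr} exempts {size} addresses from proxy scanning")
```

Every address covered by a flagged entry reaches the web server without content scanning, so broad entries deserve the same review as a firewall rule change.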

All the trusted users' machine IP addresses were added to this bypass list, BypassProxyIPs. Once IP addresses/network addresses are added to this bypass list, traffic for any URL matching this bypass list won't be forwarded to the proxy server and is instead forwarded to the respective servers directly from the load balancer through the firewall.

There is one more iRule, BypassProxyDestURLs, to be configured on the load balancer. The bypass list BypassProxyDestURLs is applied to this iRule, which matches the destination URL in the packet received from the users' WAN link and determines the corresponding action to be taken. Figure 4.2 represents the proposed architecture of web server access after configuring iRules on the F5 load balancer.

Figure 4.2 Proposed architecture of web server access after configuring iRules on F5-load balancer

The various components that appear in the proposed architecture have already been discussed in Chapter 1.

Advantages of this Methodology

1. Performance of web server/application access is improved.
2. iRules are easily customized by adding or removing the trusted network IP addresses.
3. The overall performance of web server/application access is improved by configuring iRules on the F5 load balancer to bypass the proxy servers, so that traffic can directly reach the destination server.
4. By doing this, additional latency is avoided for certain trusted users/network IPs.
5. The traffic can be diverted from entering the proxy servers by configuring an iRule in which a data group (class) is applied that matches traffic based on networks/hosts or destination URLs.

4.4 AN EFFECTIVE DATA TRANSMISSION IN INTERNET USING IDS TO IMPROVE THE PERFORMANCE OF WEB APPLICATION

Need for Proposed Methodology

After implementing traffic bypassing using the F5 load balancer, the scholar may come across situations of security violation in the network, and anonymous users can access the web server. For this reason, the research scholar implemented the NS-IDS security system in the web server to restrict the access of anonymous users from the network. The potential damage imposed by remote attacks launched via the internet arises from the serious dependence on the internet and worldwide connectivity.

The types of IDS are network-based and host-based intrusion detection systems. Among them, one type detects malicious activity by looking for the particular signatures of previously recognized threats. It helps to reduce malware and virus functionality in the system. Other types of IDS compare network traffic patterns against a baseline, looking for anomalies. Some IDS are meant just for monitoring and alerting. Some IDS are empowered to take action on the detected threat. IPS is a technology that has the relation between firewall and IDS. IPS is also a firewall which unites network IDS that secures the network. It seems to get an impression that as time given firewall, IDS and IPS avail muse attributes from each other cases the time ever muse, presently firewall is trust wall boundary protection. Excellent practices home sign advise that one firewall. A setting shall operate configured to deny or whenever necessary open up host. Port should be opened for host web an port 21 for FTP web server, even though the port are important from a part of view that makes a new way to enter into your network maliciously breaking up firewall settings. This is where IDS connection, implements NS-IDS access the alone network, or otherwise a HIDS to a particular device. The IDS observes the inbound and outbound traffic and recognizes suspicious and malicious traffic which might have crossed the firewall protection.

Sometimes an IDS may give a false alarm even though it protects the network from attacks and malicious activities. The IDS solution may be turned when it is trusts installed are proper configuration is needed to configure normal traffic on the network, and the administrator is responsible for responding to the IDS alerts when a suspicious malicious attack is. The IDS fall in the category of simple inspection trail method, or a sort out method by means of a traffic control system, similar to screening routers, packet filters, firewalls, etc. Logging utility is sometimes meant as a result of IDS by some people. Security is organized for IDSs to lessen the inadequacy of uni-modal biometric systems. Since each device in the network has certain restrictions for observation, more than one device in the network needs to be chosen, and those observations are used to enhance observation accuracy. This observation accuracy is used by the system which decides whether user authentication (or IDS input) is requisite. The IDS should be chosen based on the security posture. So, the network can function in a fully secured manner by means of the IDS as well as each authentication device.

Background of the Proposed Work

An On-Demand Secure Routing Protocol Resilient to Byzantine Failures

It presents a novel dependable multicast protocol that accepts informed faults, which include Byzantine faults. This protocol is made up with a new way of structuring secured protocols that is based on the firewall known hybrid failure model. Irrespective of position about arbitrary failure resistance, the protocol may not be necessary getting the cost of agreement in number of contributors are message interfaces it depends on the subsistence of a simple distributed security kernel. In the TTCB, the participants can work at critical parts of the protocol process, firewall the protection of a crash fire line model or otherwise participants follow an arbitrary fire line model. The TTCB provides some basic services, which allow the protocol to have some effectiveness in relation to that of accident fault tolerant protocols, for faults one protocol needs F+2 processes as an alternative of 3F+1 is by system. In addition, the TTCB permits secured and protected operation of timed protocols despite the unpredictability in the time behavior of the environment.

A Test-Bed for Misbehavior Detection in Mobile Ad-Hoc Networks

By following the defect observation mechanism detect the system has been nominated in mobile ad-hoc network. This system is called watchdogs, the research scholar is interested to apply and utilized the abilities of a watch dog detective is real time network, because those approaches can only be evaluated in simulations and restricted to set firewall packet dropping test based implementation of misbehaviors detection is practiced in thing paper. This test-bed explains the evaluation of bush feasibility and the ability to learn the attacks on routing in DARP. Dynamic some we routing protocol. To supplement muse capabilities, passive acknowledgement is extended by utilizing the procedure for partial dropping packet modulation. The intrusion identification empowered by combination DSR with set filter and APE. In this paper the scholar presents the implantation result of both attackers an detection their shows achievability and constraints.

Improving Wireless Simulation through Noise Modeling

In this thesis work it is recommended that modeling environmental noise improves the wireless simulation with way of simulates the wireless packet delivery efficiently are muse accurately noise traces one determines in lots of different environments are these algorithms are proposed to simulated noise from the traces data remained. The performances of these three algorithms evaluated are evaluation of signal to noise curves in comparison with existing simulation used in Emstar, TOSSIM and NS2. They are evaluated by the Kantorovich-Wasserstein distance on conditional packet delivery function and used to measure the simulation accuracy. This noise model can detain complex temporal dynamics in which the practicing approaches don't increase the packet simulation fidelity a factor f 2 f links, a factor of 1.5 for has links are factor of 5 for intermediate linker since are models are resulting from real-world traces they shall be created for so many different environments.

An Acknowledgment-Based Approach for the Detection of Routing Misbehavior in MANETs

This paper studies routing misbehavior in mobile ad-hoc networks. Usually, routing protocols in MANETs assume completely cooperative nodes. Contrary to that, as a result of the barely obtainable battery-based energy, node misbehaviors may exist. One such misbehavior is that some selfish nodes take part in the route discovery and route maintenance processes but do not participate in data transmission, that is, they refuse to forward the data packets. The paper proposes the 2ACK scheme, which serves as an add-on procedure for routing schemes to detect routing misbehavior and to alleviate its unfavorable effects. The idea behind the 2ACK scheme is to send a two-hop acknowledgement packet in the reverse direction of the routing path. To decrease the extra routing overhead, only a small part of the received data packets are acknowledged in the 2ACK scheme. The performance of the proposed scheme is evaluated by systematic and simulation results.

Difficulties in Existing Systems

Numerous exploitations result in missed intrusions and network vulnerabilities. Missed intrusions mainly occur in the following environments:

Heavy traffic networks: In these environments the IDS sensor is overloaded by the high amount of traffic, and because of that the intrusion traffic goes unnoticed.

(1) Switched networks: In switched network environments an NS-IDS needs to observe the traffic on each switch segment. There is no ideal location to connect the NS-IDS and switch SPAN ports in switched networks, so the NS-IDS can't keep up with all the traffic on the switch. Deploying an NS-IDS on each segment is unaffordable in many environments, thus leaving segments unprotected.

(2) Asymmetrical networks: In asymmetrical networks the traffic can pass through multiple paths before it reaches the NS-IDS. The NS-IDS will only see a piece of the conversation (flow), therefore missing an attack. An NS-IDS needs to see a complete conversation (flow) in order to determine whether an intrusion is present.

(3) Network Availability: Network availability means the ability of the network to react to the requests made by those accessing the network. Network availability is a crucial factor in network security. As businesses scale their networks to accommodate growth and increase resilience, they have to scale the security infrastructure as well to preserve and ensure network availability.

(4) Scalability: Scalability is the ability of a network to carry on functioning well as nodes are attached to the network. A network infrastructure which does not have an NS-IDS environment that accommodates the growth leaves the network open to intrusions and network performance degradation.

(5) Resilience: Resilience is the capability of the network to provide and sustain an acceptable level of service even when faults occur in normal operation. High network availability is ensured by redundant network deployment. So, redundant NS-IDS are needed to make sure intrusions don't crash network availability.

Proposed Methodology

NS-IDS: Network Intrusion Detection Systems are used in the network to observe traffic to and from all devices on the network. Preferably all inbound and outbound traffic would be scanned; on the other hand, doing so may create a bottleneck that weakens the overall speed of the network.

Deployment Issues Resolved

100% Network Coverage and High Availability

Load balancing component would recognize the traffic exchanges used to address the deployment issues. That particular device can intelligently supplement and forward traffic to the NS-IDS to make sure that network intrusions are detected and the network is very much available. 100% network intrusion coverage challenges are NS-IDS deployment issues crash a NS-IDS capability to work on the intrusion and often 100% coverage against network intrusions. The following sections give a general idea of the challenges with NS-IDS in terms of performance, switched networks and asymmetrically routed networks.

NS-IDS Performance Challenges

Performance is the most notorious problem in the context of NS-IDS because it is very difficult to estimate. NS-IDS use Pattern Matching or Protocol Analysis, or a mixture of the two, and run the sensor on Linux, Windows, Solaris or a hybrid. The following are some of the factors that need to be considered:

- Amount of encrypted traffic running.
- Size of the packets being used.
- Type of the policy running.
- Amount of alerts being generated.
- Amount of responses triggered by each alert.

The NS-IDS has two mainstream versions: a 100MB sensor (capable of monitoring up to 100MB/s) and a Gigabit sensor (capable of monitoring anywhere from 300MB to 800MB). Both types of NS-IDS use the same high-level logic to look for attacks (either Protocol Analysis, or Pattern Matching, or a combination of both). The major difference between the two is in the method used to examine the captured packets.

Actually, the problem is not the number of attacks detected by the NS-IDS; the problem is how effectively the NS-IDS can single out one attack in the context of bulk background traffic. Often the NS-IDS has a problem dealing with a mass of attacks, other than this the proverbial finding a needle in a haystack. Detection of mass attacks is difficult when SSL (Secure Sockets Layer) traffic is involved, because encrypted traffic cannot be read by the NS-IDS. In this situation the NS-IDS wastes valuable CPU cycles before realizing that it can do nothing with the traffic.

The second parameter used to analyze the performance of the NS-IDS is packet size. NS-IDS vendors usually select an average packet size of 1024 bytes; on the other hand, if the packets are small, the NS-IDS runs slowly.

The third key parameter used to analyze the performance of the NS-IDS is how fast it runs the policy that is loaded. Usually an NS-IDS has hundreds of attack signatures in use at any given time. The more signatures the NS-IDS looks for in a stream of data, the longer it takes before it can view the next stream. These modes of performance analysis are more critical for pattern matching systems than for those using protocol analysis; several variables are there to evaluate the perfect performance of an NS-IDS. Other than this, normally on a 10/100 MB sensor can expect MB/s controlled and monitored and on a gigabit sensor and it is approximately MB/s. The scholar understands that an act of 100 MB, 60-80% of utilization and 40-60% of utilization on a gigabit segment is used. So these NS-IDS would not monitor a whole segment. The environment for which these devices were originally designed is the important thing.

Design and Implementation

NS-IDS monitor the system, not exclusively the network traffic, the agent placed on the client as a part of application. Rationally, NIDS sensor and NS-IDS work as a same manner, between the quality and external network. Still, as an alternative of technologies being a network device, the HIDS is a software cover through which the traffic must pass to get to the service.

Figure 4.3 IDS System Architecture

An NS-IDS is devised to watch individual segments, for instance off a network. So just attach the NS-IDS to one of the ports on the hub and one shall be able to monitor all of the communication that goes on in that segment. In this classical type of architecture one can expect to achieve a 40% utilization of the 100 MB/s available. This means that the 40-60% utilization that can be achieved on a 100 MB sensor is actually not a big issue. The issues really start when a user increases this utilization via the use of the web server.

The investment in a network-based intrusion detection system is a legitimate investment to protect the enterprise. Network-based Intrusion Detection Systems are very valid investments. The IDS balancer from top layer networks presents the most widespread benefits in NS-IDS deployments to protect the enterprise.

Figure 4.4 Usage of IDS installation

Management station using IDS for monitor activities of system as well as network system malicious process and it generate reports. IDPS (Intrusion detection and prevention systems) are mainly focused on identifying incidents of possible, logging data, and exposure attempts various systems may endeavor to prevent an intrusion attempt but this is expected of a monitoring system process. Generally existing document threats, finding harms with security policies, and deter those from violate security policies these are some uses of IPSec for other purposes in organization process. Every organization must have necessary addition to the security infrastructure with the help of IPSec (Figure 4.4).

- Assure pure intrusion coverage
- Check easy to organize in composite platforms
- IPSec gives the ability to supervise multiple segments with a single sensor, so giving a greater return on existing investments
- High level of idleness.
- Secure the sensor from attacks.
- Utmost accessibility in network

Network Security with Intrusion Detection System (NS-IDS)

NS-IDS consist of sensors which are present on servers/workstations to check for attacks/intruders on a particular machine. NS-IDS can make decisions based home settings, log data and properties specification on an OS. Compared with some other IDS configurations, various devices which present in NS-IDS, to sensor / agent, are located on or close to host, such as a workstation / application service. For record, the events and possibly correlate to event data is sent to logging services to them with other events.

NS-IDS agents can be located on frequent host types. A server is usually a system to commit running a service in which host connects to, transmit, or accept data, such as internet, mail. A client works as the workstation, such as a computer, from which a user can connect to other machines. A server has an application service as its running process, such as a web service / database application. Because each system runs a different operating system, such as the Windows series or Linux, the types of harm that will affect the system are specific to these hosts.

Performance Evaluation

Three main classification of which exists in this experiment is to serve and led the bifurcated form of original schemes. First, much sensitive performance measurements for rules set and packet content. Even though it may have high dispiriting, the system identified the grade of accuracy appears designate in most bounded cases. While the quantifications of this comparison has been away from the purpose of process, results so far propose that it would be possible to experiment with randomized payloads or random rule sets, at the cost of some measurement errors. System generates some believable as well as some useful outcome considering these errors into account. During full packet, traces conceal all private data although being significantly less and more convenient than full packet traces. So this system considers that this process made it lazy for researchers to use NS-IDS traffic traces.

Second, it generates perceptive traffic personality and processor design. System calculates equated significant variation in mutually the standard per-packet cost. Thus the estimation shows that the system enlarged in information transmission with security. The Figure 4.4 shows the efficiency.

Figure 4.5 Effectiveness of data transmission with IDS

Finally, when there are attackers, the scholar calculated the efficiency of WD, who contributes in the path identification process as ordinary nodes but fall of all traditional data packets. The scholar designed the model which has 10 malicious network nodes and or deletes much number data packets. It is notable; information for malicious node identifying process is harder when they drop selectively.

Figure 4.6 Network Throughput

Therefore, the design attack was easy to face challenges for an Intrusion Detection system. Figure 4.5 shows the throughput of the network for a simulation time of 600 seconds, in which 10 malicious nodes delete or remove all expected data or information packets. Devoid of WD, the efficiency of network initial at simulation time of 600 seconds degrades to 40% in the network density and to 46 % in the less network density. If the system has a high density network, with WD active, the throughput for the network is increased between the range of 53.3 and 90.1 kbps with regular backdrop noise, and from 54.7 to 65.8 kbps with backdrop noise. In the low-density system, conversely, WD doesn't moderate the contact of the intruder or attacker, particularly when the NS-IDS noise model is used.

4.5 SUMMARY

The performance of web server/application access has been improved by configuring iRules on the F5 load balancer to bypass the proxy servers so that traffic can directly reach the destination server. With this, additional latency is avoided for certain trusted users/network IPs. The traffic can be diverted from entering the proxy servers by configuring an iRule in which a data group (class) is applied that matches traffic based on networks/hosts or destination URLs. Users experienced more flexibility in accessing the web applications.

Also, the NS-IDS implementation in the web server has achieved the network security. Using NS-IDS is effective, in transmit packet in high protected mode throughout network is proved by comparing the existing systems. By utilizing this system or technology, recently deployed in several profitable IDS, will apply wide period evaluating sessions for which an attack didn't arise. Hence, anonymous or malicious users cannot intrude into the web server, which ensures a highly reliable network in the N-tier architecture.


More information

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding? Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Assessment of the operation and usefulness of informatics tools for the detection of on-going computer attacks André Matos Luís Machado Work Topics 1. Definition 2. Characteristics

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

PROFESSIONAL SECURITY SYSTEMS

PROFESSIONAL SECURITY SYSTEMS PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

Radware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International. www.radware.

Radware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International. www.radware. Radware s Smart IDS Management FireProof and Intrusion Detection Systems Deployment and ROI North America Radware Inc. 575 Corporate Dr. Suite 205 Mahwah, NJ 07430 Tel 888 234 5763 International Radware

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment Advancement in Virtualization Based Intrusion Detection System in Cloud Environment Jaimin K. Khatri IT Systems and Network Security GTU PG School, Ahmedabad, Gujarat, India Mr. Girish Khilari Senior Consultant,

More information

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton

More information

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls

More information

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI

More information

How To Protect A Web Application From Attack From A Trusted Environment

How To Protect A Web Application From Attack From A Trusted Environment Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined. Contents Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined. Technical OverView... Error! Bookmark not defined. Network Intrusion Detection

More information

Intrusion Detections Systems

Intrusion Detections Systems Intrusion Detections Systems 2009-03-04 Secure Computer Systems Poia Samoudi Asli Davor Sutic Contents Intrusion Detections Systems... 1 Contents... 2 Abstract... 2 Introduction... 3 IDS importance...

More information

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates

More information

Securing Cloud using Third Party Threaded IDS

Securing Cloud using Third Party Threaded IDS Securing Cloud using Third Party Threaded IDS Madagani Rajeswari, Madhu babu Janjanam 1 Student, Dept. of CSE, Vasireddy Venkatadri Institute of Technology, Guntur, AP 2 Assistant Professor, Dept. of CSE,

More information

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 9 Firewalls and Intrusion Prevention Systems First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Firewalls and Intrusion

More information

SiteCelerate white paper

SiteCelerate white paper SiteCelerate white paper Arahe Solutions SITECELERATE OVERVIEW As enterprises increases their investment in Web applications, Portal and websites and as usage of these applications increase, performance

More information

Firewall Design Principles Firewall Characteristics Types of Firewalls

Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Design Principles Firewall Characteristics Types of Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for these slides. Fall 2008

More information

Managing Latency in IPS Networks

Managing Latency in IPS Networks Application Note Revision B McAfee Network Security Platform Managing Latency in IPS Networks Managing Latency in IPS Networks McAfee Network Security Platform provides you with a set of pre-defined recommended

More information

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls and VPNs. Principles of Information Security, 5th Edition 1 Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches

More information

CHAPTER 1 INTRODUCTION

CHAPTER 1 INTRODUCTION 21 CHAPTER 1 INTRODUCTION 1.1 PREAMBLE Wireless ad-hoc network is an autonomous system of wireless nodes connected by wireless links. Wireless ad-hoc network provides a communication over the shared wireless

More information

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 6, Nov. 10, 2010 Firewalls, Intrusion Prevention, Intrusion Detection

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

Technical papers Virtual private networks

Technical papers Virtual private networks Technical papers Virtual private networks This document has now been archived Virtual private networks Contents Introduction What is a VPN? What does the term virtual private network really mean? What

More information

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7 20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic

More information

Second-generation (GenII) honeypots

Second-generation (GenII) honeypots Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

NETWORK SECURITY (W/LAB) Course Syllabus

NETWORK SECURITY (W/LAB) Course Syllabus 6111 E. Skelly Drive P. O. Box 477200 Tulsa, OK 74147-7200 NETWORK SECURITY (W/LAB) Course Syllabus Course Number: NTWK-0008 OHLAP Credit: Yes OCAS Code: 8131 Course Length: 130 Hours Career Cluster: Information

More information

An Alternative Model Of Virtualization Based Intrusion Detection System In Cloud Computing

An Alternative Model Of Virtualization Based Intrusion Detection System In Cloud Computing An Alternative Model Of Virtualization Based Intrusion Detection System In Cloud Computing Partha Ghosh, Ria Ghosh, Ruma Dutta Abstract: The massive jumps in technology led to the expansion of Cloud Computing

More information

Security Technology: Firewalls and VPNs

Security Technology: Firewalls and VPNs Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up

More information

Taxonomy of Intrusion Detection System

Taxonomy of Intrusion Detection System Taxonomy of Intrusion Detection System Monika Sharma, Sumit Sharma Abstract During the past years, security of computer networks has become main stream in most of everyone's lives. Nowadays as the use

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

Intrusion Detection for Mobile Ad Hoc Networks

Intrusion Detection for Mobile Ad Hoc Networks Intrusion Detection for Mobile Ad Hoc Networks Tom Chen SMU, Dept of Electrical Engineering tchen@engr.smu.edu http://www.engr.smu.edu/~tchen TC/Rockwell/5-20-04 SMU Engineering p. 1 Outline Security problems

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Banking Security using Honeypot

Banking Security using Honeypot Banking Security using Honeypot Sandeep Chaware D.J.Sanghvi College of Engineering, Mumbai smchaware@gmail.com Abstract New threats are constantly emerging to the security of organization s information

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12 Intrusion Detection Systems and Supporting Tools Ian Welch NWEN 405 Week 12 IDS CONCEPTS Firewalls. Intrusion detection systems. Anderson publishes paper outlining security problems 1972 DNS created 1984

More information

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science A Seminar report On Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science SUBMITTED TO: www.studymafia.org SUBMITTED BY: www.studymafia.org

More information

Intrusion Detection System (IDS)

Intrusion Detection System (IDS) Intrusion Detection System (IDS) Characteristics Systems User, Process predictable actions describing process under that actions what pattern subvert actions attack of correspond the systems processes

More information

White Paper February 2005. McAfee Network Protection Solutions. IntruShield Virtualization Delivering Real Benefits. www.mcafee.

White Paper February 2005. McAfee Network Protection Solutions. IntruShield Virtualization Delivering Real Benefits. www.mcafee. White Paper February 2005 McAfee Network Protection Solutions IntruShield Virtualization Delivering Real Benefits Delivering Real Benefits 2 Introduction Virtualization The IntruShield Approach 3 4 Virtualization

More information

Chapter 8 Security Pt 2

Chapter 8 Security Pt 2 Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,

More information

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity SSL-VPN Combined With Network Security Introducing A popular feature of the SonicWALL Aventail SSL VPN appliances is called End Point Control (EPC). This allows the administrator to define specific criteria

More information

Radware s Attack Mitigation Solution On-line Business Protection

Radware s Attack Mitigation Solution On-line Business Protection Radware s Attack Mitigation Solution On-line Business Protection Table of Contents Attack Mitigation Layers of Defense... 3 Network-Based DDoS Protections... 3 Application Based DoS/DDoS Protection...

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000 Network Security Protective and Dependable With the growth of the Internet threats, network security becomes the fundamental concerns of family network and enterprise network. To enhance your business

More information

Cisco Application Networking for IBM WebSphere

Cisco Application Networking for IBM WebSphere Cisco Application Networking for IBM WebSphere Faster Downloads and Site Navigation, Less Bandwidth and Server Processing, and Greater Availability for Global Deployments What You Will Learn To address

More information

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,

More information

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 137 CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 8.1 CONCLUSION In this thesis, efficient schemes have been designed and analyzed to control congestion and distribute the load in the routing process of

More information

Intrusion Detection in AlienVault

Intrusion Detection in AlienVault Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat

More information

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY IT FIREWALL POLICY TABLE OF CONTENT 1. INTRODUCTION... 3 2. TERMS AND DEFINITION... 3 3. PURPOSE... 5 4. SCOPE... 5 5. POLICY STATEMENT... 5 6. REQUIREMENTS... 5 7. OPERATIONS... 6 8. CONFIGURATION...

More information

THE ROLE OF IDS & ADS IN NETWORK SECURITY

THE ROLE OF IDS & ADS IN NETWORK SECURITY THE ROLE OF IDS & ADS IN NETWORK SECURITY The Role of IDS & ADS in Network Security When it comes to security, most networks today are like an egg: hard on the outside, gooey in the middle. Once a hacker

More information

Load Balancing for Microsoft Office Communication Server 2007 Release 2

Load Balancing for Microsoft Office Communication Server 2007 Release 2 Load Balancing for Microsoft Office Communication Server 2007 Release 2 A Dell and F5 Networks Technical White Paper End-to-End Solutions Team Dell Product Group Enterprise Dell/F5 Partner Team F5 Networks

More information

Lesson 5: Network perimeter security

Lesson 5: Network perimeter security Lesson 5: Network perimeter security Alejandro Ramos Fraile aramosf@sia.es Tiger Team Manager (SIA company) Security Consulting (CISSP, CISA) Perimeter Security The architecture and elements that provide

More information

What would you like to protect?

What would you like to protect? Network Security What would you like to protect? Your data The information stored in your computer Your resources The computers themselves Your reputation You risk to be blamed for intrusions or cyber

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

Firewalls and Network Defence

Firewalls and Network Defence Firewalls and Network Defence Harjinder Singh Lallie (September 12) 1 Lecture Goals Learn about traditional perimeter protection Understand the way in which firewalls are used to protect networks Understand

More information

ΕΠΛ 674: Εργαστήριο 5 Firewalls

ΕΠΛ 674: Εργαστήριο 5 Firewalls ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In

More information

Network Based Intrusion Detection Using Honey pot Deception

Network Based Intrusion Detection Using Honey pot Deception Network Based Intrusion Detection Using Honey pot Deception Dr.K.V.Kulhalli, S.R.Khot Department of Electronics and Communication Engineering D.Y.Patil College of Engg.& technology, Kolhapur,Maharashtra,India.

More information

Lecture 23: Firewalls

Lecture 23: Firewalls Lecture 23: Firewalls Introduce several types of firewalls Discuss their advantages and disadvantages Compare their performances Demonstrate their applications C. Ding -- COMP581 -- L23 What is a Digital

More information

Firewalls (IPTABLES)

Firewalls (IPTABLES) Firewalls (IPTABLES) Objectives Understand the technical essentials of firewalls. Realize the limitations and capabilities of firewalls. To be familiar with iptables firewall. Introduction: In the context

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

How To Protect Your Network From Attack From Outside From Inside And Outside

How To Protect Your Network From Attack From Outside From Inside And Outside IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

More information

AppDirector Load balancing IBM Websphere and AppXcel

AppDirector Load balancing IBM Websphere and AppXcel TESTING & INTEGRATION GROUP SOLUTION GUIDE AppDirector Load balancing IBM Websphere and AppXcel INTRODUCTION...2 RADWARE APPDIRECTOR...3 RADWARE APPXCEL...3 IBM WEBSPHERE...4 SOLUTION DETAILS...4 HOW IT

More information

Cornerstones of Security

Cornerstones of Security Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to

More information

Configuring Security for FTP Traffic

Configuring Security for FTP Traffic 2 Configuring Security for FTP Traffic Securing FTP traffic Creating a security profile for FTP traffic Configuring a local traffic FTP profile Assigning an FTP security profile to a local traffic FTP

More information

Performance Evaluation of Intrusion Detection Systems

Performance Evaluation of Intrusion Detection Systems Performance Evaluation of Intrusion Detection Systems Waleed Farag & Sanwar Ali Department of Computer Science at Indiana University of Pennsylvania ABIT 2006 Outline Introduction: Intrusion Detection

More information

Security Design. thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/

Security Design. thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/ Security Design thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/ Content Security Design Analysing Design Requirements Resource Separation a Security Zones VLANs Tuning Load Balancing

More information

TMOS Secure Development and Implementation

TMOS Secure Development and Implementation TMOS Secure Development and Implementation Overview TMOS the foundation and architecture for F5 s application delivery controllers running on the BIG-IP platform brings a wealth of security to existing

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Firewall 1 Basic firewall concept Roadmap Filtering firewall Proxy firewall Network Address Translation

More information

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool Mukta Garg Assistant Professor, Advanced Educational Institutions, Palwal Abstract Today s society

More information

A NOVEL APPROACH FOR PROTECTING EXPOSED INTRANET FROM INTRUSIONS

A NOVEL APPROACH FOR PROTECTING EXPOSED INTRANET FROM INTRUSIONS A NOVEL APPROACH FOR PROTECTING EXPOSED INTRANET FROM INTRUSIONS K.B.Chandradeep Department of Centre for Educational Technology, IIT Kharagpur, Kharagpur, India kbchandradeep@gmail.com ABSTRACT This paper

More information

Overview - Using ADAMS With a Firewall

Overview - Using ADAMS With a Firewall Page 1 of 6 Overview - Using ADAMS With a Firewall Internet security is becoming increasingly important as public and private entities connect their internal networks to the Internet. One of the most popular

More information

GoToMyPC Corporate Advanced Firewall Support Features

GoToMyPC Corporate Advanced Firewall Support Features F A C T S H E E T GoToMyPC Corporate Advanced Firewall Support Features Citrix GoToMyPC Corporate features Citrix Online s advanced connectivity technology. We support all of the common firewall and proxy

More information

Internet Security Firewalls

Internet Security Firewalls Internet Security Firewalls Ozalp Babaoglu ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA Overview Exo-structures Firewalls Virtual Private Networks Cryptography-based technologies IPSec Secure Socket Layer

More information

Network Access Security. Lesson 10

Network Access Security. Lesson 10 Network Access Security Lesson 10 Objectives Exam Objective Matrix Technology Skill Covered Exam Objective Exam Objective Number Firewalls Given a scenario, install and configure routers and switches.

More information

USING LOCAL NETWORK AUDIT SENSORS AS DATA SOURCES FOR INTRUSION DETECTION. Integrated Information Systems Group, Ruhr University Bochum, Germany

USING LOCAL NETWORK AUDIT SENSORS AS DATA SOURCES FOR INTRUSION DETECTION. Integrated Information Systems Group, Ruhr University Bochum, Germany USING LOCAL NETWORK AUDIT SENSORS AS DATA SOURCES FOR INTRUSION DETECTION Daniel Hamburg,1 York Tüchelmann Integrated Information Systems Group, Ruhr University Bochum, Germany Abstract: The increase of

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005 State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology

More information