High Availability Solutions & Technology for NetScreen s Security Systems



Similar documents
Astaro Deployment Guide High Availability Options Clustering and Hot Standby

Cisco Application Networking Manager Version 2.0

NetScreen-5GT Announcement Frequently Asked Questions (FAQ)

High Availability. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Networking and High Availability

How To Configure The Fortigate Cluster Protocol In A Cluster Of Three (Fcfc) On A Microsoft Ipo (For A Powerpoint) On An Ipo 2.5 (For An Ipos 2.2.5)

This document describes how the Meraki Cloud Controller system enables the construction of large-scale, cost-effective wireless networks.

HA OVERVIEW. FortiGate FortiOS v3.0 MR5.

WhatsUp Gold v11 Features Overview

Virtual Leased Line (VLL) for Enterprise to Branch Office Communications

Reliable high throughput data connections with low-cost & diverse transport technologies

ENC Enterprise Network Center. Intuitive, Real-time Monitoring and Management of Distributed Devices. Benefits. Access anytime, anywhere

High Availability Failover Optimization Tuning HA Timers PAN-OS 6.0.0

Truffle Broadband Bonding Network Appliance

Networking and High Availability

Scaling Next-Generation Firewalls with Citrix NetScaler

FortiGate High Availability Overview Technical Note

Network Configuration Example

Clustering. Configuration Guide IPSO 6.2

Ranch Networks for Hosted Data Centers

DOMINO Broadband Bonding Network

1Y0-250 Implementing Citrix NetScaler 10 for App and Desktop Solutions Practice Exam

High Availability at the Central Site Edge

What s New in Juniper Networks Secure Access (SA) SSL VPN Version 6.4

Whitepaper Continuous Availability Suite: Neverfail Solution Architecture

Network Management System (NMS) FAQ

Application Note Gigabit Ethernet Port Modes

WAN Traffic Management with PowerLink Pro100

Virtualized Security: The Next Generation of Consolidation

Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

Cisco SFS 7000D Series InfiniBand Server Switches

Layer 3 Network + Dedicated Internet Connectivity

Release Notes. Release Purpose... 1 Platform Compatibility... 1 Upgrading Information... 1 Browser Support... 2 Known Issues... 3 Resolved Issues...

APV9650. Application Delivery Controller

WHITE PAPER September CA Nimsoft For Network Monitoring

Network Security Firewall

Barracuda Link Balancer

WAN Optimization. Riverbed Steelhead Appliances

WHITE PAPER OCTOBER CA Unified Infrastructure Management for Networks

Increase Simplicity and Improve Reliability with VPLS on the MX Series Routers

IREBOX X. Firebox X Family of Security Products. Comprehensive Unified Threat Management Solutions That Scale With Your Business

DOWNTIME CAN SPELL DISASTER

Cover. White Paper. (nchronos 4.1)

Cisco ASA 5500 Series Firewall Edition for the Enterprise

Cisco ASA 5500 Series Firewall Edition for the Enterprise

Configuring and Implementing A10

High Availability. FortiOS Handbook v3 for FortiOS 4.0 MR3

High Availability. PAN-OS Administrator s Guide. Version 7.0

How To Load Balance On A Cisco Cisco Cs3.X With A Csono Css 3.X And Csonos 3.5.X (Cisco Css) On A Powerline With A Powerpack (C

Virtual PortChannels: Building Networks without Spanning Tree Protocol

White Paper: Virtual Leased Line

The Hybrid Enterprise. Enhance network performance and build your hybrid WAN

Vyatta Network OS for Network Virtualization

Network and Security. Product Description. Product Overview. Architecture and Key Components DATASHEET

WhatsUp Gold v11 Features Overview

SolarWinds Certified Professional. Exam Preparation Guide

CENTRAL CONTROL FACILITY (CCF) DESIGN AND LATEST DATA CENTER PRACTICES

Group Member Access LCH.Clearnet Ltd Network Connectivity Guide (BT Radianz)

SapphireIMS 4.0 BSM Feature Specification


Fortinet Network Security NSE4 test questions and answers:

Radware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International.

Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs

Executive Summary and Purpose

CCNP SWITCH: Implementing High Availability and Redundancy in a Campus Network

Fail-Safe IPS Integration with Bypass Technology

Next Generation Network Firewall

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

Cisco Active Network Abstraction Gateway High Availability Solution

VERITAS Storage Foundation 4.3 for Windows

APV x600 Series. Application Delivery Controller APV1600, APV2600, APV4600, APV5600, APV6600, APV8600, APV9600

SOLUTION GUIDE. Radware & CyberGuard Complete Security Solutions offering Load Balancing, High Availability and Bandwidth Management.

Tk20 Network Infrastructure

Juniper Networks Integrated Firewall and IPSec VPN Evaluators Guide

Cisco Bandwidth Quality Manager 3.1

Blue Coat Systems. PacketShaper Redundant Setup

Configuring Dual VPNs with Dual ISP Links Using ECMP Tech Note PAN-OS 7.0

TimePictra Release 10.0

White Paper ClearSCADA Architecture

Introduction. Technology background

Mail-SeCure Load Balancing

Wireless Video Best Practices Guide

IP Telephony Management

Deploying a Secure Wireless VoIP Solution in Healthcare

Opengear Technical Note

How To Configure Syslog over VPN

Virtualized Network Services SDN solution for enterprises

Ixia xstream TM 10. Aggregation, Filtering, and Load Balancing for qgbe/10gbe Networks. Aggregation and Filtering DATA SHEET

Achieving High Availability & Rapid Disaster Recovery in a Microsoft Exchange IP SAN April 2006

Configuring Active/Active HA Tech Note PAN-OS 4.0

Cisco AnyConnect Secure Mobility Solution Guide

SanDisk ION Accelerator High Availability

SILVER PEAK ACCELERATION WITH EMC VSPEX PRIVATE CLOUD WITH RECOVERPOINT FOR VMWARE VSPHERE

Support of Windows Server 2012 The NCP Secure Enterprise VPN Server supports the Windows Server 2012 (64 bit) operating system.

IPCOM S Series Functions Overview

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

Transcription:

High Availability Solutions & Technology for NetScreen s Security Systems Features and Benefits A White Paper By NetScreen Technologies Inc. http://www.netscreen.com

INTRODUCTION...3 RESILIENCE...3 SCALABLE PERFORMANCE...6 SOPHISTICATED, YET EASY TO USE MANAGEMENT...8 SUMMARY...9 Copyright 2001 NetScreen Technologies Inc. 2

Introduction Service providers and enterprises that deliver revenue-generating services over the Internet face a myriad of performance and security challenges. However critical those challenges may be, high availability (HA) remains the paramount concern. If the network does not remain available to customers and end-users, then the financial foundation of the company is placed at risk. A well-designed infrastructure security system needs to offer HA tools to create a resilient, scalable, and easy to manage solution. NetScreen Technologies delivers a line of purpose-built security systems that integrate firewall and VPN functions together with a set of HA tools, all within a single, comprehensive, high-performance platform. This white paper describes the main features and benefits of the NetScreen Redundancy Protocol (NSRP) version 2. NSRP is the name given to the set of protocols, features and tools that NetScreen devices use to achieve High Availability. The NSRP v2 protocol will be supported on NetScreen s security systems: the NetScreen-1000 and the NetScreen-500. The existing NSRP protocol will continue to be supported on the NetScreen-100. NetScreen s Approach NetScreen has delivered some of the industry s highest performance firewall/vpn solutions. NetScreen now takes another leadership position by providing one of the industry s most comprehensive solutions for HA and scalable bandwidth within the network s security layer. Within NetScreen ScreenOS, the firmware that powers the NetScreen Security Systems and Appliances, NetScreen has developed a suite of protocols and tools that empower next generation network architects with the best HA and scalability solution available. Key Points NetScreen has focused on these three areas of design for NSRP v2: Resilience Designed for environments where the goal is maximum uptime on production networks Even during two, opposite path points of simultaneous failure Scalable Performance - The clustering of NetScreen systems to secure multiple gigabit throughput Sophisticated, yet easy to use Management - Changes propagate across the entire cluster configuration and reporting provided by WebUI, CLI, NetScreen-Global PRO, SNMP, Syslog Resilience NSRP, combined with redundancy in the surrounding networking devices, enables the security layer in the network to be very resilient, operating with five 9s (99.999%) uptime. This is achieved in the following manner: Redundancy for Stateful Connections NSRP ensures the network security function never disappears, regardless of the types of failures that may occur. NSRP was designed to maintain the secure flow of traffic through a redundant network even in the unlikely event of two simultaneous device failures on opposite sides of the network. An example is depicted below in Figure 1. Figure 1: Active Connections Maintained During a Simultaneous, Two Device Failure Copyright 2001 NetScreen Technologies Inc. 3

In such an event, active connections through the NetScreen device will not be lost because NSRP synchronizes all necessary session state information from one NetScreen device to its Mirror. This includes all established IPSec Security Associations (SAs) and keying material so even site-to-site and remote access VPN connections will be maintained during a failover event. Policies and configurations are also synchronized across the NSRP Cluster so each device in the cluster knows the job it is to perform should it become a Master. Leaderless Clustering with No Common Resource No one element within an NSRP Cluster is a single point of failure. Devices share no common resources, no special switching apparatus, no fixed brain of the operation. On the contrary, each individual device holds all that will be needed to fulfill the duty of the cluster on its own. It is true that at any point in time there will be a Master for a given backup group. But that Master has no special characteristics other than being configured with the best preferences and all its Path Monitors are reporting solid health in the surrounding network. That Master can be lost at any point, and another in the cluster will immediately pick up its role and continue to process the active connections appropriately. Sub-second Failover NSRP enabled devices can register a failure, react, and the Primary Backup device can commence processing active connections in one second or less. This is achieved for failures where the Master can alert the rest of the NSRP cluster and step down. An example of such a failure is the loss of Ethernet link connectivity on a monitored interface, either due to a cable failure, NetScreen port failure, or adjacent device failure. Highly configurable Path Monitoring features also allow NetScreen devices to detect failures in the surrounding network and take corrective action immediately. Path Monitors can be set to detect datalink (Layer 2) failures in Ethernet connectivity or network (Layer 3) failures in IP connectivity. Administrators can tune the definitions of failure as appropriate for their networks. Once failure thresholds have been triggered, a failover event will occur. Path Monitoring s ability to actively assess the health of the surrounding environment provides a critical first step to minimizing network downtime. In addition, the master election process in a backup group will pre-elect a Primary Backup. By preelecting the new master before a failover event actually occurs, the time required to failover is only slightly longer than the time required to detect the master s ineligibility. Detection and recovery can be anywhere from less than one second, if a Master voluntarily relinquishes its role, to just over a second, if a Master fails without notifying the group and the thresholds are set to their minimums. Administrators can further engineer the expected failover time by altering heartbeat intervals and failure thresholds. Full Mesh Topology, Redundant Physical Paths Even with sub-second failover a network architect still wants to avoid device-to-device failover whenever possible. NSRP v2, combined with the redundant physical port options on NetScreen-1000 and NetScreen-500 systems, allows network operators to provide redundant physical paths through ingress and egress switching fabrics. When NetScreen devices are connected to switching fabrics using only one link each, a failure in the switching fabric, or the connectivity to it, necessitates a failover between the NetScreen devices, leaving one device operational. Such an example is shown below in Figure 2 and Figure 3. Copyright 2001 NetScreen Technologies Inc. 4

Total Throughput up to 4 Gbps Processed by Processed by Figure 2: Up to 4 Gbps Total Throughput using Active/Active and Single Links Total Throughput up to 2 Gbps Figure 3: Throughput Halved During Switch Failure in Single Port Topology Using redundant links in NSRP v2, both NetScreen devices will remain active and functional when a device, cable, or port in the adjacent switching fabrics fails. In Figure 4, has failed. Using Path Monitoring, the bottom NetScreen device,, detects the loss of Ethernet link on its lower port, the one hosting the connection to. Knowing that its link on the upper port, connecting it to, is operational, it immediately begins using this second port to send and receive traffic associated with its virtual interfaces. By simply choosing the backup port, remains active in processing its share of the network load, and network performance continues without degradation, as long as can handle the total bandwidth. With the ability to use redundant physical interfaces, NSRP ensures all NetScreen devices continue their work of enforcing network security and maintaining optimal throughput even when failures in the surrounding topology occur. Copyright 2001 NetScreen Technologies Inc. 5

Total Throughput = 4 Gbps Figure 4. Failure with Dual Physical Ports in a Mesh Topology With dual physical ports in a mesh topology, if an adjacent link or device fails, the backup link is used and full throughput is maintained. Scalable Performance NSRP provides total resilience to the security solution, and does so without sacrificing speed and throughput in high performance, high bandwidth networks. In fact, NSRP s design allows for scalable throughput in the security layer of the network by using clustering features. Active/Active In NSRP v2 NetScreen devices may be run in Active/Active load sharing mode. In the previous NSRP implementation each NetScreen device could only participate in one redundancy group at a time. Thus, with a two device group, the device operating as master would be actively processing all the production traffic, while the backup device remained a hot stand-by, poised to take over if needed, but not sharing any of the processing burden. This mode of operation is called Active/Passive (See Figure 5). Active Master 10.1.1.1 All hosts use 10.1.1.1 as their default gateway. Backup 10.1.1.1 Figure 5: Active/Passive Configuration Active/Passive configuration protects against all single points of failure, however all network traffic is borne by one device. NSRP now allows for a single device to operate in multiple backup groups (called a VSD group) simultaneously. Each device may act as a Master in one backup group, while simultaneously serving as a backup in others. The network would then be engineered so that half of the protected hosts use as their default gateway while the other half use as their default gateway. In this way, the two devices will both be processing active network traffic load at the same time. Copyright 2001 NetScreen Technologies Inc. 6

Active Master VSD 1 10.1.1.1 Backup VSD 2 Half the hosts use (10.1.1.1) as their default gateway,while the remaining half use (10.1.1.2) Active Master VSD 2-10.1.1.2 Backup VSD 1 Figure 6: Active/Active Configuration Active/Active configurations allow for the network traffic load to be shared across multiple devices. Half the devices use (10.1.1.1) as their default gateway, while the remaining half uses (10.1.1.2). Performance Gains Since NetScreen devices may be run in Active/Active mode the network security layer may now be scaled to achieve linear throughput gains. Adding another NetScreen device and configuring the cluster to operate in Active/Active fashion will lead to a significant bandwidth increase. 2 Gbps Load Balancing Switches Load Balancing Switches 2 Gbps 2 Gbps NS3 NS 4 2 Gbps Figure 7: Four NetScreen-1000 Systems Running Active/Active Provides 8 Gbps Using Active/Active, adding a 3 rd and 4 th NetScreen device raises the total security capacity from 4 to 8 Gigabits per second. Load balancing switches may be used to ease the effort of distributing traffic across all four devices. In Active/Passive configuration the maximum bandwidth possible for the security layer is equal to the maximum bandwidth potential of a single device. While NetScreen-1000 devices perform stateful inspection access control at a full 2 Gbps (700 Mbps for the NetScreen-500), many sites still need faster throughput. With Active/Active configuration, each device added offers its full bandwidth potential. As long as the total allowable capacity parameters are not exceeded (for example, the total session count across the Mirror pair does not exceed 500,000, which is the single device maximum for a NetScreen-1000), an additional NetScreen device can be added to a cluster Group and provide significant throughput gains. Load Sharing & Load Balancing Load sharing refers to the ability for two devices to somehow split the traffic load so that both are simultaneously contributing to the cause (Active/Active configuration). At any given time the distribution Copyright 2001 NetScreen Technologies Inc. 7

will most likely not be equal, unless specific engineering pains have been taken to make it equal. The distribution in load sharing may vary over time samples. It may be something like 70/30 or 60/40 or 50/50, depending on the network implementation and use patterns at the time of measurement. Load balancing, on the other hand, can be more technically advantageous than load sharing. Load balancing aims to distribute the processing load as evenly as possible across all the available devices at all times. If, for example, four NetScreen devices exist in the security layer and process an average of N connections per second, load balancing seeks to constantly maintain an allocation of N/4 concurrent connections per second to each NetScreen device. Master VSD 1 Backup VSD 2 Load Balancing Switches LB1 MasterVSD 2 Backup VSD 1 Load Balancing Switches LB3 LB2 Master VSD 3 Backup VSD 4 NS3 Master VSD 4 Backup VSD 3 LB4 NS 4 Figure 8: Load Balancing NetScreen Systems Load balancers sandwich a set of four NetScreen devices, evenly distributing the connections between them. Briefly explained, a set of load balancing switches makes (in this case) four NetScreen devices look like one device to both the outside and inside world. When the load balancers see a new connection they will use a distribution algorithm to decide which NetScreen device will receive the packet. Once the NetScreen device has processed the packet against the configured policy set, if permitted, the packet will be sent into the inside set of load balancing switches. Both the outside and inside load balancing devices will record the source/destination pair of the connection, and the port to which they forwarded the traffic, to ensure that the connection s response packets and subsequent packets follow the same return path. With NSRP v2, security load-balancing is no longer connectionless; the solution can be architected to preserve connections during a failover event. Sophisticated, yet easy to use Management High availability architectures add another layer of complexity to the already challenging task of managing network security solutions. The management tools of the products employed should ease the learning curve. Redundancy solutions must also provide instant and useful notifications when the cluster status changes, alerts that simplify an administrator s job of quickly identifying and resolving issues. NSRP contains such ease of use, monitoring and troubleshooting tools. Easy to Use Interface Options NSRP configuration and controls are all available from the graphical, point-and-click NetScreen ScreenOS WebUI, an HTML based management console accessible from any standard browser. Seeing the configuration options laid out in graphical format eases the implementation of the administrator s network design. However, some administrators work more fluidly on a Command Line Interface (CLI). Since the NetScreen ScreenOS CLI constitutes the foundation of commands from which all configuration scripts are produced, all NSRP options and actions may be accessed from within the CLI. The CLI also provides Copyright 2001 NetScreen Technologies Inc. 8

several troubleshooting levels that allow administrators to watch all NSRP activity as they occur in realtime. Secure Remote Management, Reporting and Alarming NSRP v2 contains a full suite of private MIB objects for retrieving counters using SNMP and detailed messages for export to Syslog. Examples of logged events include counters that increment each time a device transitions to a specific state (like Master or Inoperable), encounters a conflict for Master or Primary Backup status, or fails to receive a Hello message from a partnering device. Together the counters, event messages, and alarms form a powerful set of data for alerting to and resolving issues. As with all NetScreen ScreenOS, any of the above methods of management may be accessed remotely and securely. Any method may be sent through an IPSec tunnel. In addition, the WebUI may be accessed using SSL and the CLI may be accessed using Secure Command Shell, which is ssh v1 compliant. Summary Increasingly, successful service providers and large enterprises are looking to leverage the public Internet to provide more value added services to their customers, and to gain more cost-effective business communications. Increased usage has lead to Internet connectivity at speeds of 1 Gbps and greater. Securing any Internet accessible network is essential, and even more so in those operating revenue generating services. A well designed security solution for these demanding networks is one that provides security, complete redundancy, and scalable performance, all with exceptional ease of management. NetScreen s line of purpose-built, security hardened products deliver unparalleled, single-device performance. With NSRP v2, as part of the NetScreen ScreenOS, NetScreen also delivers the components necessary to build and secure and highly available infrastructure. Redundant links for full-mesh topologies, sub-second and stateful failover, Path Monitoring and a secured control protocol all join to provide complete resilience for the security layer. Scalable performance is delivered with Active/Active load sharing that yields significant efficiencies. SNMP MIBs and event messages, and large scale, secure remote management work together to create a solution that is easy to implement, manage, and monitor. By providing an integrated solution for VPN and firewall, then tying it all together with the HA tools found in NSRP v2, NetScreen devices are uniquely suited to enable resilient, scalable, easy to manage, and totally secure network infrastructures. Copyright 2001 NetScreen Technologies Inc. 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information