Networking and High Availability



Similar documents
Networking and High Availability

How To Protect Your Web Applications From Attack From A Malicious Web Application From A Web Attack

Scalable. Reliable. Flexible. High Performance Architecture. Fault Tolerant System Design. Expansion Options for Unique Business Needs

Scalable. Reliable. Flexible. High Performance Architecture. Fault Tolerant System Design. Expansion Options for Unique Business Needs

White Paper. Protecting Databases from Unauthorized Activities Using Imperva SecureSphere

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

How To Configure The Fortigate Cluster Protocol In A Cluster Of Three (Fcfc) On A Microsoft Ipo (For A Powerpoint) On An Ipo 2.5 (For An Ipos 2.2.5)

Superior Disaster Recovery with Radware s Global Server Load Balancing (GSLB) Solution

AppDirector Load balancing IBM Websphere and AppXcel

DATA CENTER. Best Practices for High Availability Deployment for the Brocade ADX Switch

CCNP SWITCH: Implementing High Availability and Redundancy in a Campus Network

High Availability. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

Radware s AppDirector and Microsoft Windows Terminal Services 2008 Integration Guide

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Load Balancing 101: Firewall Sandwiches

Deploying the Barracuda Load Balancer with Office Communications Server 2007 R2. Office Communications Server Overview.

Automated Mitigation of the Largest and Smartest DDoS Attacks

Radware s AppDirector and AppXcel An Application Delivery solution for applications developed over BEA s Weblogic

Coyote Point Systems White Paper

WHITE PAPER MICROSOFT LIVE COMMUNICATIONS SERVER 2005 LOAD BALANCING WITH FOUNDRY NETWORKS SERVERIRON PLATFORM

A New Approach to Developing High-Availability Server

Break Internet Bandwidth Limits Higher Speed. Extreme Reliability. Reduced Cost.

An Oracle White Paper June Oracle Database Firewall 5.0 Sizing Best Practices

High Availability. FortiOS Handbook v3 for FortiOS 4.0 MR3

5 Easy Steps to Implementing Application Load Balancing for Non-Stop Availability and Higher Performance

Application Delivery Controller (ADC) Implementation Load Balancing Microsoft SharePoint Servers Solution Guide

Availability Digest. Redundant Load Balancing for High Availability July 2013

Load Balancing ContentKeeper With RadWare

Layer 3 Redundancy with HSRP By Sunset Learning Instructor Andrew Stibbards

Broadband Bonding Network Appliance TRUFFLE BBNA6401

FlexNetwork Architecture Delivers Higher Speed, Lower Downtime With HP IRF Technology. August 2011

GLOBAL SERVER LOAD BALANCING WITH SERVERIRON

NSFOCUS Web Application Firewall

IP SAN Best Practices

Configuring Oracle SDN Virtual Network Services on Netra Modular System ORACLE WHITE PAPER SEPTEMBER 2015

FatPipe Networks

Avaya P333R-LB. Load Balancing Stackable Switch. Load Balancing Application Guide

TESTING & INTEGRATION GROUP SOLUTION GUIDE

High Availability. PAN-OS Administrator s Guide. Version 7.0

Astaro Deployment Guide High Availability Options Clustering and Hot Standby

RESILIENT NETWORK DESIGN

Barracuda Link Balancer

Networking Topology For Your System

Netsweeper Whitepaper

INTEGRATING FIREWALL SERVICES IN THE DATA CENTER NETWORK ARCHITECTURE USING SRX SERIES SERVICES GATEWAY

Outline VLAN. Inter-VLAN communication. Layer-3 Switches. Spanning Tree Protocol Recap

Secure Web Appliance. Reverse Proxy

Layer 4-7 Server Load Balancing. Security, High-Availability and Scalability of Web and Application Servers

Application Note Gigabit Ethernet Port Modes

Truffle Broadband Bonding Network Appliance

EXINDA NETWORKS. Deployment Topologies

Load Balancing for Microsoft Office Communication Server 2007 Release 2

Imperva s Response to Information Supplement to PCI DSS Requirement Section 6.6

SURF Feed Connection Guide

ZEN LOAD BALANCER EE v3.02 DATASHEET The Load Balancing made easy

CompTIA Exam N CompTIA Network+ certification Version: 5.1 [ Total Questions: 1146 ]

White Paper. Complementing or Migrating MPLS Networks

Voice over IP- Session Initiation Protocol (SIP) Load Balancing in the IBM BladeCenter

ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy

Broadband Bonding Network Appliance TRUFFLE BBNA6401

Deployment Guide May-2015 rev. a. APV Oracle PeopleSoft Enterprise 9 Deployment Guide

Installation Guide for. 10/100 to Triple-speed Port Aggregator. Model TPA-CU Doc. PUBTPACUU Rev. 1, 12/08. In-Line

Fail-Safe IPS Integration with Bypass Technology

CounterACT 7.0 Single CounterACT Appliance

Total Business Continuity with Cyberoam High Availability

How To Load Balance On A Cisco Cisco Cs3.X With A Csono Css 3.X And Csonos 3.5.X (Cisco Css) On A Powerline With A Powerpack (C

Microsoft Lync Server Overview

Canadian Securities Exchange enhances Trading Network by adding a FIX Protocol Router Appliance

Best Practices: Pass-Through w/bypass (Bridge Mode)

SECURE WEB GATEWAY DEPLOYMENT METHODOLOGIES

Transparent Cache Switching Using Brocade ServerIron and Blue Coat ProxySG

Volume GAJSHIELD INFOTECH PVT LTD. Wan Failover & Load Balancing. Administrative Guide

Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2

SiteCelerate white paper

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Juniper Networks EX Series/ Cisco Catalyst Interoperability Test Results. May 1, 2009

Lab 5 Explicit Proxy Performance, Load Balancing & Redundancy

Configuring IPS High Bandwidth Using EtherChannel Load Balancing

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL

Data Sheet. V-Net Link 700 C Series Link Load Balancer. V-NetLink:Link Load Balancing Solution from VIAEDGE

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

This How To Note describes one possible basic VRRP configuration.

High Availability Solutions & Technology for NetScreen s Security Systems

Implementing Microsoft Office Communications Server 2007 With Coyote Point Systems Equalizer Load Balancing

SonicOS Enhanced Release Notes

Application Note. Active Directory Federation Services deployment guide

Panorama High Availability

Flexible Routing and Load Control on Back-End Servers. Controlling the Request Load and Quality of Service

The Application Front End Understanding Next-Generation Load Balancing Appliances

axsguard Gatekeeper Internet Redundancy How To v1.2

White Paper: Broadband Bonding with Truffle PART I - Single Office Setups

Web Application Firewall

Purpose-Built Load Balancing The Advantages of Coyote Point Equalizer over Software-based Solutions

10 Things Every Web Application Firewall Should Provide Share this ebook

Barracuda Load Balancer Online Demo Guide

Cisco AnyConnect Secure Mobility Solution Guide

Transcription:

yeah SecureSphere Deployment Note Networking and High Availability Imperva SecureSphere appliances support a broad array of deployment options, enabling seamless integration into any data center environment. SecureSphere can be configured as a transparent bridge or a non-inline network monitor (sniffer). In addition, the SecureSphere Web Application Firewall supports reverse proxy and transparent proxy deployment. Because of this flexibility, customers can roll out comprehensive application-level security without changing their data center infrastructure. There is no need to reconfigure IP addresses, routing schemes, or applications allowing SecureSphere to easily drop into any network. The SecureSphere appliances protect critical business applications and database servers. Therefore, high availability is an essential customer requirement. To meet this requirement, Imperva offers a range of options that ensure business continuity and application availability. This deployment note describes several networking scenarios and the corresponding high availability configurations for each scenario, including: Transparent Bridge Configuration Active-Passive Failover in a Redundant Architecture Active-Active Failover in a Redundant Architecture Fail-open Architecture Active-Passive and Active-Active Failover with IMPVHA Protocol Link Aggregation Network Monitor (Sniffer) Configuration Non-Inline Deployment Non-Inline with Redundant Gateways Transparent and Reverse Proxy Configurations (Web Application Firewall only) Load Balancer Integration Active-Passive Failover This note also describes the criteria customers can use to determine the best network and high availability configuration for their environment.

Transparent Bridge Configuration Active-Passive Failover in a Redundant Architecture In this scenario, two SecureSphere gateways are deployed in an existing highly available architecture. Since each SecureSphere gateway is configured as a layer 2 bridge, any failure to SecureSphere appears to the network simply as if a switch port has failed. Connected devices would recognize that the SecureSphere gateway was not reachable and would automatically redirect traffic around it. Data inspection and analysis is performed through a powerful Transparent Inspection engine, so SecureSphere does not need to terminate or rewrite HTTP requests. TCP connections are negotiated directly between the client and the back-end server. Therefore, a failover event does not disrupt TCP connections or affect user sessions. Active-Active Failover in a Redundant Architecture In this deployment scenario, redundant SecureSphere gateways are again deployed in an existing highly available architecture. The only difference is that both gateways transmit traffic simultaneously. Since SecureSphere is configured as a layer 2 bridge, any failure to SecureSphere appears to the network simply as if a switch port has failed. Connected devices would recognize that the SecureSphere gateway was not reachable and would automatically redirect traffic around it. As a bridge, SecureSphere transparently inspects traffic without terminating TCP connections. So a failover event does not affect user sessions or disrupt TCP connections between the web or database server and the client. Since one SecureSphere gateway has failed, total network capacity will be reduced until the failure is corrected. Imperva Page 2

Fail-open Architecture Fail-open bridge configuration preserves uptime without the cost or management effort of building a redundant architecture. In this scenario, SecureSphere is deployed inline in front of the protected application servers. In the event of a software, hardware, or power failure, SecureSphere s specialized network interface card will detect the failure and physically complete the connection through the SecureSphere gateway. The NIC card will fail open in milliseconds, minimizing network downtime. However, application servers will not be monitored or protected from attacks until the SecureSphere gateway resumes operations. Active-Passive and Active-Active Failover with IMPVHA Protocol Imperva developed a proprietary redundancy protocol for environments that do not have a redundant network architecture and Spanning Tree Protocol (STP) cannot be implemented. For some customers, STP convergence times may be unacceptably long or STP may conflict with existing protocols, such as Rapid Spanning Tree Protocol. For these situations, the Imperva High Availability (IMPVHA) protocol is the ideal solution. With IMPVHA, two SecureSphere gateways can be configured as layer 2 bridges in either active-passive or active-active mode. The configuration and failover mechanism is similar to VRRP, except that when a failover occurs, the backup device informs connected devices to redirect traffic via ARP requests rather than assuming the primary device s IP address. When an IMPVHA pair is deployed, the backup gateway will send periodic loopcheck broadcast messages. If no response is received within the configurable failover time (default is 0.5 seconds), the backup gateway will become active. Since a SecureSphere gateway supports two bridges through its four network interface cards, it is possible to configure one bridge as the IMPVHA primary for one network and the second bridge as a backup for another network. In this configuration, two SecureSphere gateways can support an active-active failover configuration. Imperva Page 3

Link Aggregation One or more SecureSphere gateways can support link aggregation. For example, two interfaces on a SecureSphere gateway can be connected to two interfaces on a network load balancer. Traffic can pass through both connections. For example, uplink traffic can travel through the first interface card while downlink traffic goes through the second interface card. In bridging mode, each SecureSphere gateway includes four network interfaces for application security. So it is possible to aggregate traffic through two connections. If the load balancer has 100Mbps Fast Ethernet interfaces, then aggregating links can also increase total throughput. Even if the traffic is split between the two segments, SecureSphere can accurately inspect all traffic and block attacks. If an Ethernet cable is disconnected or a network interface fails, then traffic will continue to be forwarded through the active link on the SecureSphere gateway. Imperva Page 4

Network Monitor Configuration Non-inline Deployment Configuring SecureSphere as a network monitor enables organizations to protect critical servers without introducing a new point of failure. It is a lower price alternative to deploying to or more redundant SecureSphere gateways. To deploy SecureSphere as a network monitor, connect it to an open SPAN port or a network TAP to observe traffic. A second connection to an active port on the switch allows SecureSphere to block malicious connections by sending TCP resets to both the server and the client involved in the session. In the event of a SecureSphere gateway failure, network traffic is unaffected. However, traffic will not be monitored or protected until the SecureSphere gateway becomes operational again. Non-inline with Redundant Gateways For some organizations, it may be imperative to monitor and audit all Web or database traffic without disruption. These organizations can deploy multiple SecureSphere gateways in non-inline mode. If one of the gateways fail, the other gateway will continue to monitor and record traffic. In this configuration, each gateway should be managed by a separate MX Management Server or by using the integrated software management option. Imperva Page 5

Transparent and Reverse Proxy Configurations (Web Application Firewall only) SecureSphere is often deployed as a direct replacement for legacy reverse proxy appliances. In most cases, customers choose to configure SecureSphere as a bridge because it fits into the existing architecture and reduces the operational burden associated with Web proxies. However, in some cases, customers deploy SecureSphere as in proxy mode to meet architectural requirements or for content modification. The SecureSphere Web Application Firewall supports both reverse proxy and transparent proxy configurations. Both proxy configurations offer content modification, including cookie signing and URL rewriting. Transparent proxy mode enables transparent deployment without network or DNS changes. Load Balancer Integration In proxy mode, one or more SecureSphere gateways are deployed as either a reverse proxy or a transparent proxy. A load balancer balances the traffic between the gateways and the gateways forward the traffic to the Web servers. It s possible to configure load balancer to work in active-active or active-passive modes. In this mode, the IP address of the Web site resolves to the SecureSphere gateway s IP address. If SSL is used, then the gateway should be configured to terminate the SSL connection. Note that in proxy mode, SecureSphere establishes a new connection to the Web server on behalf of the client. Active-Passive Failover VRRP also provides redundancy for two or more SecureSphere gateways configured as reverse or transparent proxies. In this deployment scenario, two SecureSphere gateways are deployed as proxies. The gateways are configured as a VRRP pair (Virtual Router Redundancy Protocol). When the active SecureSphere gateway becomes unavailable, the passive gateway assumes the IP address of the failed gateway and becomes active. Imperva Page 6

Summary of Network Configuration Modes The best-in-class SecureSphere application security appliances support a wide array of deployment options. SecureSphere customers can select the best deployment scenario based on their network, high availability and ongoing maintenance objectives. So which configuration mode would best suit your needs? That depends on your data center architecture, your business applications, and your performance and operational requirements. For example, if you wish to encrypt cookies or rewrite URLs, you can configure SecureSphere as a proxy. If line speed performance and zero impact deployment are important, then deploy SecureSphere as a layer 2 bridge. The table displayed below describes which network configuration mode you should choose based on your existing network infrastructure and applications and your performance and high availability requirements. Configuration Mode When to Use Bridge When transparent deployment is required Provides drop-in installation Layer 2 operation is transparent to most networks and applications For high performance environments Proxy For seamless replacement of legacy application proxy deployments, cookie signing, and URL rewrite Transparent proxy option for content modification with no network changes Network Monitor For risk-free evaluation and pilot projects To avoid adding new devices to the network The appliance is not inline and won t impact the network When only monitoring and reporting functions are needed 3400 Bridge Parkway, Suite 200 Redwood Shores, CA 94065 Tel: (650) 345-9000 Fax: (650) 345-9004 2010 Imperva, Inc. All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva, Inc. Dynamic Profiling is a trademark of Imperva, Inc. All other brand or product names are trademarks or registered trademarks of their respective holders. Imperva Page 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information