White Paper
Load Balancing in GateDefender Performa

The information contained in this document represents the current view of Panda Software International, S.L. on the issues discussed herein as of the date of publication. This document is for information purposes only. Panda Software International, S.L. makes no warranties, express or implied, in this document.

Complying with applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or inserted into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) or for any purpose, without the express written permission of Panda Software, S.L.

Panda Software International, S.L. may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Panda Software S.L., the furnishing of this document does not give any license to these patents, trademarks, copyrights or other intellectual property.

Panda Software International, S.L. 2005. www.pandasoftware.com
Contents

1. Introduction ... 2
1.1 Document objective ... 2
1.2 Target readership ... 2
1.3 Executive Summary ... 2
2. Definitions ... 2
2.1 Load balancing ... 2
2.2 High availability ... 3
3. GateDefender Performa Operation ... 3
3.1 Increasing performance: Scalability ... 3
3.2 Service guarantee ... 3
3.3 Load balancing in GateDefender Performa ... 4
3.3.1 Automatic recognition between devices ... 5
3.3.2 Load distribution ... 6
3.4 High availability in GateDefender Performa ... 7
3.4.1 Heartbeats ... 7
3.4.2 STP ... 7
3.4.3 Failure of master ... 7
3.4.4 Failure of a slave ... 8
3.5 Installation and configuration ... 9
4. Performance tests ... 10
5. Characteristics of a load balancing system ... 12
6 Glossary of technical terms ... 13
7 Glossary of abbreviations ... 13

Graphs

Figure 1. Diagram of internal operation of two load balancing devices ... 5
Figure 2. High availability with various GateDefender Performa ... 8
Figure 3. Installation of load balancing GateDefender Performa unit ... 9
Figure 4. HTTP results. Transactions / second metrics. GateDefender Performa 8100 against Baseline ... 10
Figure 5. Effect in the load balancing transactions / second metrics for 2 GateDefender Performa 8100 ... 11
Figure 6. Effect in the load balancing transactions / second metrics for 4 GateDefender Performa 8100 ... 12

Copyright 2004 Panda Software S.L. All rights reserved. This document is for informational purposes only.
1. Introduction

1.1 Document objective

This document explains load balancing and high availability concepts for hardware devices, and their operation and configuration for the GateDefender Performa 8000 series.

1.2 Target readership

The content of this document is designed for technical personnel, network administrators, systems administrators, etc. of companies whose network carries a high level of traffic, either from web browsing or from e-mail volume, and which therefore need to guarantee protection through GateDefender Performa under conditions beyond standard ones.

1.3 Executive Summary

Panda GateDefender Performa supports native load balancing and automatic configuration to offer users high availability of services. The system administrator only has to activate load balancing operation, and the GateDefender Performa units take care of the remaining actions, such as role configuration, intelligent load distribution, etc. The performance obtained when connecting several load balancing units grows almost linearly with the number of units connected.

2. Definitions

2.1 Load balancing

Load balancing consists in installing several hardware devices in parallel so that they share the work between them and thereby guarantee high availability of the services rendered by the devices. There are different methods to implement load balancing between devices, depending on the configuration each manufacturer includes in their hardware devices:

Using load balancing hardware
This consists in separately acquiring a specific device to bring together other devices which, by default, are not capable of performing load balancing. These hardware load balancing devices are normally very expensive, and this cost needs to be added to that of the devices which provide the service.

Balancing with software
There are programs capable of load balancing between hardware devices. This balancing solution is more economical than the hardware solution. However, it still means an investment in hardware, since the balancing program needs to be installed on a computer or network server. In addition, since they are generic programs, installation and configuration time are factors to be considered.

Native load balancing
Some hardware devices offer native load balancing, in other words independently, without the need for additional software or hardware. This greatly reduces the cost of load balancing, in both budget and configuration time. GateDefender Performa includes this option in all the 8000 series models. Native load balancing is also automatic in GateDefender Performa, which means the administrator does not need to configure anything, since the devices do this automatically.
2.2 High availability

High availability is a direct consequence of good load balancing. It consists in knowing for certain that the system and the services which the devices offer will not be affected by problems such as a sudden increase in traffic, or by any of the devices accidentally stopping and interrupting the services offered up to that point.

3. GateDefender Performa Operation

It is possible to install more than one GateDefender Performa in parallel in order to achieve greater performance and high availability. No additional hardware or software device is necessary to install a load balancing system with several GateDefender Performa devices. Start-up is very straightforward, as hardly any configuration is required by the user. Once the devices have been connected adequately, the load balancing system starts operating automatically.

To interconnect the GateDefender Performas in parallel, any type of local network concentrator can be used, either switches or hubs, although the use of switches is highly recommended as these devices produce fewer collisions than hubs. No specific or third-party hardware or software needs to be used.

3.1 Increasing performance: Scalability

The use of multiple GateDefender Performas helps to increase performance and processing capacity. If processing needs grow, for example due to a rise in the number of users or an expansion in connection bandwidth resulting from business mergers or growth, simply increase the number of GateDefender Performas used. Consequently, GateDefender Performa adapts to any type of company, whatever its size and its perimeter protection needs. As will be seen below, the performance obtained by using more than one GateDefender Performa increases almost linearly.

3.2 Service guarantee

Apart from improving performance, another advantage of installing several load balancing GateDefender Performa units is to guarantee network connectivity in case of the failure or collapse of one of the units. The GateDefender Performa units which make up the load balancing system distribute the scanning work between them. Likewise, if one of the units stops working, the rest will automatically take over its work, thereby guaranteeing availability and avoiding service interruption.
3.3 Load balancing in GateDefender Performa

Load balancing consists in sharing out the work between the different GateDefender Performa units installed. Each unit can assume one of two roles: master or slave.

Master functions:
- It decides which GateDefender Performa is responsible for processing a given connection. The master GateDefender Performa implements a load balancing algorithm to redirect connections to the different slave units in order to balance the system load.
- It also scans connections itself, as well as distributing the load.
- It lets traffic of the protocols that the administrator decides not to scan pass transparently.
- It provides the outlet for the malware-free traffic received from the slave units.
- It controls the availability of the slave units by listening to the messages or heartbeats which they send it periodically.

Slave functions:
- It scans the connections redirected by the master, returning malware-free traffic to the master.
- It does not let traffic pass. It only responds to requests from the master GateDefender Performa.

Only one of the units will assume the role of master. The rest of the GateDefender Performa devices will assume the role of slave. This assignment of roles is automatically negotiated between the connected devices, without any user intervention. From the GateDefender Performa console it is possible to see all the units that make up the load balancing system as well as their individual operation mode.

When several GateDefender Performas are installed in parallel, the negotiation of the role or operation mode of each of them begins automatically. If a new device is subsequently added, the operation modes will be automatically negotiated once more.

The only GateDefender Performa that truly acts as a bridge is the one operating as the master. The slave devices only respond to the requests of the master and do not allow the passage of any connections received or intercepted that do not come from the master.
The following figure shows an outline of the internal operation of two load balancing GateDefender Performa units.

Figure 1. Diagram of internal operation of two load balancing devices

3.3.1 Automatic recognition between devices

When GateDefender Performas are connected in parallel and load balancing is activated, the search for new GateDefender Performas begins, together with the negotiation of the role or operation mode each one will have. The time it takes to complete this operation and begin normal operation of the load balancing system is 12 seconds.

This process is performed by means of STP (Spanning Tree Protocol), which is specified by the IEEE in the 802.1D standard [1]. The following functions are carried out through this protocol:

- Detecting / finding other GateDefender Performas installed in parallel.
- Determining which unit is the master and which are the slaves.
- Detecting when another unit becomes the master.

All the devices periodically exchange STP BPDU packets which include, among other things, the MAC (Medium Access Control) address of each unit installed in parallel. These packets enable the slaves to find out which is the master unit, and the master to find out which slave units are available [2].

If a new GateDefender Performa is connected, the roles of each unit will be automatically reconfigured or renegotiated as soon as its presence is detected. As a result, the new GateDefender Performa can become a slave or the new master.

3.3.2 Load distribution

The master GateDefender Performa implements a load balancing algorithm and becomes responsible for sharing out and redirecting the connections to the different slave GateDefender Performa units. The algorithm used is weighted round-robin. The weights used in the load balancing algorithm are static and vary according to the model (8100, 8200) in order to adapt better to the needs of each network. The master GateDefender Performa distributes the connections between the slaves but also processes and scans some connections itself.

The master is aware of the load index of the slaves through the heartbeats it receives from them. The slaves periodically send the master heartbeats which include their load index [3]. Apart from informing the master of the availability of the slaves, these heartbeats also make it aware of the load index of each slave at that particular moment.

The only GateDefender Performa that truly acts as a bridge is the one operating as the master. The slave GateDefender Performas only respond to the requests of the master and do not allow the passage of any connections received or intercepted that do not come from the master.

When a frame belonging to a new connection arrives, the master decides which GateDefender Performa will process this connection, either itself or one of the slaves. If it is a slave, the master is responsible for encapsulating the frames of the original connection and redirecting them to the slave which will process it [4]. The slave decapsulates the frames received from the master and processes the original connection. Once the connection has been processed, the slave encapsulates the resulting frames again and sends them to the master. These frames are now malware-free traffic. When the master receives the slave frames, it decapsulates them in order to pass them to the network as clean traffic.

If a connection should not be scanned because its protocol has not been selected, the master will let it pass without redirecting it to the slaves.

[1] STP is a level 2 protocol (ISO/OSI model) designed for bridges and switches. STP communication occurs by sending multicast frames at level 2 (Ethernet). These frames are called BPDUs (Bridge Protocol Data Units). To find out the availability of the slaves, heartbeats or activity pulses not belonging to the STP protocol are used. These are looked at later on in this document.
[2] RARP (Reverse Address Resolution Protocol - RFC 2390) is also used to obtain the IP address of each of the devices from its MAC address.
[3] Heartbeats are sent via UDP to port 6694.
[4] Frame encapsulation occurs by means of the EtherIP protocol (RFC 3378), with a slight modification to it.

3.4 High availability in GateDefender Performa

The high availability system implemented is based on the sending of heartbeats and on STP (Spanning Tree Protocol). The heartbeats inform the master of the availability of the slaves; the slaves, in turn, use STP to find out the availability of the master. A series of concepts and data related to high availability are outlined below.

3.4.1 Heartbeats

The slaves send heartbeats to the master every 10 seconds. If the master does not receive a heartbeat from a slave within 30 seconds, that slave is considered missing. When the master determines that a slave has stopped responding, it no longer redirects connections to it. The master also periodically sends heartbeats to the slaves so that they are aware of the master's name. This name is accessible from the slave administration console.

3.4.2 STP

All the units installed in parallel periodically exchange STP BPDU packets which, among other things, include the MAC address of each one. These packets also enable the slaves to know which is the master GateDefender Performa and the master to know which GateDefender Performa slaves are available. If the master fails and stops sending BPDUs, the rest of the units decide which will be the new master device. The time it takes to complete this operation and resume normal operation of the load balancing system is approximately 12 seconds. No connection will be accepted or processed during this time.
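Section 3.3.2 says master and slaves exchange the frames of a redirected connection wrapped in EtherIP. The following Python is an added example, not Panda's code: it implements the standard RFC 3378 header (a 4-bit version field equal to 3 followed by 12 reserved zero bits, carried in IP protocol 97) and the receiver checks the RFC requires, without the undocumented modification the paper mentions. The sample frame bytes are constructed for illustration.

```python
# Added example (not from Panda's product): standard RFC 3378 EtherIP encapsulation
# of an Ethernet frame. SAMPLE_FRAME below is constructed, not captured traffic.
import struct

ETHERIP_VERSION = 3          # RFC 3378: the 4-bit version field must be 3
ETHERIP_IP_PROTOCOL = 97     # IP protocol number assigned to EtherIP
MIN_ETH_FRAME = 14           # dst MAC + src MAC + EtherType, no FCS


class EtherIPError(ValueError):
    """Raised when an EtherIP packet fails the RFC 3378 receiver checks."""


def etherip_encapsulate(frame: bytes) -> bytes:
    """Prepend the 16-bit EtherIP header (version=3, reserved=0) to an Ethernet frame."""
    if len(frame) < MIN_ETH_FRAME:
        raise EtherIPError("frame shorter than an Ethernet header")
    header = struct.pack("!H", ETHERIP_VERSION << 12)   # version in the top 4 bits
    return header + frame


def etherip_decapsulate(packet: bytes) -> bytes:
    """Validate the EtherIP header and return the inner Ethernet frame.

    RFC 3378 requires a receiver to discard packets whose version is not 3 or
    whose reserved bits are non-zero; this check is what keeps a bridge from
    forwarding a malformed tunnel payload onto the LAN as if it were clean traffic.
    """
    if len(packet) < 2 + MIN_ETH_FRAME:
        raise EtherIPError("packet too short to carry an Ethernet frame")
    (header,) = struct.unpack("!H", packet[:2])
    version = header >> 12
    reserved = header & 0x0FFF
    if version != ETHERIP_VERSION:
        raise EtherIPError(f"unexpected EtherIP version {version}")
    if reserved != 0:
        raise EtherIPError("reserved bits set in EtherIP header")
    return packet[2:]


def is_valid_etherip(packet: bytes) -> bool:
    """True if the packet passes the receiver checks, False otherwise."""
    try:
        etherip_decapsulate(packet)
        return True
    except EtherIPError:
        return False


def describe_frame(frame: bytes) -> dict:
    """Pull the addresses and EtherType out of a decapsulated Ethernet frame."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:MIN_ETH_FRAME])
    def fmt(mac: bytes) -> str:
        return ":".join(f"{b:02x}" for b in mac)
    return {"dst": fmt(dst), "src": fmt(src), "ethertype": ethertype,
            "payload_len": len(frame) - MIN_ETH_FRAME}


# Constructed sample: a minimal IPv4 Ethernet frame with a dummy 20-byte payload
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!H", 0x0800) + b"\x45\x00" + b"\x00" * 18)

if __name__ == "__main__":
    tunnelled = etherip_encapsulate(SAMPLE_FRAME)
    print(describe_frame(etherip_decapsulate(tunnelled)))
```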
3.4.3 Failure of master

If the master device fails (this may be due to a software or hardware failure), no new connections will be accepted until another device becomes the master, which prevents malware from entering the network in the meantime.

3.4.4 Failure of a slave

If a slave GateDefender Performa fails, the connections that were being managed by that slave at the time will be lost, but not those of the master or of the rest of the slaves. The master will be responsible for redirecting connections to the alternative devices.

The following figure shows an example of redundancy in a system with several load balancing units.

Figure 2. High availability with various GateDefender Performa
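Sections 3.3.2, 3.4.1 and 3.4.4 together describe the master's scheduling loop: static per-model weights in a weighted round-robin, heartbeats every 10 seconds, a slave marked missing after 30 seconds without one, and its share of new connections then going to the remaining units. The following Python is an added example, not Panda's code, that simulates that behaviour; the weight values, unit names and heartbeat payload are assumptions, since the paper does not publish the real per-model weights.

```python
# Added example, not Panda's code: simulation of the master's connection scheduling
# (weighted round-robin, heartbeat timeout). MODEL_WEIGHTS and names are assumptions.
from dataclasses import dataclass

HEARTBEAT_TIMEOUT = 30    # seconds without a heartbeat before a slave is missing

# Assumed static weights per model (the real per-model weights are not published).
MODEL_WEIGHTS = {"8100": 1, "8200": 2}


@dataclass
class Unit:
    name: str
    model: str
    last_heartbeat: float   # time the master last heard from this unit
    load_index: int = 0     # reported in heartbeats; informational only here

    @property
    def weight(self) -> int:
        return MODEL_WEIGHTS[self.model]


class Master:
    def __init__(self, master: Unit, slaves: list):
        self.master = master
        self.slaves = slaves
        self._cursor = 0   # index into the current pool
        self._credit = 0   # connections already given to pool[_cursor] this turn

    def receive_heartbeat(self, name: str, load_index: int, now: float) -> None:
        # In the product this arrives over UDP/6694 every 10 s; here it is a direct call.
        for slave in self.slaves:
            if slave.name == name:
                slave.last_heartbeat = now
                slave.load_index = load_index

    def missing(self, now: float) -> list:
        return [s.name for s in self.slaves
                if now - s.last_heartbeat > HEARTBEAT_TIMEOUT]

    def available(self, now: float) -> list:
        # The master always scans some connections itself, so it is always in the pool.
        alive = [s for s in self.slaves if now - s.last_heartbeat <= HEARTBEAT_TIMEOUT]
        return [self.master] + alive

    def assign(self, now: float) -> str:
        # Weighted round-robin: each unit gets `weight` consecutive new connections.
        pool = self.available(now)
        self._cursor %= len(pool)          # pool may have shrunk since the last call
        unit = pool[self._cursor]
        self._credit += 1
        if self._credit >= unit.weight:    # this unit has had its share; move on
            self._credit = 0
            self._cursor = (self._cursor + 1) % len(pool)
        return unit.name


def build_cluster() -> Master:
    """Constructed sample: one 8100 master, two 8100 slaves and one 8200 slave."""
    master = Unit("gdp-master", "8100", last_heartbeat=0.0)
    slaves = [Unit("gdp-slave-a", "8100", 0.0),
              Unit("gdp-slave-b", "8200", 0.0),
              Unit("gdp-slave-c", "8100", 0.0)]
    return Master(master, slaves)


def simulate(master: Master, connections: int, now: float) -> dict:
    """Count how many of `connections` new connections each unit receives at time `now`."""
    counts = {}
    for _ in range(connections):
        name = master.assign(now)
        counts[name] = counts.get(name, 0) + 1
    return counts
```

With all four units alive, 40 connections split 8/8/16/8 (the 8200 slave carrying double); once slave a has been silent for more than 30 seconds it drops out of the rotation and its share goes to the others.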
3.5 Installation and configuration

The following figure shows a network diagram with just one GateDefender Performa, and the same diagram with several load balancing GateDefender Performa units.

Figure 3. Installation of load balancing GateDefender Performa units

The slaves do not let traffic enter the network. The only device that really acts as a bridge is the master GateDefender Performa.

Hubs can be used instead of switches for the connection between GateDefender Performa units. However, switches are recommended, as they increase performance by reducing the number of collisions. The use of Gigabit connections is also recommended for the models that support it (8100 and 8200), as is verifying that the ports of the GateDefender Performa units work in Full-Duplex mode, which allows simultaneous bi-directional communication.

The protection configuration of the two load balancing GateDefender Performa units needs to be the same. This can be achieved simply by accessing the configuration of the units which make up the load balancing system from the web console. It is also possible to export the configuration of one device and import it into another so that they are completely the same.
4. Performance tests

In the performance tests carried out, up to 4 load balancing GateDefender Performa 8100 units were installed, with an improvement in performance observed at 1, 2 and 3 load balancing devices. Technically, no maximum theoretical limit was established for the number of GateDefender Performa balancing units that can be connected. Some performance test graphs are shown below.

GateDefender Performa without load balancing

The following graph shows the number of transactions / second (of HTTP web traffic) that GateDefender Performa 8100 is capable of managing. It can be observed that the Panda GateDefender Performa 8100 model is capable of managing more than 700 transactions / second, although in the same situation the number of transactions / second continues to increase.

Figure 4. HTTP results. Transactions / second metrics. GateDefender Performa 8100 against Baseline
Two load balancing GateDefender Performa units

The following graph shows the effect on the number of transactions / second managed correctly in the test environment with 2 load balancing GateDefender Performa 8100 units. It can be observed that whereas a single Panda GateDefender Performa 8100 reaches its saturation level at a little more than 700 transactions per second, 1400 sustained transactions / second are achieved by installing two load balancing units.

Figure 5. Effect on the load balancing transactions / second metrics for 2 GateDefender Performa 8100.
Four load balancing GateDefender Performa units

The following graph shows the effect on the number of transactions / second managed correctly in the test environment with 4 load balancing GateDefender Performa 8100 units.

Figure 6. Effect on the load balancing transactions / second metrics for 4 GateDefender Performa 8100.

5. Characteristics of a load balancing system

The current load balancing and fail-over system has the following characteristics:

- The units should be configured separately, as they are independent devices in the network.
- Separate scan reports can be obtained for each unit.
- Each device is updated independently of the others.
- The status and statistics of the load balancing units are viewed individually.
- Standard interfaces are used for sending the load balancing communication (heartbeats, load sending, etc.), thereby avoiding an increase in product cost.
6 Glossary of technical terms

Appliance.- Any hardware device with one or more specific functionalities. Other synonyms used in this document are unit or device.
Bridge.- Link device between different network sections which avoids unnecessary traffic from one section to another.
Ethernet.- IT network connection method.
Full Duplex.- Data transmission mode through a circuit capable of sending and receiving data simultaneously.
Heartbeat.- Active status signal sent by devices in a network every 10 seconds.
Hub.- Connection device between devices belonging to a network which concentrates the connections between devices and passes the information traffic from one to all the other devices connected.
Malware.- Any type of malicious software (viruses, worms, Trojans, etc.).
Multicast.- Messages aimed at a group of computers in a network.
Round Robin.- Method of managing concurrent processes which consists in cyclically alternating the tasks yet to be performed, according to their priority.
Switch.- Connection device between devices belonging to a network, capable of directing the traffic from one device to another connected to it, excluding the other devices connected.
Frame.- Structure which contains information sent through a network.

7 Glossary of abbreviations

BPDU.- Bridge Protocol Data Unit. This is a type of message used by bridges to exchange control and administration information.
RARP.- Reverse Address Resolution Protocol. Protocol used to find out the IP address of a device through its MAC address.
MAC.- Medium Access Control. Internal address which identifies each of a network's devices.
OSI.- Open Systems Interconnection. Reference model which specifies the different network levels.
STP.- Spanning Tree Protocol. A protocol between bridges to detect and remove redundant routes when creating the address table of a bridge.