Networking and High Availability



Similar documents
Networking and High Availability

How To Protect Your Web Applications From Attack From A Malicious Web Application From A Web Attack

How To Configure The Fortigate Cluster Protocol In A Cluster Of Three (Fcfc) On A Microsoft Ipo (For A Powerpoint) On An Ipo 2.5 (For An Ipos 2.2.5)

AppDirector Load balancing IBM Websphere and AppXcel

DATA CENTER. Best Practices for High Availability Deployment for the Brocade ADX Switch

Deploying the Barracuda Load Balancer with Office Communications Server 2007 R2. Office Communications Server Overview.

CCNP SWITCH: Implementing High Availability and Redundancy in a Campus Network

Scalable. Reliable. Flexible. High Performance Architecture. Fault Tolerant System Design. Expansion Options for Unique Business Needs

Superior Disaster Recovery with Radware s Global Server Load Balancing (GSLB) Solution

Radware s AppDirector and Microsoft Windows Terminal Services 2008 Integration Guide

Load Balancing 101: Firewall Sandwiches

Coyote Point Systems White Paper

Radware s AppDirector and AppXcel An Application Delivery solution for applications developed over BEA s Weblogic

Load Balancing ContentKeeper With RadWare

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Scalable. Reliable. Flexible. High Performance Architecture. Fault Tolerant System Design. Expansion Options for Unique Business Needs

A New Approach to Developing High-Availability Server

High Availability. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

5 Easy Steps to Implementing Application Load Balancing for Non-Stop Availability and Higher Performance

Application Note Gigabit Ethernet Port Modes

High Availability. FortiOS Handbook v3 for FortiOS 4.0 MR3

White Paper. Complementing or Migrating MPLS Networks

NSFOCUS Web Application Firewall

IP SAN Best Practices

Availability Digest. Redundant Load Balancing for High Availability July 2013

WHITE PAPER MICROSOFT LIVE COMMUNICATIONS SERVER 2005 LOAD BALANCING WITH FOUNDRY NETWORKS SERVERIRON PLATFORM

Break Internet Bandwidth Limits Higher Speed. Extreme Reliability. Reduced Cost.

Astaro Deployment Guide High Availability Options Clustering and Hot Standby

How To Load Balance On A Cisco Cisco Cs3.X With A Csono Css 3.X And Csonos 3.5.X (Cisco Css) On A Powerline With A Powerpack (C

Layer 3 Redundancy with HSRP By Sunset Learning Instructor Andrew Stibbards

Networking Topology For Your System

Broadband Bonding Network Appliance TRUFFLE BBNA6401

SURF Feed Connection Guide

Barracuda Link Balancer

FlexNetwork Architecture Delivers Higher Speed, Lower Downtime With HP IRF Technology. August 2011

INTEGRATING FIREWALL SERVICES IN THE DATA CENTER NETWORK ARCHITECTURE USING SRX SERIES SERVICES GATEWAY

FatPipe Networks

Application Delivery Controller (ADC) Implementation Load Balancing Microsoft SharePoint Servers Solution Guide

Avaya P333R-LB. Load Balancing Stackable Switch. Load Balancing Application Guide

TESTING & INTEGRATION GROUP SOLUTION GUIDE

Best Practices: Pass-Through w/bypass (Bridge Mode)

Installation Guide for. 10/100 to Triple-speed Port Aggregator. Model TPA-CU Doc. PUBTPACUU Rev. 1, 12/08. In-Line

RESILIENT NETWORK DESIGN

Microsoft Lync Server Overview

Netsweeper Whitepaper

Canadian Securities Exchange enhances Trading Network by adding a FIX Protocol Router Appliance

Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2

Outline VLAN. Inter-VLAN communication. Layer-3 Switches. Spanning Tree Protocol Recap

Transparent Cache Switching Using Brocade ServerIron and Blue Coat ProxySG

Layer 4-7 Server Load Balancing. Security, High-Availability and Scalability of Web and Application Servers

White Paper. Protecting Databases from Unauthorized Activities Using Imperva SecureSphere

Truffle Broadband Bonding Network Appliance

EXINDA NETWORKS. Deployment Topologies

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

Load Balancing for Microsoft Office Communication Server 2007 Release 2

High Availability. PAN-OS Administrator s Guide. Version 7.0

ZEN LOAD BALANCER EE v3.02 DATASHEET The Load Balancing made easy

CompTIA Exam N CompTIA Network+ certification Version: 5.1 [ Total Questions: 1146 ]

Voice over IP- Session Initiation Protocol (SIP) Load Balancing in the IBM BladeCenter

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

High Availability Solutions & Technology for NetScreen s Security Systems

ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy

Broadband Bonding Network Appliance TRUFFLE BBNA6401

Total Business Continuity with Cyberoam High Availability

CounterACT 7.0 Single CounterACT Appliance

Flexible Routing and Load Control on Back-End Servers. Controlling the Request Load and Quality of Service

GLOBAL SERVER LOAD BALANCING WITH SERVERIRON

Volume GAJSHIELD INFOTECH PVT LTD. Wan Failover & Load Balancing. Administrative Guide

axsguard Gatekeeper Internet Redundancy How To v1.2

Juniper Networks EX Series/ Cisco Catalyst Interoperability Test Results. May 1, 2009

SiteCelerate white paper

Contents. Load balancing and high availability

An Oracle White Paper June Oracle Database Firewall 5.0 Sizing Best Practices

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Lab 5 Explicit Proxy Performance, Load Balancing & Redundancy

Secure Web Appliance. Reverse Proxy

Routing Security Server failure detection and recovery Protocol support Redundancy

Blue Coat Systems. PacketShaper Redundant Setup

Configuring IPS High Bandwidth Using EtherChannel Load Balancing

Cisco AnyConnect Secure Mobility Solution Guide

Configuring Oracle SDN Virtual Network Services on Netra Modular System ORACLE WHITE PAPER SEPTEMBER 2015

Unisys Internet Remote Support

Web Application Firewalls: When Are They Useful? OWASP AppSec Europe May The OWASP Foundation

Implementing Microsoft Office Communications Server 2007 With Coyote Point Systems Equalizer Load Balancing

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

HA OVERVIEW. FortiGate FortiOS v3.0 MR5.

Deployment Guide May-2015 rev. a. APV Oracle PeopleSoft Enterprise 9 Deployment Guide

SonicOS Enhanced Release Notes

Technical Note. ISP Protection against BlackListing. FORTIMAIL Deployment for Outbound Spam Filtering. Rev 2.2

Fail-Safe IPS Integration with Bypass Technology

Building a Systems Infrastructure to Support e- Business

How To Load balance traffic of Mail server hosted in the Internal network and redirect traffic over preferred Interface

High Availability Failover Optimization Tuning HA Timers PAN-OS 6.0.0

Chapter 2 TOPOLOGY SELECTION. SYS-ED/ Computer Education Techniques, Inc.

Application Note. Active Directory Federation Services deployment guide

SECURE WEB GATEWAY DEPLOYMENT METHODOLOGIES

Transcription:

TECHNICAL BRIEF Networking and High Availability Deployment Note Imperva appliances support a broad array of deployment options, enabling seamless integration into any data center environment. can be configured as a transparent bridge or a non-inline network monitor (sniffer). In addition, the Web Application Firewall supports reverse proxy and transparent proxy deployment. Because of this flexibility, customers can roll out comprehensive application-level security without changing their data center infrastructure. There is no need to reconfigure IP addresses, routing schemes, or applications allowing to easily drop into any network. The appliances protect critical business applications and database servers. Therefore, high availability is an essential customer requirement. To meet this requirement, Imperva offers a range of options that ensure business continuity and application availability. This deployment note describes several networking scenarios and the corresponding high availability configurations for each scenario, including: Transparent Bridge Configuration Active-Passive Failover in a Redundant Architecture Active-Active Failover in a Redundant Architecture Fail-open Architecture Active-Passive and Active-Active Failover with IMPVHA Protocol Link Aggregation Network Monitor (Sniffer) Configuration Non-Inline Deployment Non-Inline with Redundant Transparent and Reverse Proxy Configurations (Web Application Firewall only) Load Balancer Integration Active-Passive Failover This note also describes the criteria customers can use to determine the best network and high availability configuration for their environment.

Transparent Bridge Configuration Active-Passive Failover in a Redundant Architecture In this scenario, two gateways are deployed in an existing highly available architecture. Since each gateway is configured as a layer 2 bridge, any failure to appears to the network simply as if a switch port has failed. Connected devices would recognize that the gateway was not reachable and would automatically redirect traffic around it. Data inspection and analysis is performed es es through a powerful Transparent Inspection engine, so does not need to terminate or rewrite HTTP requests. TCP connections are negotiated directly Diagram of Active-Passive Failover in a Redundant Architecture between the client and the back-end server. Therefore, a failover event does not disrupt TCP connections or affect user sessions. Active-Active Failover in a Redundant Architecture In this deployment scenario, redundant gateways are again deployed in an existing highly available architecture. The only difference is that both gateways transmit traffic simultaneously. Since is configured as a layer 2 bridge, any failure to appears to the network simply as if a switch port has failed. Connected devices would recognize that the gateway was not reachable and would automatically redirect traffic around it. es es As a bridge, transparently inspects traffic without terminating Diagram of Active-Active Failover in a Redundant Architecture TCP connections. So a failover event does not affect user sessions or disrupt TCP connections between the web or database server and the client. Since one gateway has failed, total network capacity will be reduced until the failure is corrected.

Fail-open Architecture Fail-open bridge configuration preserves uptime without the cost or management effort of building a redundant architecture. In this scenario, is deployed inline in front of the protected application servers. In the event of a software, hardware, or power failure, s specialized network interface card will detect the failure and physically complete the connection through the gateway. The NIC card will fail open in milliseconds, minimizing network downtime. However, application servers will not be monitored or protected from attacks until the gateway resumes operations. Fail-Open Architecture Diagram Active-Passive and Active-Active Failover with IMPVHA Protocol Imperva developed a proprietary redundancy protocol for environments that do not have a redundant network architecture and Spanning Tree Protocol (STP) cannot be implemented. For some customers, STP convergence times may be unacceptably long or STP may conflict with existing protocols, such as Rapid Spanning Tree Protocol. For these situations, the Imperva High Availability (IMPVHA) protocol is the ideal solution. Pair Pair es es With IMPVHA, two gateways can be configured as layer 2 bridges in either active-passive or active-active mode. The configuration and failover Diagram of Active-Active Failover using IMPVHA mechanism is similar to VRRP, except that when a failover occurs, the backup device informs connected devices to redirect traffic via ARP requests rather than assuming the primary device s IP address. When an IMPVHA pair is deployed, the backup gateway will send periodic loopcheck broadcast messages. If no response is received within the configurable failover time (default is 0.5 seconds), the backup gateway will become active. Since a gateway supports two bridges through its four network interface cards, it is possible to configure one bridge as the IMPVHA primary for one network and the second bridge as a backup for another network. In this configuration, two gateways can support an active-active failover configuration.

Link Aggregation One or more gateways can support link aggregation. For example, two interfaces on a gateway can be connected to two interfaces on a network load balancer. Traffic can pass through both connections. For example, uplink traffic can travel through the first interface card while downlink traffic goes through the second interface card. In bridging mode, each gateway includes four network interfaces for application security. So it is possible to aggregate traffic through two connections. If the load balancer has 100Mbps Fast Ethernet interfaces, then aggregating links can also increase total throughput. Even if the traffic is split between the two segments, can accurately inspect all traffic and block attacks. Link Aggregation Diagram If an Ethernet cable is disconnected or a network interface fails, then traffic will continue to be forwarded through the active link on the gateway.

Network Monitor Configuration Non-inline Deployment Configuring as a network monitor enables organizations to protect critical servers without introducing a new point of failure. It is a lower price alternative to deploying to or more redundant gateways. To deploy as a network monitor, connect it to an open SPAN port or a network TAP to observe traffic. A second connection to an active port on the switch allows to block malicious connections by sending TCP resets to both the server and the client involved in the session. In the event of a gateway failure, network traffic is unaffected. However, traffic will not be monitored or protected until the gateway becomes operational again. Load Balancer Load Balancer Non-Inline Deployment Diagram Non-inline with Redundant For some organizations, it may be imperative to monitor and audit all Web or database traffic without disruption. These organizations can deploy multiple gateways in non-inline mode. If one of the gateways fail, the other gateway will continue to monitor and record traffic. In this configuration, each gateway should be managed by a separate MX Management Server or by using the integrated software management option. Load Balancer Load Balancer Non-Inline Deployment Diagram with Redundant

Transparent and Reverse Proxy Configurations (Web Application Firewall only) is often deployed as a direct replacement for legacy reverse proxy appliances. In most cases, customers choose to configure as a bridge because it fits into the existing architecture and reduces the operational burden associated with Web proxies. However, in some cases, customers deploy as in proxy mode to meet architectural requirements or for content modification. The Web Application Firewall supports both reverse proxy and transparent proxy configurations. Both proxy configurations offer content modification, including cookie signing and URL rewriting. Transparent proxy mode enables transparent deployment without network or DNS changes. Load Balancer Integration In proxy mode, one or more gateways are deployed as either a reverse proxy or a transparent proxy. A load balancer balances the traffic between the gateways and the gateways forward the traffic to the Web servers. It s possible to configure load balancer to work in activeactive or active-passive modes. In this mode, the IP address of the Web site resolves to the gateway s IP address. If SSL is used, then the gateway should be configured to terminate the Diagram of Proxy Mode with Load Balancer Integration SSL connection. Note that in proxy mode, establishes a new connection to the Web server on behalf of the client. Active-Passive Failover VRRP also provides redundancy for two or more gateways configured as reverse or transparent proxies. In this deployment scenario, two gateways are deployed as proxies. The gateways are configured as a VRRP pair (Virtual Router Redundancy Protocol). When the active gateway becomes unavailable, the passive gateway assumes the IP address of the failed gateway and becomes active. VRRP Master Load Balancer VRRP Master Diagram of Active-Passive Failover in Proxy Mode

Summary of Network Configuration Modes The best-in-class application security appliances support a wide array of deployment options. customers can select the best deployment scenario based on their network, high availability and ongoing maintenance objectives. So which configuration mode would best suit your needs? That depends on your data center architecture, your business applications, and your performance and operational requirements. For example, if you wish to encrypt cookies or rewrite URLs, you can configure as a proxy. If line speed performance and zero impact deployment are important, then deploy as a layer 2 bridge. The table displayed below describes which network configuration mode you should choose based on your existing network infrastructure and applications and your performance and high availability requirements. Configuration Mode When to Use Bridge When transparent deployment is required Provides drop-in installation Layer 2 operation is transparent to most networks and applications For high performance environments Proxy For seamless replacement of legacy application proxy deployments, cookie signing, and URL rewrite Transparent proxy option for content modification with no network changes Network Monitor For risk-free evaluation and pilot projects To avoid adding new devices to the network The appliance is not inline and won t impact the network When only monitoring and reporting functions are needed www.imperva.com Copyright 2014, Imperva All rights reserved. Imperva and are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #TB-NETWORKING-AND-HA-0414rev2

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information