50. DFN Betriebstagung




Slide 1: 50. DFN Betriebstagung
IPS Serial Clustering in 10GbE Environment
Tuukka Helander, Stonesoft Germany GmbH
Frank Brüggemann, RWTH Aachen

Slide 2: Agenda
- Introduction
- Stonesoft clustering
- Firewall parallel clustering
  - How does it work
- StoneGate IPS
  - Operating principle
  - Architecture
- The challenge with 10GbE
- Serial clustering
- Process virtualization
- Conclusion

Slide 3: Secure Information Flow
- Global Company
- Customer Focus
- Innovation
A global network security company, in business since 1990
- Listed on the OMX Nordic Stock Exchange Helsinki
- Corporate HQ in Helsinki, Finland
- Operations in USA, EMEA and Asia
- Customers in more than 60 countries
- Focus on enterprise customers requiring advanced network security and always-on connectivity
- Global 24/7 support
- Integrated network security and business continuity solutions
- R&D centers in Finland and France
- Multiple patents for core technologies

Slide 4: StoneGate Overview
StoneGate Security Platform

Slide 5: Firewall Parallel Clustering
RWTH Uplink - Parallel clustering at 10 GbE: how it started
- Prospect of bandwidth demand beyond 1 GbE at the start of 2006
- Already existing Stonesoft cluster, fully deployed in 1 GbE at that time
- Testing phase in a mixed environment with one 10 GbE machine
- Full migration to 10 GbE in August 2006
- Since then, continuous upgrades of server hardware
- Embedded into an HA, disaster resilient architecture

Slide 6: Use Case RWTH Aachen
RWTH Uplink - Parallel clustering at 10 GbE today
- Uplink capacity 10 Gbit/s, with another 10 Gbit/s failover link via BGP MED attribute
- FW cluster embedded into Cisco Catalyst 650x VSS dual chassis systems
- Deployed over disjoint locations for disaster resiliency
- FW cluster consists of IBM servers (partially consolidated into blades): PCI Express architecture, Xeon 3.00 GHz multicore CPUs

Slide 7: Use Case RWTH Aachen
RWTH Uplink: fine tuning the clustering mode
Packet dispatch mode:
- FW cluster is configured with a unicast IPv4 address and a unicast MAC address
- Master node is elected by an internal algorithm
- The interface of the master node answers ARP requests with the CVI MAC address, so traffic is initially routed towards this interface
- Traffic is redirected by the master node to the other nodes according to load etc.
Multicast mode:
- FW cluster is configured with a unicast IPv4 address and a multicast MAC address (I/G bit set)
- Static ARP entries and MAC table entries are required on the adjacent switches
- Traffic is flooded to every node of the cluster
- An internal algorithm decides whether a node processes a flow or not
- Found to be superior to dispatch mode with regard to scalability, stability and performance

Slide 8: Use Case RWTH Aachen
RWTH Uplink: Configuring Multicast LB - Cluster

Slide 9: Use Case RWTH Aachen
RWTH Uplink: Configuring Multicast LB - Cisco Catalyst

    c6k-xwin#show conf
    ...
    ip route 134.61.0.0 255.255.0.0 134.130.9.230
    ip route 134.130.0.0 255.255.0.0 134.130.9.230
    ip route 137.226.0.0 255.255.0.0 134.130.9.230
    ...
    arp 134.130.9.230 2122.2222.2224 ARPA
    ...
    mac-address-table static 2122.2222.2224 vlan 108 interface TenGigabitEthernet1/1 TenGigabitEthernet1/3 TenGigabitEthernet2/2 TenGigabitEthernet2/3
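The multicast-mode setup on slides 7 and 9 depends on three things agreeing on the adjacent switch: the static ARP entry for the cluster address must carry a MAC with the I/G bit set, a static MAC table entry must pin that address to every port a cluster node hangs off (otherwise the switch floods or learns it dynamically), and the static routes must point at an address that has such an ARP entry. The Python below is an added example, not part of the slide deck and not Stonesoft's or RWTH's tooling: it parses the configuration excerpt from the slide (embedded as sample input) and reports any of those conditions that fail. The regular expressions and the check logic are my own assumptions about the IOS syntax shown; the configuration lines themselves are the ones on the slide.

```python
import re

# Configuration excerpt as shown on the slide (Cisco IOS "show conf" output),
# embedded here as sample input for the checker.
SAMPLE_CONFIG = """\
ip route 134.61.0.0 255.255.0.0 134.130.9.230
ip route 134.130.0.0 255.255.0.0 134.130.9.230
ip route 137.226.0.0 255.255.0.0 134.130.9.230
arp 134.130.9.230 2122.2222.2224 ARPA
mac-address-table static 2122.2222.2224 vlan 108 interface TenGigabitEthernet1/1 TenGigabitEthernet1/3 TenGigabitEthernet2/2 TenGigabitEthernet2/3
"""

# Cisco dotted MAC notation: hhhh.hhhh.hhhh (assumed syntax, matches the slide).
MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ROUTE_RE = re.compile(r"^ip route\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
ARP_RE = re.compile(r"^arp\s+(\S+)\s+" + MAC + r"\s+ARPA\s*$", re.IGNORECASE)
MAC_TABLE_RE = re.compile(
    r"^mac-address-table\s+static\s+" + MAC + r"\s+vlan\s+(\d+)\s+interface\s+(.+?)\s*$",
    re.IGNORECASE,
)


def is_multicast_mac(mac: str) -> bool:
    """True if the I/G (individual/group) bit is set. It is the least significant
    bit of the first octet, i.e. the first octet transmitted on the wire."""
    first_octet = int(mac.replace(".", "")[:2], 16)
    return bool(first_octet & 0x01)


def parse_config(text: str) -> dict:
    """Collect static routes, static ARP entries and static MAC table entries."""
    cfg = {"routes": [], "arp": {}, "mac_table": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ROUTE_RE.match(line)):
            cfg["routes"].append((m.group(1), m.group(2), m.group(3)))
        elif (m := ARP_RE.match(line)):
            cfg["arp"][m.group(1)] = m.group(2).lower()
        elif (m := MAC_TABLE_RE.match(line)):
            cfg["mac_table"][m.group(1).lower()] = {
                "vlan": int(m.group(2)),
                "interfaces": m.group(3).split(),
            }
    return cfg


def check_multicast_lb_config(text: str) -> list:
    """Return a list of findings; an empty list means the excerpt is consistent."""
    cfg = parse_config(text)
    findings = []
    for ip, mac in cfg["arp"].items():
        if not is_multicast_mac(mac):
            findings.append(f"arp {ip} {mac}: I/G bit is clear, so this is a unicast MAC; "
                            "multicast mode needs a multicast MAC")
        entry = cfg["mac_table"].get(mac)
        if entry is None:
            findings.append(f"arp {ip} {mac}: no static mac-address-table entry, "
                            "the switch would have to flood or learn the address")
        elif len(entry["interfaces"]) < 2:
            findings.append(f"mac-address-table {mac}: only one interface listed, "
                            "frames would reach a single cluster node")
    for prefix, mask, next_hop in cfg["routes"]:
        if next_hop not in cfg["arp"]:
            findings.append(f"ip route {prefix} {mask} {next_hop}: next hop has no static arp entry")
    return findings


if __name__ == "__main__":
    for line in check_multicast_lb_config(SAMPLE_CONFIG) or ["configuration excerpt is consistent"]:
        print(line)
```

Run against the slide's excerpt the checker reports nothing; change the first MAC octet from 21 to 20 (clearing the I/G bit) or drop the mac-address-table line and it names the problem, which is the kind of drift worth catching in a config-review job before a switch upgrade re-learns the address.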

Slide 10: StoneGate Clustering Technology
Load balancing principles
- Dynamic load balancing is based on a fast algorithm that takes IP header information as input: source IP address and destination IP address
- Ports may be added to the load-balancing decision if more granularity is needed; don't use this "for fun", since excessive load balancing decisions can add overhead
- The load balancing filter sits between the network interface card driver and the application
- Initial capacity and current load of each node are also taken into account for the balancing decision
Figure: OSI layer stack (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical) with the Load Balancing Filter drawn between the Network and Data Link layers.

Slide 11: StoneGate Clustering Technology
Node failover and new node in cluster
- When a node fails or a new node comes online, the load balancing filter is recalculated and the load is redistributed
- The heartbeat protocol detects failed nodes or new nodes
- Load redistribution is recalculated relative to individual node performance and node availability
- In case of node failure, the connection is moved to a healthy node
- A new node joining a cluster begins accepting new connections immediately

Slide 12: StoneGate IPS Operating Principle
- Network-based Intrusion Protection System
- Protects vulnerable applications and operating systems from network attacks against server vulnerabilities and client vulnerabilities
- Transparent access control within network segments: security policies for Ethernet, network and transport layers
- Supports both IPv4 and IPv6
- Protects services from Denial-of-Service (DoS) attacks
- Provides a security monitoring view into the network traffic

Slide 13: StoneGate IPS Architecture

Slide 14: The challenge with a 10 Gbps environment
Two major concerns:
- A single StoneGate sensor appliance handles traffic only up to 4 Gbps; future appliances might go up to 10 Gbps
- CPU usage is dominated by interrupts from the network interface cards
- Intel chipsets have doubled the PCIe bandwidth
- Each NIC separates RX and TX flows

Slide 15: Inline IPS Serial Cluster
Two benefits:
Boosts inline IPS inspection performance
- Only one of the sensor nodes in an IPS serial cluster inspects a given connection; the others are in bypass mode for that connection
- The load balancing decision is based on IP addresses
- No state synchronization is needed between the nodes
Provides HA for network traffic inspection
- If a node fails, it switches to a hardware bypass state and the load balancing filter is recalculated on the rest of the nodes
- Bypass NICs are mandatory
- Not a network HA solution
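The filter described on slides 10, 11 and 15 can be illustrated with a deterministic, stateless node-selection function. The Python below is an added example, not Stonesoft's algorithm (which the slides do not disclose): it uses weighted rendezvous hashing over a direction-independent (source IP, destination IP) key as a stand-in for the real filter, with node capacity as the weight. It demonstrates the three properties the slides rely on: both directions of a flow land on the same node without any state synchronization, in a serial cluster exactly one node inspects a packet while the others bypass it, and when a node fails only the flows that node owned move to healthy nodes. The node names, capacities and sample flows are constructed.

```python
import hashlib
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Node:
    name: str          # constructed node name, e.g. "ips-1"
    capacity: float    # relative inspection capacity used as the balancing weight
    healthy: bool = True


def flow_key(src_ip: str, dst_ip: str, src_port: Optional[int] = None,
             dst_port: Optional[int] = None, use_ports: bool = False) -> bytes:
    """Build a direction-independent flow key from the IP header (ports optional,
    as on slide 10). Sorting the two endpoints makes both directions of a
    connection hash identically, so no node needs to tell the others which
    flows it owns."""
    endpoints = [(src_ip, src_port if use_ports else 0),
                 (dst_ip, dst_port if use_ports else 0)]
    endpoints.sort()
    return "|".join(f"{ip}:{port}" for ip, port in endpoints).encode()


def _score(key: bytes, node: Node) -> float:
    """Weighted rendezvous (highest-random-weight) score. Every node computes the
    same number for the same flow, and a node's chance of winning is
    proportional to its capacity."""
    digest = hashlib.sha256(key + b"/" + node.name.encode()).digest()
    h = int.from_bytes(digest[:8], "big")
    u = (h + 1) / (2 ** 64 + 1)          # uniform in (0, 1), never 0 or 1
    return -node.capacity / math.log(u)


def select_node(nodes: List[Node], key: bytes) -> Node:
    """The node that inspects this flow, chosen independently by each node."""
    healthy = [n for n in nodes if n.healthy]
    if not healthy:
        raise RuntimeError("no healthy node left; traffic would rely on hardware bypass")
    return max(healthy, key=lambda n: _score(key, n))


def serial_cluster_pass(nodes: List[Node], key: bytes) -> Dict[str, str]:
    """Emulate one packet traversing every node of an inline serial cluster in
    turn: each node evaluates the same filter, the winner inspects, the rest
    bypass."""
    owner = select_node(nodes, key)
    return {n.name: ("inspect" if n.name == owner.name else "bypass") for n in nodes}


def redistribute(nodes: List[Node], flows: List[bytes], failed: str) -> Tuple[List[Node], int]:
    """Mark one node failed, recompute the filter and report how many flows moved.
    With rendezvous hashing only the failed node's flows change owner."""
    before = {f: select_node(nodes, f).name for f in flows}
    new_nodes = [Node(n.name, n.capacity, n.healthy and n.name != failed) for n in nodes]
    after = {f: select_node(new_nodes, f).name for f in flows}
    moved = sum(1 for f in flows if before[f] != after[f])
    return new_nodes, moved


def sample_flows(count: int) -> List[bytes]:
    """Constructed sample: clients in 10.0.0.0/16 talking to one server address."""
    return [flow_key(f"10.0.{i // 256}.{i % 256}", "134.130.9.10") for i in range(count)]


if __name__ == "__main__":
    cluster = [Node("ips-1", 1.0), Node("ips-2", 1.0), Node("ips-3", 2.0)]
    flows = sample_flows(300)
    owners = [select_node(cluster, f).name for f in flows]
    print({n.name: owners.count(n.name) for n in cluster})
    print(serial_cluster_pass(cluster, flows[0]))
    survivors, moved = redistribute(cluster, flows, "ips-2")
    print(f"{moved} flows moved after ips-2 failed")
```

Enabling `use_ports` gives finer granularity at the cost of more distinct balancing decisions, which is the trade-off slide 10 warns about; the failover count printed at the end equals exactly the number of flows the failed node owned, matching the slide 11 statement that only those connections are moved to a healthy node.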

Slide 16: Inline Serial Cluster Scalability
Results from the R&D test lab
Test setup:
- Appliance deployment: IPS version 4.2.0.4209, SMC version 4.2.0.7764
- IPS-2000C serial inline IPS cluster
- Dyn update 224
- Smartbits LAN-3321A module with two 1GB ports
Test description:
- Bidirectional UDP streams
- 250 flows/direction used (IP-IP pairs)
- Burst duration 30 sec
- System policy in use

Slide 17: Process Virtualization
Utilizing the cores
- Load balancing between the CPU cores
- IPS sensor process sliced into several virtual entities
- Intel 10GbE and ixgbe capabilities in use
- Multi-queued flows balanced between all available cores
- Requires IPS version 5.0; estimated availability Q2/2009

Slide 18: Conclusion
A 10GbE environment is possible with:
- Serial clustering
- Process virtualization
- Intel-based hardware
- Innovative software development from Stonesoft
