Multi-Link - Firewall Always-on connectivity with significant savings



Similar documents
White Paper. McAfee Multi-Link. Always-on connectivity with significant savings

Whitepaper. StoneGate Multi-Link. Ensuring Always-on Connectivity with Significant Savings

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

WAN Traffic Management with PowerLink Pro100

Whitepaper. A Practical Guide to ISP Redundancy and Uninterrupted Internet Connectivity

McAfee Next Generation Firewall

Internet Load Balancing Guide. Peplink Balance Series. Peplink Balance. Internet Load Balancing Solution Guide

Site2Site VPN Optimization Solutions

Mesh VPN Link Sharing (MVLS) Solutions

Managing SIP-based Applications With WAN Optimization

LOAD BALANCING WHITE PAPER OPTIONS FOR HANDLING MULTIPLE ISP LINES AT HOTELS

Stonesoft Augmented VPN WITH MULTI-LINK TECHNOLOGY

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

Barracuda Link Balancer

A Link Load Balancing Solution for Multi-Homed Networks

Gigabit Multi-Homing VPN Security Router

Executive Overview 3. Case Study 1: Augmented Connections 3. Case Study 2: Augmented Bandwidth 5

PREPARED FOR ABC CORPORATION

Assuring Your Business Continuity

Redundancy for Corporate Broadband

FatPipe Networks

TRUFFLE Broadband Bonding Network Appliance. A Frequently Asked Question on. Link Bonding vs. Load Balancing

Everything You Need to Know About Network Failover

Evaluating Bandwidth Optimization Technologies: Bonded Internet

Private Cloud Solutions Virtual Onsite Data Center

White Paper. Complementing or Migrating MPLS Networks

About Firewall Protection

Deploying in a Distributed Environment

ECESSA. White Paper. Optimize Your Network on a Limited IT Budget

Optimal Network Connectivity Reliable Network Access Flexible Network Management

WHITE PAPER: Broadband Bonding for VoIP & UC Applications. In Brief. mushroomnetworks.com. Applications. Challenge. Solution. Benefits.

Multi-Homing Security Gateway

MPLS: Key Factors to Consider When Selecting Your MPLS Provider Whitepaper

Break Internet Bandwidth Limits Higher Speed. Extreme Reliability. Reduced Cost.

TRUFFLE Broadband Bonding Network Appliance BBNA6401. A Frequently Asked Question on. Link Bonding vs. Load Balancing

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Gigabit Content Security Router

The Hybrid Enterprise. Enhance network performance and build your hybrid WAN

WHITEPAPER MPLS: Key Factors to Consider When Selecting Your MPLS Provider

Technical Brief. DualNet with Teaming Advanced Networking. October 2006 TB _v02

Network Connection Considerations for Microsoft Response Point 1.0 Service Pack 2

Data Sheet. V-Net Link 700 C Series Link Load Balancer. V-NetLink:Link Load Balancing Solution from VIAEDGE

Optimal Network Connectivity Reliable Network Access Flexible Network Management

Managed 4G LTE WAN: Provide Cost-Effective Wireless Broadband Service

VPN Only Connection Information and Sign up

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

Configuring WAN Failover & Load-Balancing

LOAD BALANCING WHITE PAPER OPTIONS FOR HANDLING MULTIPLE ISP LINES AT HOTELS

Truffle Broadband Bonding Network Appliance

Appendix C Network Planning for Dual WAN Ports

BroadCloud PBX Customer Minimum Requirements

White Paper: Broadband Bonding with Truffle PART I - Single Office Setups

Application Note. Cell Janus Load Balancing Algorithms Technical Overview

Firewall Defaults and Some Basic Rules

VMware vcloud Air Networking Guide

How To Manage Outgoing Traffic On Fireware Xtm

McAfee Next Generation Firewall Optimize your defense, resilience, and efficiency.

Elfiq Link Load Balancer Frequently Asked Questions (FAQ)

Configuration Guide. How to Configure SSL VPN Features in DSR Series. Overview

MPLS: Key Factors to Consider When Selecting Your MPLS Provider

Configuring IP Load Sharing in AOS Quick Configuration Guide

Benefit from our Hard-Learned Lessons: Evaluating Bandwidth Optimization Technologies

Total solution for your network security. Provide policy-based firewall on scheduled time. Prevent many known DoS and DDoS attack

VoIP CONFIGURATION GUIDE FOR MULTI-LOCATION NETWORKS

Multi-protocol Label Switching

IP SLAs Overview. Finding Feature Information. Information About IP SLAs. IP SLAs Technology Overview

Gigabit Multi-Homing VPN Security Router

LAN TCP/IP and DHCP Setup

Common Application Guide

UIP1868P User Interface Guide

Whitepaper. ISP Redundancy. A Practical Guide to ISP Redundancy and Uninterrupted Internet Connectivity

Hosted Voice. Best Practice Recommendations for VoIP Deployments

Improving Network Efficiency for SMB Through Intelligent Load Balancing

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1

Virtual Leased Line (VLL) for Enterprise to Branch Office Communications

VPN Solution Guide Peplink Balance Series. Peplink Balance. VPN Solution Guide Copyright 2015 Peplink

Chapter 12 Supporting Network Address Translation (NAT)

FortiVoice. Version 7.00 VoIP Configuration Guide

November Defining the Value of MPLS VPNs

Firewalls. Chapter 3

Colt IP VPN Services Colt Technology Services Group Limited. All rights reserved.

Layer-2 Design: Link Balancers Simplified

Chapter 2 Connecting the FVX538 to the Internet

Configuration Example

HOSTED VOICE Bring Your Own Bandwidth & Remote Worker. Install and Best Practices Guide

XROADS NETWORKS WHITE PAPER

VOIP NETWORK CONFIGURATION GUIDE RELEASE 6.10

Remote Access VPN Solutions

axsguard Gatekeeper Internet Redundancy How To v1.2

Enterprise Edge Communications Manager. Data Capabilities

Configuring High Availability for Embedded NGX Gateways in SmartCenter

Layer 4-7 Server Load Balancing. Security, High-Availability and Scalability of Web and Application Servers

Edgewater Routers User Guide

Gigabit SSL VPN Security Router

Transcription:

White Paper Multi-Link - Firewall Always-on connectivity with significant savings multilink.internetworking.ch

able of Contents Executive Summary How Multi-Link - Firewalls works Outbound traffic Load balancing Standby links for high availability Quality-of-Service (QoS) classes Activating outbound Multi-Link - Firewall for selected traffic only Inbound Traffic 3 4 4 4 6 7 7 8 VPN Traffic 10 2 Augmented VPN

Executive Summary In today s 24/7/365 world, organizations of all sizes and types depend on always-on network connectivity. Service interruptions can mean lost revenue when an online trading company cannot execute orders, lost clients for a law firm if their attorneys cannot file briefs in time, or even lost lives if critical patient data is not immediately available when needed. According to the study performed by Ponemon Institute, sponsored by Emerson Network Power,1 the cost of a data center outage has increased since 2010. The cost per square foot of data center outages now ranges from $45 to $95. Or, according to the study, a minimum cost of $74,223 to a maximum of $1,734,433 per organization. The overall average cost is $627,418 per incident. Whether communicating with customers, partners, or employees, organizations rely on continuous connectivity anytime, anywhere. Traditionally, connections provided by links have been a single point of failure. To eliminate this risk, organizations have resorted to complicated and costly solutions such as redundant systems, separate failover or standby products, complex protocols like border gateway protocol (BGP), and different connection types like multiprotocol label switching (MPLS) and frame relay. Now there s a better approach Multi-Link technology built into the Next Generation Firewall. Multi-Link - Firewall is ideal for providing organizations with highly available connectivity in a simple, straightforward, and costeffective manner. If one line fails, traffic is automatically switched over to the remaining links. Multi-Link - Firewall eliminates the need for complicated solutions like BGP or separate wide area network (WAN) load balancer solutions, which not only means cost savings, but also a simplified infrastructure. Multi-Link - Firewall technology can integrate with any type of connection to ensure that inbound, outbound, and VPN traffic is delivered securely through the fastest connections without incident or disruptive downtime. Multi-Link - Firewall can accommodate digital subscriber lines (DSL), leased lines, cable modems, satellite, mobile broadband, and even WAN links such as point-to-point MPLS. Organizations gain the flexibility to deploy the type and number of connections that are best suited for their environments and their budgets. Combined with active load balancing and Quality-of-Service (QoS) capabilities, Multi-Link - Firewall also optimizes networks and supports technologies, such as Voice-over-IP (VoIP) and video conferencing. Organizations gain granular control of their networks and ensure the availability of applications that are mission-critical to their operations. 3

How Multi-Link - Firewall Works Outbound traffic A single connection to the is a single point of failure. If the connection becomes unavailable, all outbound traffic is blocked. To prevent this, patented McAfee Multi-Link - Firewall technology distributes outbound traffic between multiple network connections. Multi-Link - Firewall ensures that connectivity remains available even if one or more network connections fail. McAfee Next Generation Firewall can also load balance outbound traffic between network connections to use the available connection capacity more efficiently. Organizations can use Multi-Link - Firewall on both single and clustered firewalls. The network connections for McAfee Multi-Link are represented by netlink elements in Security Management Center (SMC). In most cases, a netlink element is used to represent an service provider (ISP) connection. However, netlinks can also represent a leased line, xdsl, or any other type of network connection mediated by the firewall. Load balancing There are two load balancing methods: round-trip time and ratio. When the round-trip time method is used, netlink performance is measured for each new transmission control protocol (TCP) connection by sending the initial request (SYN) to the destination through all the available netlinks. When the destination host sends the reply (SYN-ACK), the netlink that receives the reply first is used to complete the TCP connection establishment. The firewall cancels the slower connection attempts by sending a TCP reset (RST) to the destination through the other netlinks. This way, the fastest route is selected automatically for each connection based on the round-trip time measurement. Information about the performance of each netlink is cached, so no new measurement is made if a new connection is opened to the same destination within a short time period. Firewall Cluster SYN SYN-ACK RST SYN SYN-ACK ACK SYN SYN-ACK RST SYN SYN-ACK ACK Figure 1. Select the fastest netlink for outbound connections. 4

There are, however, times when a ratio method may be preferred. For example, if one ISP s bandwidth far exceeds other connections being used and is supplemented by smaller ISPs, the smaller ISP may return a faster SYN-ACK. While this may seem like the fastest connection, it may not take into account the proportionate bandwidth available. Multi-Link - Firewall technology can resolve this by using a ratio method. When the ratio method is used, traffic is distributed among all of the available netlinks according to the relative capacity of the links. The bandwidths of the other netlinks are automatically compared to the bandwidth of the netlink with the most bandwidth to produce a ratio for distributing the traffic. When the volume of traffic is low, the ratio of actual traffic distribution is approximate. When the volume of traffic is high, the ratio of traffic handled by each netlink is closer to the ratio calculated from the link capacity. In the example below, using standard outbound load balancing could result in using the 2 Mbps link even though the 5 Mbps link may be more efficient. Using ratio-based load balancing allows Multi-Link - Firewall to take the larger link(s) into consideration to allow for a more granular and efficient use of available links. Firewall Cluster 1 Mbps 2 Mbps 5 Mbps Figure 2. Traffic is distributed according to the relative capacity of the links. 5

Standby links for high availability Standby netlinks allow organizations to define a netlink as a backup that is only activated when all primary netlinks are unavail able. This minimizes the use of netlinks that are more expensive (where the cost is based on the amount of used traffic) or otherwise less preferable, while still ensuring high availability of connectivity. To test which netlinks are available, the status of the netlinks is monitored by sending control message protocol (ICMP) echo requests (pings) through each netlink. If no response is received before the end of the defined timeout interval, the netlink is considered unavailable. Firewall Cluster Active Active Standby Firewall Cluster X Active Active Figure 3. The standby netlink is activated only if all the primary netlinks fail. As soon as one or more primary netlinks become active again, the standby netlinks are deactivated. Previously established connections continue to be handled by the deactivated netlink, but new connections are no longer sent to the standby netlink. Organizations can define multiple active netlinks and multiple standby netlinks. When load balancing is used with standby netlinks, traffic is only distributed between the netlinks that are currently active. Standby netlinks are not activated to balance the load. Organizations can use expensive traffic-based links as backup links, since in emergency situation even they become cost effective compared to having to risk attack. 6

Quality-of-Service (QoS) classes Organizations can optionally assign a QoS class to each netlink. Assigning a QoS class to a netlink specifies that traffic with the selected QoS class is routed through the selected netlink. The same QoS class can be assigned to more than one netlink. When no QoS class is assigned to a particular netlink, traffic is routed through that netlink according to the load-balancing method selected. The actual QoS classes can be assigned to specific traffic in the firewall policy or in the QoS policy based on the differentiated services code point (DSCP) codes of the incoming traffic. Figure 4 shows one example where you would use QoS with netlinks. Firewall Cluster Mission-Critical High-Priority, Low-Latency Traffic Low-Priority Traffic Low-Priority Traffic Figure 4. Email traffic can be sent over the high latency satellite connection while the VoIP traffic is sent over the low-latency links. Activating outbound Multi-Link - Firewall for selected traffic only Multi-Link - Firewall for outbound connections is implemented with network address translation (NAT) rules in the firewall policy, which makes the configuration very granular. It is not necessary for all traffic to be balanced, but the decision can be made on a rule-by-rule basis using any combination of the match fields in the firewall policy. When a NAT rule that balances outbound connections matches the traffic, only the traffic that matches the rule is balanced, and according to the settings that have been made for this specific rule only. Obviously, organizations can share the settings in multiple NAT rules, or they can define all the outbound traffic to be balanced same way. Some protocols cannot use dynamic NAT based on IP/port translation. To achieve high availability and load balancing for connections that use these protocols, organizations can use static NAT as well. When static NAT is used, the size of the source network must be the same as the size of the network used for address translation. 7

Inbound Traffic Next Generation Firewall has a built-in load balancer that can be used for distributing incoming traffic between a group of servers to balance the load efficiently and to ensure that services remain available even when a server in the pool fails. The server pool has a single external IP address that users (customers, partners, and employees) can connect to, and Next Generation Firewall then uses NAT to distribute the incoming traffic to the different servers. This does not require the use of Multi-Link - Firewall, but it can be used to improve availability by providing the connection access to the server pool through multiple connections. Organizations can also use McAfee Multi- Link with just one server in the server pool to take advantage of dynamic domain name system (DNS) updates as shown in Figure 5. When dynamic DNS updates are not used, Multi-Link - Firewall is based on assigning a different IP address for the server pool in each netlink. The server pool s DNS entry on the external DNS server must be configured with an individual IP address for each netlink so that users can access the servers through the different netlinks. When the connecting user requests the IP address for the server pool s DNS name, the DNS server sends the server pool s DNS entry with the corresponding IP addresses on the different netlinks. The user connects to one of these addresses, and Next Generation Firewall then allocates the connection to one of the server pool members. If the first server pool IP address is unreachable, the user can connect to the server pool s next IP address on a different netlink, depending on the user s application. When dynamic DNS updates are used, the firewall automatically updates the DNS entries based on the availability of the netlinks. When a netlink becomes unavailable, the server pool s IP address for that link is automatically removed from the DNS entry on the external DNS server. When the netlink becomes available, the IP address is again automatically added to the DNS entry. 8

DNS Server Reply Query Server Pool Firewall Cluster DNS Server Server Pool Firewall Cluster Selected Network DNS Server DDNS Update Server Pool Firewall Cluster Next Nextlink X Figure 5. A user connects to one of the external IP addresses given by the DNS server. If that netlink fails, the user can connect to the next external IP address. Optionally, dynamic DNS can be used to update the DNS entries accordingly. 9

VPN Traffic Using Multi-Link - Firewall enhances the reliability of the VPN communications by offering any-toany connectivity with several ISP connections. Multi-Link - Firewall can balance the VPN traffic between multiple network links and fail-over when a link goes down. This reduces the possibility of link congestion or ISP network connectivity breaks and enables always-on connectivity. Multi-Link has significantly improved the reliability and capacity utilization of our VPN lines. This creates considerable time savings for the employees in our IT department and optimizes the costs for the company. This feature is specific to McAfee, a part of Intel Security. To obtain the full benefits from this technology, Next Generation Firewall must be placed on each side of the connection. If a thirdparty gateway supports configuring multiple VPN tunnels between two devices, organizations can still take advantage of Multi-Link Firewall's benefits, but this may limit the capabilities to the events that can be controlled by Next Generation Firewall. Compared to other solutions, our new solutions allow for the dynamic adoption of VPN tunnels, says Susanne Wesner, technical manager at meetyou conferencing GmbH. Additionally, the configuration process can be carried out according to the second-set-of-eyes principle this increases security with an additional inspection level. In a Multi-Link - Firewall configuration, VPN traffic can use one of multiple alternative tunnels to reach the same destination. This ensures that even if one or more tunnels fail, VPN service continues as long as there is at least one tunnel available. David Ong Head of IT Cura Group Firewall Cluster ISP 1 ISP 4 Firewall Cluster LAN A ISP 2 ISP 5 LAN B ISP 3 LEASED LINE Figure 6. Multi-Link - Firewall VPN configurations use, MPLS, and leased-line connections transparently. Some tunnels can be defined as standby, like the leased line in this example. Multi-Link - Firewall VPN can be used between two Next Generation Firewalls when one or both gateways use(s) multiple network connections. Some of the connections can be defined as backup links for VPN traffic, so that they are only used if the active tunnels fail. The standby selection in a VPN is independent from other VPN configurations, so other VPNs can still use those connections continuously. The standby setting is not tied to a particular ISP (netlink) either. For example, in Figure 6, the tunnel between ISP1 and ISP4 could be standby while the tunnel between ISP1 and ISP5 is active. It is also possible to define certain traffic to use a certain tunnel (or set of tunnels) by default. For example, VoIP and video conferencing could be defined to use the MPLS connection primarily, but the connections would still be used as a backup if the MPLS is down for any reason. Even when the fail-over occurs from the MPLS to the links, it is completely transparent to users, as the existing VoIP and video conferencing sessions are maintained. VPN traffic is balanced between the tunnels based on the link availability checks on each VPN tunnel. If one of the links fails or becomes congested, the VPN traffic is routed through the other tunnels.

Standby tunnels are used if all active tunnels become unavailable. Individual tunnels can also be completely disabled so that they are not used for that specific VPN under any conditions. Remote users accessing the corporate network via VPN client software can also benefit from Multi-Link - Firewall technology. If one of the gateway links fails, the VPN client connects to the next available netlink. For more information, visit multilink.internetworking.ch McAfee. Part of Intel Security. 2821 Mission College Boulevard Santa Clara, CA 95054 888 847 8766 www.intelsecurity.com Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2015 McAfee, Inc. Inter-Networking AG (Switzerland) Bahnhofplatz 11 Postfach 8953 Dietikon www.internetworking.ch

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information