Whitepaper. StoneGate Multi-Link. Ensuring Always-on Connectivity with Significant Savings




Ensuring Always-on Connectivity with Significant Savings

Contents

Executive Summary ................................................ 3
How Multi-Link Works ............................................. 4
Inbound Traffic .................................................. 9
VPN Traffic ...................................................... 11
A Proven Technology Driving Customer Successes ................... 13

2 of 15

Executive Summary

In today's 24x7x365 world, virtually every type and size of organization depends on always-on network connectivity. Service interruptions can mean lost revenue when an online trading company can't execute orders, lost clients for a law firm if its attorneys can't file briefs in time, or even lost lives if critical patient data is not immediately available when needed. According to Infonetics*, organizations are losing as much as 2.2 percent of their annual revenue due to downtime. Whether communicating with customers, partners or employees, organizations rely on continuous connectivity anytime, anywhere.

Traditionally, Internet links have been a single point of failure. To eliminate this risk, organizations have resorted to complicated and costly solutions such as redundant systems, separate failover or standby products, complex protocols like Border Gateway Protocol (BGP), and different connection types like Multi-protocol Label Switching (MPLS) and Frame Relay.

Now there's a better approach. Stonesoft's patented Multi-Link technology, built into its suite of StoneGate Firewall/VPN solutions, provides organizations with highly available Internet connectivity in a simple, straightforward and cost-effective manner. If one line fails, traffic is automatically switched over to the remaining links. Because neither a complicated solution like BGP nor a separate Wide Area Network (WAN) load balancer is required, there is no need for BGP-capable routers or an additional layer of load-balancing hardware, which means not only cost savings but also a simpler infrastructure. Multi-Link technology can integrate with any type of connection to ensure that inbound, outbound and VPN traffic is delivered securely through the fastest connections without incident or disruptive downtime.

Multi-Link can accommodate Digital Subscriber Lines (DSL), leased lines, cable modems, satellite, and even WAN links such as point-to-point, MPLS, and Frame Relay. As a result, organizations gain the flexibility to deploy any type or number of connections best suited to their environment and their budget. Combined with StoneGate's active load balancing and Quality of Service (QoS) capabilities, Multi-Link also optimizes networks and supports emerging technologies such as Voice over IP (VoIP) and video conferencing. As a result, organizations gain granular control of their networks and can ensure the availability of applications that are mission-critical to their operations.

*Infonetics: The Cost of Enterprise Downtime, 2007

How Multi-Link Works

Outbound Traffic

A single connection to the Internet is a single point of failure: if the connection becomes unavailable, all outbound traffic is blocked. To prevent this, Stonesoft's patented Multi-Link technology distributes outbound traffic between multiple network connections. Multi-Link ensures that Internet connectivity remains available even if one or more network connections fail. The StoneGate Firewall/VPN can also load balance outbound traffic between the network connections to use the available Internet capacity more efficiently. Organizations can use Multi-Link on both single and clustered firewalls.

The network connections for Multi-Link are represented by netlink elements in the StoneGate Management Center. In most cases, a netlink element represents an Internet Service Provider (ISP) connection. However, netlinks can also represent a leased line, xDSL or any other type of network connection mediated by the firewall.

Load Balancing

Load balancing can be based on two methods: round trip time and ratio.

When the round trip time method is used, netlink performance is measured for each new Transmission Control Protocol (TCP) connection by sending the initial request (SYN) to the destination through all the available netlinks. When the destination host sends the reply (SYN-ACK), the netlink that receives the reply first is used to complete the TCP connection establishment. The firewall cancels the slower connection attempts by sending a TCP Reset (RST) to the destination through the other netlinks. This way, the fastest route is selected automatically for each connection based on the round trip time measurement. Information about the performance of each netlink is cached, so no new measurement is made if a new connection is opened to the same destination within a short time period.

Figure 1. Selecting the fastest netlink for outbound connections

There are, however, times when the ratio method may be preferred. For example, if one ISP's bandwidth far exceeds that of the smaller ISP connections supplementing it, a smaller ISP may still return the SYN-ACK first. While this looks like the fastest connection, the round trip time measurement does not take the proportionate bandwidth available into account. StoneGate Multi-Link resolves this with the ratio method. When the ratio method is used, traffic is distributed between all of the available netlinks according to the relative capacity of the links. The bandwidth of each netlink is compared with the bandwidth of the netlink that has the most bandwidth to produce a ratio for distributing the traffic. When the volume of traffic is low, the actual traffic distribution only approximates this ratio. When the volume of traffic is high, the ratio of traffic handled by each netlink is closer to the ratio calculated from the link capacities. In the example below, standard outbound load balancing could result in using the 2 Mbps link even though the 5 Mbps link may be more efficient. Ratio-based load balancing allows Multi-Link to take the larger link(s) into consideration, making more granular and efficient use of the available links.

Figure 2. Traffic is distributed according to the relative capacity of the links (1 Mbps, 2 Mbps and 5 Mbps)
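As an added illustration (not code from the paper or from StoneGate), the following Python simulation models both selection methods described above: the SYN race with a per-destination cache for the round trip time method, and proportional distribution for the ratio method using the 1, 2 and 5 Mbps links of Figure 2. The probe function, the cache lifetime and the link names are assumptions.

```python
import time
from fractions import Fraction

# Constructed netlink capacities in Mbps, matching the paper's Figure 2
# (the link names are placeholders, not taken from the paper).
NETLINKS = {"ISP1": 1, "ISP2": 2, "ISP3": 5}


class RttSelector:
    """Round trip time method: the SYN is sent through every available netlink,
    the netlink whose SYN-ACK arrives first completes the connection, the other
    attempts are cancelled with a TCP RST, and the winner is cached per
    destination for a short period."""

    def __init__(self, probe, cache_ttl=30.0, now=time.monotonic):
        self.probe = probe          # probe(netlink, dest) -> SYN-ACK delay in s, or None
        self.cache_ttl = cache_ttl  # seconds a measurement stays valid (assumed value)
        self.now = now
        self.cache = {}             # dest -> (netlink, time of measurement)
        self.resets = []            # (netlink, dest) pairs a RST was sent through

    def select(self, dest, available):
        hit = self.cache.get(dest)
        if hit and hit[0] in available and self.now() - hit[1] < self.cache_ttl:
            return hit[0]           # recent measurement: no new SYN race
        delays = {nl: self.probe(nl, dest) for nl in available}
        answered = {nl: d for nl, d in delays.items() if d is not None}
        if not answered:
            return None             # destination unreachable through every netlink
        winner = min(answered, key=answered.get)
        # the slower attempts are torn down through the other netlinks
        self.resets.extend((nl, dest) for nl in available if nl != winner)
        self.cache[dest] = (winner, self.now())
        return winner


class RatioSelector:
    """Ratio method: each netlink's bandwidth is compared with the largest
    netlink's to get its share, and new connections are handed out so that the
    per-link counts approach that share as the volume grows."""

    def __init__(self, bandwidths):
        top = max(bandwidths.values())
        # share relative to the largest link, e.g. 1/5, 2/5 and 1 for Figure 2
        self.ratio = {nl: Fraction(bw, top) for nl, bw in bandwidths.items()}
        self.assigned = {nl: 0 for nl in bandwidths}

    def select(self, available):
        # give the connection to the netlink furthest below its share
        # (exact rational arithmetic, so equal shares tie deterministically)
        winner = min(available, key=lambda nl: self.assigned[nl] / self.ratio[nl])
        self.assigned[winner] += 1
        return winner


def distribution(selector, available, n):
    """How n new connections would be spread over the netlinks."""
    counts = {nl: 0 for nl in available}
    for _ in range(n):
        counts[selector.select(available)] += 1
    return counts
```

With only eight connections the ratio method already lands on 1:2:5; with the RTT method the 2 Mbps link wins whenever its SYN-ACK comes back first, which is exactly the case the paper describes.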

Standby Links for High Availability

Standby netlinks allow organizations to define a netlink as a backup that is only activated when all primary netlinks are unavailable. This minimizes the use of netlinks that are more expensive (for example, where the cost is based on the amount of traffic used) or otherwise less preferable, while still ensuring high availability of Internet connectivity. To determine which netlinks are available, the status of the netlinks is monitored by sending Internet Control Message Protocol (ICMP) Echo Requests (ping) through each netlink. If no response is received before the end of the defined timeout interval, the netlink is considered unavailable.

Figure 3. The standby netlink is activated only if all the primary netlinks fail.

As soon as one or more primary netlinks become active again, the standby netlinks are deactivated. Previously established connections continue to be handled by the deactivated netlink, but new connections are no longer sent to the standby netlink. Organizations can define multiple active netlinks and multiple standby netlinks. When load balancing is used with standby netlinks, traffic is only distributed between the netlinks that are currently active; standby netlinks are not activated to balance the load. Organizations can therefore use expensive traffic-based links as backup links, since in an emergency even they become cost-effective compared with the risk of losing connectivity.

QoS Classes

Organizations can optionally assign a QoS class to each netlink. Assigning a QoS class to a netlink specifies that traffic with the selected QoS class is routed through that netlink. The same QoS class can be assigned to more than one netlink. When no QoS class is assigned to a particular netlink, traffic is routed through that netlink according to the load balancing method selected. The actual QoS classes are assigned to specific traffic in the firewall policy, or in the QoS policy based on the Differentiated Services Code Point (DSCP) values of the incoming traffic. Figure 4 shows one example of why QoS classes are used with netlinks.

Figure 4. Email traffic can be sent over the high-latency satellite connection while the VoIP traffic is sent over the low-latency links.

Activating Outbound Multi-Link for Selected Traffic Only

Multi-Link for outbound connections is implemented with Network Address Translation (NAT) rules in the firewall policy, which makes the configuration very granular. It is not necessary for all traffic to be balanced; the decision can be made on a rule-by-rule basis using any combination of the match fields in the firewall policy. When a NAT rule that balances outbound connections matches the traffic, only the traffic that matches the rule is balanced, and only according to the settings made for that specific rule. Organizations can share the same settings in multiple NAT rules, or they can define all outbound traffic to be balanced the same way.

Some protocols cannot use dynamic NAT based on IP/port translation. To achieve high availability and load balancing for connections that use these protocols, organizations can use static NAT as well. When static NAT is used, the size of the source network must be the same as the size of the network used for address translation.
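An added Python sketch (written for this page, not Stonesoft's implementation) of the standby and QoS-class behaviour described in the two sections above: ICMP probe results checked against a timeout decide which netlinks are available, standby links are activated only when every primary is down, established connections stay on a link that is later deactivated, and a QoS class pins traffic to the netlink it is assigned to. The link names, the timeout value and the fallback for class-pinned traffic when no matching netlink is active are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Netlink:
    name: str
    standby: bool = False                           # backup link, activated only when every primary is down
    qos_classes: set = field(default_factory=set)   # QoS classes pinned to this netlink
    available: bool = True                          # result of the last ICMP Echo probe


class OutboundMultiLink:
    """Netlink availability from ICMP Echo probes, standby activation and
    QoS-class pinning for new outbound connections (simulation only)."""

    def __init__(self, netlinks, timeout=5.0):
        self.netlinks = {nl.name: nl for nl in netlinks}
        self.timeout = timeout            # echo reply timeout in seconds (assumed value)
        self.connections = {}             # connection id -> netlink carrying it

    def probe_result(self, name, reply_time):
        """reply_time is the echo reply delay in seconds, or None for no reply.
        A reply that arrives after the timeout counts the same as no reply."""
        self.netlinks[name].available = reply_time is not None and reply_time <= self.timeout

    def active_netlinks(self):
        primaries = [nl for nl in self.netlinks.values() if nl.available and not nl.standby]
        if primaries:
            return primaries              # standby links stay inactive, even under load
        return [nl for nl in self.netlinks.values() if nl.available and nl.standby]

    def select(self, conn_id, qos_class=None, balance=None):
        """Pick the netlink for a new connection. balance(names) stands in for the
        RTT or ratio method and defaults to the first candidate."""
        active = self.active_netlinks()
        candidates = []
        if qos_class:
            candidates = [nl for nl in active if qos_class in nl.qos_classes]
        if not candidates:
            # no pinned link for this class: use the links carrying load-balanced
            # traffic, i.e. those without a QoS class (assumption: fall back to
            # any active link if every active link is class-pinned)
            candidates = [nl for nl in active if not nl.qos_classes] or active
        if not candidates:
            return None                   # no Internet connectivity at all
        names = [nl.name for nl in candidates]
        chosen = balance(names) if balance else names[0]
        self.connections[conn_id] = chosen
        return chosen

    def netlink_for(self, conn_id):
        """Established connections stay where they are: deactivating a standby
        netlink only stops new connections from using it."""
        return self.connections[conn_id]
```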

Inbound Traffic

The StoneGate server pool is a built-in load balancer in the firewall that can be used to distribute incoming traffic between a group of servers, balancing the load efficiently and ensuring that services remain available even when a server in the pool fails. The server pool has a single external IP address that users (customers, partners and employees) connect to, and StoneGate then uses NAT to distribute the incoming traffic to the different servers. The server pool itself does not require Multi-Link, but Multi-Link can be used to improve server pool availability by providing access to the server pool through multiple Internet connections. Organizations can also use Multi-Link with just one server in the server pool to take advantage of dynamic Domain Name System (DNS) updates, as explained in Figure 5.

When dynamic DNS updates are not used, Multi-Link is based on assigning a different IP address to the server pool in each netlink. The server pool's DNS entry on the external DNS server must be configured with an individual IP address for each netlink so that users can access the servers through the different netlinks. When a connecting user requests the IP address for the server pool's DNS name, the DNS server sends the server pool's DNS entry with the corresponding IP addresses on the different netlinks. The user connects to one of these addresses and StoneGate then allocates the connection to one of the server pool members. If the first server pool IP address is unreachable, the user can connect to the server pool's next IP address on a different netlink, depending on the user's application.

When dynamic DNS updates are used, the firewall automatically updates the DNS entries based on the availability of the netlinks. When a netlink becomes unavailable, the server pool's IP address for that link is automatically removed from the DNS entry on the external DNS server. When the netlink becomes available again, the IP address is automatically added back to the DNS entry.

Figure 5. A customer connects to one of the external IP addresses given by the DNS server. If that netlink fails, the customer connects to the next external IP address. Optionally, dynamic DNS can be used to update the DNS entries accordingly.
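The inbound behaviour of Figure 5 as an added simulation (not StoneGate code): one external address per netlink, NAT to the pool members, and a dynamic DNS mode that removes a netlink's address from the entry while that netlink is down. The addresses are constructed from documentation ranges; the round-robin member choice and the client's try-next-address loop are assumptions.

```python
class ServerPool:
    """Server pool with one external address per netlink, NAT to the pool
    members and optional dynamic DNS updates (simulation written for this
    example, not Stonesoft code)."""

    def __init__(self, dns_name, external_ips, members, dynamic_dns=False):
        self.dns_name = dns_name
        self.external_ips = dict(external_ips)     # netlink name -> public address
        self.members = list(members)               # internal server addresses
        self.member_up = {m: True for m in members}
        self.netlink_up = {nl: True for nl in external_ips}
        self.dynamic_dns = dynamic_dns
        self.zone = {dns_name: list(external_ips.values())}   # the external DNS server
        self.rr = 0                                # round-robin position for NAT

    def set_netlink(self, netlink, up):
        self.netlink_up[netlink] = up
        if self.dynamic_dns:
            # the firewall pushes the change to the external DNS server:
            # addresses of unavailable netlinks disappear from the entry
            self.zone[self.dns_name] = [ip for nl, ip in self.external_ips.items()
                                        if self.netlink_up[nl]]

    def set_member(self, member, up):
        self.member_up[member] = up

    def resolve(self):
        """What a client gets when it looks up the pool's DNS name."""
        return list(self.zone[self.dns_name])

    def connect(self, dst_ip):
        """Client packet to a published address: returns the pool member the
        firewall NATs it to, or None if the netlink is down (the packet never
        arrives) or no member is alive."""
        netlink = next((nl for nl, ip in self.external_ips.items() if ip == dst_ip), None)
        if netlink is None or not self.netlink_up[netlink]:
            return None
        live = [m for m in self.members if self.member_up[m]]
        if not live:
            return None
        member = live[self.rr % len(live)]
        self.rr += 1
        return member


def client_connect(pool):
    """Figure 5 client behaviour: try each published address in turn, so a
    failed netlink costs one failed attempt when dynamic DNS is off."""
    for ip in pool.resolve():
        member = pool.connect(ip)
        if member is not None:
            return ip, member
    return None
```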

VPN Traffic

Using Multi-Link enhances the reliability of VPN communications by offering any-to-any connectivity over several Internet service provider connections. Multi-Link can balance the VPN traffic between multiple network links and fail over when a link goes down. This reduces the possibility of link congestion or ISP network connectivity breaks and enables always-on connectivity. Please note that Multi-Link is a StoneGate-specific feature supported only with StoneGate gateways at both ends. If a third-party gateway allows multiple VPN tunnels to be configured between two devices, organizations can still take advantage of StoneGate Multi-Link's benefits to the extent that the events can be controlled by the StoneGate appliances. In a Multi-Link configuration, the VPN traffic can use one of multiple alternative tunnels to reach the same destination. This ensures that even if one or more tunnels fail, the VPN service continues as long as at least one tunnel is available.

Figure 6. Multi-Link VPN configurations utilize Internet, MPLS and leased line connections transparently. Some tunnels can be defined as standby, like the leased line in this example.

Multi-Link VPN can be used between two StoneGate gateways when one or both gateways use multiple network connections. Some of the connections can be defined as backup links for VPN traffic, so that they are only used if the active tunnels fail. The standby selection in a VPN is independent of other VPN configurations, so other VPNs can still use those connections continuously. The standby setting is not tied to a particular ISP (netlink) either. For example, in Figure 6 on the previous page, the tunnel between ISP1 and ISP4 could be standby while the tunnel between ISP1 and ISP5 is active.

It is also possible to define certain traffic to use a certain tunnel (or set of tunnels) by default. For example, VoIP and video conferencing could be defined to use the MPLS connection primarily, while the Internet connections would still be used as a backup if the MPLS link is down for any reason. Even when failover occurs from the MPLS to the Internet links, it is completely transparent to the users, as the existing VoIP and video conferencing sessions are maintained.

VPN traffic is balanced between the tunnels based on the link availability checks on each VPN tunnel. If one of the links fails or becomes congested, the VPN traffic is routed through the other tunnels. Standby tunnels are used if all active tunnels become unavailable. Individual tunnels can also be completely disabled so that they are not used for that specific VPN under any conditions. StoneGate VPN clients, used for example by remote workers, can also use Multi-Link: if one of the gateway's links fails, the VPN client connects to the next available netlink.
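An added Python model (not Stonesoft code) of the tunnel selection described above, using the netlink names of Figure 6: tunnels are (local, remote) netlink pairs that are active, standby or disabled for this VPN only, and a traffic class can prefer a tunnel set with fallback to the remaining usable tunnels when all preferred ones are down. The tunnel list, the names and the first-usable tie-break are assumptions.

```python
class MultiLinkVPN:
    """Tunnel selection for one VPN between two multi-homed gateways
    (simulation only). Each tunnel is a (local netlink, remote netlink) pair
    and is active, standby or disabled for this VPN and no other."""

    def __init__(self, tunnels, standby=(), disabled=()):
        self.tunnels = list(tunnels)
        self.standby = set(standby)
        self.disabled = set(disabled)
        self.up = {t: True for t in self.tunnels}   # per-tunnel availability check result
        self.preferred = {}                           # traffic class -> preferred tunnel set

    def prefer(self, traffic_class, tunnels):
        """Route a traffic class through these tunnels by default (e.g. VoIP over MPLS)."""
        self.preferred[traffic_class] = set(tunnels)

    def check(self, tunnel, up):
        """Record the outcome of the availability check on one tunnel."""
        self.up[tunnel] = up

    def usable(self):
        """Active tunnels that are up; standby tunnels only when no active tunnel
        is up. Disabled tunnels are never used for this VPN."""
        live = [t for t in self.tunnels if self.up[t] and t not in self.disabled]
        active = [t for t in live if t not in self.standby]
        return active or [t for t in live if t in self.standby]

    def route(self, traffic_class=None):
        """Tunnel for a new flow: a preferred tunnel if one is usable, otherwise
        any usable tunnel (the MPLS -> Internet failover of the text)."""
        usable = self.usable()
        preferred = [t for t in usable if t in self.preferred.get(traffic_class, ())]
        return (preferred or usable or [None])[0]
```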

A Proven Technology Driving Customer Successes

In today's always-on world, organizations expect their connections to be available 100 percent of the time. With the goal of cost-effective, continuous connectivity in mind, many organizations have found the answer in Stonesoft's patented Multi-Link technology, built into the StoneGate Firewall/VPN solutions. Here are just a few examples of customer successes using Stonesoft's Multi-Link technology.

Wise Business Forms, a leading print manufacturer, implemented the StoneGate Firewall/VPN solution with Multi-Link technology to easily integrate disparate office connections and significantly improve network performance and security. The deployment enabled Wise to successfully move from a Multi-Protocol Label Switching (MPLS) connection to a combination of more cost-effective ISP connections. As a result of the superior connectivity, ease of deployment and administration, and security advancements, Wise expects to record a Return on Investment (ROI) within 16 months of implementing the StoneGate solution.

When Canadian MedicAlert launched its online portal and electronic Personal Health Record in 2005, the organization required a solution that could ensure constant network access. The IT staff found that Stonesoft's Multi-Link technology could support multiple ISP failover connections and ensure fault-tolerant inbound and outbound Internet access. Stonesoft not only offered MedicAlert savings by eliminating the cost and complexity associated with a Border Gateway Protocol (BGP) setup, but also provided a comprehensive, fully integrated security platform to meet its requirements for patient data protection.

Plaza Construction, the largest construction management organization in the New York metropolitan area, relies on its ability to maintain constant data communications from its remote construction sites to its headquarters. At rugged construction sites, communication lines are frequently cut or moved, causing potential lapses in connectivity with client-server based business applications. The company implemented the StoneGate solution with separate xDSL and cable modem connections. If a line is cut, Plaza Construction can maintain the VPN connection with session failover, which is transparent to the user. In addition, large file transfers are completed faster with more aggregate bandwidth available at the job site.

Conyers Dill & Pearman, an offshore law firm based in Bermuda, needed a networking solution to ensure continuous business uptime and minimize the difficulties of managing a complex distributed network. The firm chose the StoneGate Firewall/VPN solution with Multi-Link technology to guarantee always-on connectivity across its branch locations and enhance network performance. In addition, the firm significantly reduced overall IT costs by clustering the StoneGate Firewall/VPNs at each location and centrally managing network security updates from headquarters.

When Grupo Posadas, a leading Latin American hotel company, acquired the Grupo Mexicana airline and GloboGo, an online travel reservation company, it became even more important for the company to ensure network uptime, security and manageability. Grupo Posadas chose the StoneGate Firewall/VPN solution with Multi-Link technology for its automatic failover capabilities. With the StoneGate Management Center, the company gained more in-depth visibility into network traffic and improved network security and threat prevention.

With Multi-Link, these organizations are able to reduce the costs associated with maintaining always-on connectivity. Even more importantly, they can mitigate the productivity and financial risks inherent in network downtime, ranging from customer, partner and employee dissatisfaction when they can't access critical applications and services to loss of corporate credibility.

About Stonesoft

Stonesoft Corporation (NASDAQ OMX: SFT1V) delivers proven, innovative solutions that simplify network security management for even the most complex network environments. The award-winning StoneGate Platform unifies firewall, VPN, IPS and SSL VPN, blending integrated threat management, end-to-end high availability and network optimization into a centrally controlled system. As a result, Stonesoft provides an unparalleled level of proactive security, always-on connectivity and compliance at the lowest total cost of ownership on the market today. Founded in 1990, the company is an established leader in network security innovation with corporate headquarters in Helsinki, Finland and Americas headquarters in Atlanta, Georgia. For more information, visit www.stonesoft.com.

About the Author

Pentti Lehtinen is technical director for Stonesoft Inc. He has more than 18 years of experience in information technology, including nearly a decade focused on information security. He has worked for Stonesoft since 1998, with roles in product management, pre-sales, technical support, product training, and R&D. Prior to moving to Atlanta, he was the director of product management at Stonesoft's corporate headquarters in Helsinki, responsible for the strategic direction of Stonesoft's expanding StoneGate product portfolio and for managing technology and OEM partnerships. Lehtinen is a Certified Information Systems Security Professional (CISSP).

www.stonesoft.com

Stonesoft Corporation, International Headquarters
Itälahdenkatu 22 A, FI-00210 Helsinki, Finland
tel. +358 9 4767 11, fax +358 9 4767 1234

Stonesoft Inc., Americas Headquarters
1050 Crown Pointe Parkway, Suite 900, Atlanta, GA 30338, USA
tel. +1 866 869 4075, fax +1 770 668 1131

Copyright 2009 Stonesoft Corporation. All rights reserved. All specifications are subject to change. Public 01/09