ServerIron Application Switches

Layer 4-7 Application Switches in the Data Centre and beyond

High Availability, Security, Scalability and Business Continuity for Critical Applications

Agenda

• Application Challenges and Solutions

• Server Farm and Application Security

• Layer 4-7 Security Switches

• Q&A

2 Foundry Networks Confidential and Proprietary

December 2004 © 2004 Foundry Networks, Inc.

Key Challenges of Business Critical Applications and Server Farms

• High Availability
  - Resource Down Implies Service Down – Tight Linkage to Service Availability
  - Poor Recovery and Fault Tolerance from Traditional Clustering
  - No Service Resilience During Disasters – Need for Datacenter Redundancy

• Security
  - Increasing Threat from Sophisticated and High-Speed Attacks
  - Minimal Security Built into Traditional Servers and Applications

• Scalability and Performance
  - Scalability Requires Massive Servers and Forklift Upgrades
  - Sub-Optimal Resource Utilization and Poor Service Response Time
  - Performance and Bandwidth Bottlenecks for SSL-Enabled Web Applications

• Manageability
  - Application and Server Proliferation Contributes to Complexity
  - Operational Changes Disruptive to Service

The New Datacenter – High Performance Application Switching with Web Acceleration

• Superior Application Switching, Security Performance and Scalability
• On-Demand and Scalable Web Acceleration and Optimization
• Transparent High Performance Web and Non-Web Application Switching
• Investment Protection for Servers and Layer 4-7 Switches

[Diagram: Layer 4-7 application switches sit between the users (web browsers, mobile and wireless users, Internet and intranet users) and the server farm (e-mail servers, web servers, financial app servers, FTP, data storage and database); DoS attack prevention is performed at the switches, which also front the SSL accelerators, bandwidth optimizers and web caches]

Key Features and Benefits

• Efficient Load Balancing
• Granular Server and Application Health Checking
• Advanced Content Switching: URL, Cookies, SSL ID, HTTP Header, XML, Others
• Graceful Shutdown and Slow Start for Server Management
• Server Connection Offload with HTTP Persistent Connections
• Transparent Support for any IP Application – TCP, UDP, Others
• High Availability Load Balancing with Rapid Stateful Failover
• Inbound or Outbound Caches

[Diagram: virtual application infrastructure; a Layer 4-7 switch fronts a server farm of web apps, financial apps and ERP apps, transparently adding a new server to the pool and removing a server from the available pool when its health check fails]

SSL and Web Accelerators

• Dedicated Accelerators Co-Deployed with Application Switches or Embedded within them
• SSL Acceleration and Termination
• Layer 7 Persistence for SSL Traffic
• Transparent HTTP Compression
• Centralized Certificate Management
• Accelerator Scalability with Load Balancing and Failover
• Protection against Accelerator Failures – Rapid Failover and Automatic Failure Detection

[Diagram: virtual application infrastructure; application switches load balance across a pool of SSL accelerators in front of a server farm of web apps, email, financial apps and ERP apps]

Global Server Load Balancing (GSLB)

• Geographic Scalability for Critical Applications
• Multi-Site Redundancy and Disaster Recovery
• Optimized Performance and End-User Response Time by Localizing Traffic
• Transparently Leverage Existing DNS
• Select Best Site for User Based on a Range of GSLB Policies
• Direct Users to the Selected Site by Returning Site IP in DNS Response
• Re-Direct Users to Available Sites

[Diagram: a GSLB controller in front of the authoritative DNS (ADNS) server exchanges site state with the application switches in Datacenter #1 and Datacenter #2 using the GSLB protocol; numbered steps 1-5 trace a user group's query through its local DNS (LDNS #1 or LDNS #2) to the ADNS, the selected site's IP back to the user, and the user's connection to that datacenter's real servers]
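The site-selection step of the slide above (health, then a range of policies, then the chosen site's IP in the DNS answer) as an added example. This is not Foundry's GSLB implementation or its GSLB protocol: the policy order (health, proximity to the requesting LDNS, least connections, round robin), the `Site`/`GslbController` names, the RTT tables and the documentation-range addresses are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not Foundry's GSLB controller: decide which site's VIP the
# authoritative DNS (ADNS) returns for a query from a given local DNS (LDNS).


@dataclass
class Site:
    name: str
    vip: str                       # address returned in the DNS A record
    healthy: bool = True           # reported by the site's application switch
    active_conns: int = 0
    rtt_ms: dict = field(default_factory=dict)   # LDNS prefix -> measured RTT (constructed)


class GslbController:
    def __init__(self, sites, rtt_band=1.2):
        self.sites = {s.name: s for s in sites}
        self.rtt_band = rtt_band   # sites within 20% of the best RTT are treated as equal
        self._rr = 0

    def site_update(self, name, healthy, active_conns=None):
        """State pushed by a site's application switch (the GSLB protocol in the diagram)."""
        s = self.sites[name]
        s.healthy = healthy
        if active_conns is not None:
            s.active_conns = active_conns

    @staticmethod
    def _rtt_to(site, ldns_ip):
        ip = ipaddress.ip_address(ldns_ip)
        hits = [r for p, r in site.rtt_ms.items() if ip in ipaddress.ip_network(p)]
        return min(hits) if hits else None

    def select(self, ldns_ip):
        # Policy 1: health. Only sites whose switch reports healthy are candidates,
        # which is what re-directs users to the surviving site during an outage.
        cands = [s for s in self.sites.values() if s.healthy]
        if not cands:
            return None
        # Policy 2: proximity to the requesting LDNS, when measurements exist.
        measured = [(r, s) for s in cands if (r := self._rtt_to(s, ldns_ip)) is not None]
        if measured:
            best = min(r for r, _ in measured)
            cands = [s for r, s in measured if r <= best * self.rtt_band]
        # Policy 3: least active connections among the remaining sites.
        least = min(s.active_conns for s in cands)
        cands = [s for s in cands if s.active_conns == least]
        # Policy 4: round robin among exact ties.
        chosen = cands[self._rr % len(cands)]
        self._rr += 1
        return chosen

    def dns_answer(self, qname, ldns_ip):
        """What the ADNS returns: the selected site's VIP, or an empty answer with a
        short TTL when no site is available so clients retry soon."""
        site = self.select(ldns_ip)
        return {"qname": qname, "type": "A",
                "rdata": [site.vip] if site else [], "ttl": 30 if site else 5}


def demo_sites():
    # Constructed sites and RTT tables using documentation address ranges.
    return [
        Site("dc1", "198.51.100.10", rtt_ms={"203.0.113.0/24": 20, "192.0.2.0/24": 90}),
        Site("dc2", "198.51.100.20", rtt_ms={"203.0.113.0/24": 80, "192.0.2.0/24": 15}),
    ]
```

Keeping health as the first filter matters more than the ordering of the remaining policies: a proximity rule that runs before the health check would happily hand users the nearest dead datacenter.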

Multi-Site Redundancy with Intelligent Routing Based Global Load Balancing

• Direct User Requests to the Nearest Available Site
• Primary/Backup Datacenter Operation with Automatic Site Failover
• Totally Transparent (Leverages Standards-Based Routing Protocols)
• Optimized Performance and End-User Response by Localizing Traffic
• Rapid Service Restoration During Datacenter Failures

[Diagram: users reach the critical applications over the Internet/extranet through the application switches of the primary datacenter; a disaster health monitor links the primary datacenter to the disaster recovery site, which has its own application switches and critical applications]

ISP Link Load Balancing (LLB)

[Diagram: a load balancer in the enterprise network sits behind Router #1, Router #2 and Router #3, which connect to ISP1, ISP2 and ISP3 respectively and on to the Internet]

• Utilize all available ISP links simultaneously
• Intelligently balance traffic to achieve optimal utilization
• Gain leverage for price and service
• Aggregate low-capacity links to create “fat” virtual links
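An added example of the balancing behind the slide above, not Foundry's LLB implementation: outbound flows are spread across the three ISP links in proportion to link capacity, a failed link is taken out of rotation, and each flow stays pinned to one link because its NAT address must not change mid-connection. The scheduling algorithm (smooth weighted round robin, as nginx uses for upstreams), the `LinkLoadBalancer` name and the link capacities are assumptions made for the example.

```python
# Added example, not Foundry's LLB: capacity-weighted outbound link selection
# with link failure handling and per-flow stickiness.


class LinkLoadBalancer:
    def __init__(self, links):
        self.capacity = dict(links)                  # link name -> capacity in Mbit/s (weight)
        self.up = {name: True for name in links}
        self._current = {name: 0 for name in links}  # smooth weighted round-robin counters
        self.flows = {}                              # 5-tuple -> link it was pinned to

    def set_link_state(self, name, up):
        self.up[name] = up
        if not up:   # flows pinned to a failed link are re-assigned on their next packet
            self.flows = {f: l for f, l in self.flows.items() if l != name}

    def _next_link(self):
        # Smooth weighted round robin: add every live link's weight to its counter,
        # pick the largest counter, subtract the total live weight from the winner.
        # Over one cycle each link gets picks in proportion to its capacity.
        live = [n for n in self.capacity if self.up[n]]
        if not live:
            return None
        total = sum(self.capacity[n] for n in live)
        for n in live:
            self._current[n] += self.capacity[n]
        best = max(live, key=lambda n: self._current[n])
        self._current[best] -= total
        return best

    def pick(self, flow):
        """Return the link for a flow: the pinned one if it is still up, else a new pick."""
        link = self.flows.get(flow)
        if link is None:
            link = self._next_link()
            if link is not None:
                self.flows[flow] = link
        return link


def assign_flows(lb, count, start=0):
    """Push `count` constructed new outbound flows through the balancer; return link -> flow count."""
    counts = {}
    for i in range(start, start + count):
        flow = (f"10.1.{i // 250}.{i % 250}", 40000 + i, "198.51.100.7", 443, "tcp")
        link = lb.pick(flow)
        counts[link] = counts.get(link, 0) + 1
    return counts
```

With capacities of 100, 50 and 50 Mbit/s the three links together behave as one 200 Mbit/s virtual link for new flows, and when ISP1 fails the remaining two absorb everything without any existing flow on ISP2 or ISP3 being disturbed.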


New Security Requirements for Emerging Threats

• Application Level Threats are the New Menace
  - Denial of Service Attacks (@ Wire-Speed Gigabit Rates)
  - Viruses, Worms, Illegal Content Spreading via Application Messages
  - Application Resource Abuse
  - E-Mail SPAM

• Key Challenges to Defeating these Threats
  - Host-Based Approaches are Inadequate and Poor to Scale
  - Traditional Network Security is NOT Application Aware
  - Traditional Firewalls Not Designed for High-Performance Protection
  - Lack of Visibility into the Network

• Layer of Defense for Server Farm and Applications Required
  - Purpose-Built Layer 4-7 Application Switches Provide this Defense

Protection from Attack for Server Farms and Applications

• Denial of Service Attack Protection with SYN-Guard
• Application Level Rate Limiting of Server and Client Connections
• SPAM Protection and Mitigation with Spam-Def
• Always-On sFlow Traffic Monitoring
• Virus and Worm Protection with Content Inspection and Filtering
• High Performance ACL and NAT
• Peak Application Performance while Under Attack

Hardware based Security - Peak Application Performance Under Attack

[Diagram: a hacker sends a multi-gigabit rate denial of service attack across the IP network at the virtual application infrastructure; the application switch blocks the attack's application messages while legitimate traffic from a legitimate client still reaches the mission-critical application servers]

High-Performance SYN and ACK DoS Attack Protection Using SYN Cookies

[Diagram: two clients, C1 and C2, each send (1) a TCP SYN to the application switch, which answers (2) with a TCP SYN ACK carrying a special SEQ. C1 returns (3) a TCP ACK with the matching special SEQ, so the switch completes the connection to Server A. C2 returns (3) a BAD TCP ACK whose special SEQ does not match, so no TCP connection is made and Server B is protected from the attack]

• ServerIron’s Connection Proxy and Smart SYN-Cookie Protects Against TCP ACK Attacks
• Offers Firewall Protection when Deployed in Front of Firewalls
• Protects against SYN and ACK Flood Attacks
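The exchange in the diagram above as an added, runnable example of a stateless SYN-cookie connection proxy. This is not Foundry's SYN-Guard or Smart SYN-Cookie implementation, whose internals the slide does not describe: the cookie layout (5-bit time slot, 3-bit MSS index, 24-bit keyed hash), the key, the VIP and the `SynProxy` class are assumptions made for the example. The property it demonstrates is the one the slide claims: a SYN allocates nothing on the switch, and a bad ACK (client C2) never reaches a real server, while C1's valid ACK completes the proxied connection.

```python
import hashlib
import hmac

# Added example, not Foundry's implementation: a SYN-cookie connection proxy.
# The switch answers every SYN with a cookie as the SYN-ACK sequence number,
# keeps no half-open state, and opens a backend connection only when an ACK
# returns a cookie that validates for the same 4-tuple and time window.

SECRET = b"constructed-secret-rotate-in-production"   # constructed key
MSS_TABLE = [536, 1220, 1440, 1460]    # MSS values encodable in the cookie's 3-bit index
SLOT_SECONDS = 64                       # cookie time slot; one slot of age is accepted


def _slot(now):
    return int(now // SLOT_SECONDS) & 0x1F              # 5-bit time counter


def _tag(src, sport, dst, dport, client_isn, slot):
    # 24-bit keyed hash over the 4-tuple, the client's ISN and the time slot
    msg = f"{src}|{sport}|{dst}|{dport}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """The 'special SEQ' for the SYN-ACK: [5 bits slot][3 bits MSS idx][24 bits tag]."""
    slot = _slot(now)
    idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    return (slot << 27) | (idx << 24) | _tag(src, sport, dst, dport, client_isn, slot)


def check_cookie(src, sport, dst, dport, client_isn, ack, now):
    """Validate the ACK number of a bare ACK. Returns the encoded MSS, or None when
    the cookie is forged, was issued to another 4-tuple, or has expired."""
    cookie = (ack - 1) & 0xFFFFFFFF            # the client acks cookie + 1
    slot, idx, tag = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if ((_slot(now) - slot) & 0x1F) > 1 or idx >= len(MSS_TABLE):
        return None
    expected = _tag(src, sport, dst, dport, client_isn, slot)
    if not hmac.compare_digest(tag.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


class SynProxy:
    """The switch in the slide: C1 completes to a real server, C2's bad ACK is dropped."""

    def __init__(self, vip="198.51.100.10", vport=80):   # constructed VIP
        self.vip, self.vport = vip, vport
        self.backend_connections = []    # populated only after a valid ACK
        self.dropped = 0

    def on_syn(self, client, client_isn, mss, now):
        src, sport = client
        # Nothing is stored for the SYN; the cookie we send back is the only state.
        return make_cookie(src, sport, self.vip, self.vport, client_isn, mss, now)

    def on_ack(self, client, seq, ack, now):
        src, sport = client
        mss = check_cookie(src, sport, self.vip, self.vport, seq - 1, ack, now)
        if mss is None:
            self.dropped += 1            # attack or stale ACK: no server resource consumed
            return "DROP"
        # Valid cookie: open the proxied connection to a real server (simulated here).
        self.backend_connections.append((client, mss))
        return "COMPLETE"
```

Because the switch recomputes the tag instead of looking anything up, an ACK flood costs it one HMAC per packet and nothing in memory, and an ACK replayed from a different source address fails the 4-tuple check just as a forged one does.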

Network-Based SPAM Prevention and Mitigation is the New Emerging Trend

• Goal: Block as Much SPAM as Possible @ the Network
  - Minimizes Scope of the Problem by Substantially Reducing SPAM
  - Makes the Problem Manageable with Reasonable Resources at the Host Level

• Key Requirements: Dynamic Policy Enforcement
  - SPAM Lists Could Run into Millions – Scalability is Critical
  - Lists are Subject to Change – Frequent Download
  - No Open Windows of Opportunity for Spammers

• Scalability and High Availability of Content Solutions
  - Host-Based Solutions will Always be Necessary
  - Targeted Processing Critical to Scale and not go Bankrupt
  - Intelligent Switching and Load Balancing Brings Sanity
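The two requirements in the middle of the slide above, a list that may hold millions of entries and that must be replaced without a window in which it is partly loaded, as an added example. It is not Foundry's Spam-Def: the sorted-range table, the reference-swap reload, the `SenderBlocklist` class and the CIDRs are constructed for the example, and it only covers the connection-level (sender address) part of spam blocking.

```python
import bisect
import ipaddress
import threading

# Added example, not Foundry's Spam-Def: a sender blocklist kept as two sorted
# integer arrays (compact enough for millions of ranges, binary-search lookups)
# that is reloaded by building the new table completely and then swapping one
# reference, so a list download never leaves a half-loaded table in service.


class SenderBlocklist:
    def __init__(self, cidrs=()):
        self._lock = threading.Lock()
        self._table = self._build(cidrs)

    @staticmethod
    def _build(cidrs):
        """Parse CIDR lines into sorted, merged (start, end) integer ranges."""
        ranges = []
        for line in cidrs:
            line = line.strip()
            if not line or line.startswith("#"):
                continue                       # tolerate comments and blank lines in a download
            net = ipaddress.ip_network(line, strict=False)
            if net.version != 4:
                continue                       # IPv4 only in this example
            ranges.append((int(net.network_address), int(net.broadcast_address)))
        ranges.sort()
        merged = []
        for start, end in ranges:
            if merged and start <= merged[-1][1] + 1:      # overlapping or adjacent: merge
                merged[-1] = (merged[-1][0], max(merged[-1][1], end))
            else:
                merged.append((start, end))
        return [s for s, _ in merged], [e for _, e in merged]

    def reload(self, cidrs):
        """Build the replacement table off to the side, then publish it in one assignment."""
        table = self._build(cidrs)
        with self._lock:                       # serialises concurrent reloads only
            self._table = table                # readers see the old table or the new one, never a mix

    def is_blocked(self, ip):
        starts, ends = self._table             # one read of the reference: a consistent snapshot
        x = int(ipaddress.ip_address(ip))
        i = bisect.bisect_right(starts, x) - 1
        return i >= 0 and x <= ends[i]

    def __len__(self):
        return len(self._table[0])


def smtp_connect_policy(blocklist, client_ip):
    """Decision at the switch for an inbound SMTP connection: listed senders are
    rejected before reaching a mail host; everything else still gets host-side filtering."""
    return "reject-at-network" if blocklist.is_blocked(client_ip) else "pass-to-host-filter"
```

The host-side filter remains necessary, as the slide says; what the network stage buys is that the bulk of connections from listed ranges never consume a mail server's SMTP session or content-scanning capacity.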


Security Market Needs and Trends

• Network Perimeter as we knew it is Disappearing
  - Mobility, Convergence, Remote Access, Growing Internal Threats
  - Need for Security Everywhere in the Network

• Well Established and Agreed Role of Network to Deliver Security
  - Organizations are Gravitating Towards Network-Based Security Solutions
  - Protection for Infrastructure, Services, Critical Resources

• Moving Beyond the Firewall Without Giving Up on Firewalls
  - Enterprises Endorse the Need for Solutions that Augment Firewalls
  - Firewall Market is STRONG, but Layer 7 Security is Growing Rapidly

• Emerging Vision/Trend of Network-Wide Security is Catching On
  - Network Integration is Seen as Inevitable and Required
  - Solutions that Promote Incremental Steps are Needed

• Growing Attacks and Threats in Content and Service Provider Infrastructure – These Customers Can’t Rely on Firewalls

Secure Network Architecture Using Layer 4-7 Security Switches

• Wire Speed LAN Switching Security
  - L2/L4 DoS Attack Prevention
  - Port, CPU, VLAN, & Rogue Protection

• sFlow based Anomaly IPS Solution
  - Zero-Day Solution
  - Interface to Network Mgmt. for Remediation

• Anomaly Based IPS
  - External Collector, Analyzer
  - External Closed-Loop Interface

• Security Traffic Mgr. and LAN Switch
  - Signature based IPS and More

• Application Security and Protection
  - Web and URL Security
  - Network-based SPAM, DNS and VoIP Security

[Diagram: a Security Traffic Manager at the Internet edge provides perimeter security; a Secure LAN Switch provides server farm protection for the web and application servers; a second Security Traffic Manager provides in-line protection inside the LAN; a Secure LAN Switch provides direct desktop protection, with Network Admission Control agents on the desktops and a RADIUS/NAC server; the switches send sFlow to the Network Manager, which performs edge port remediation]

Application Switch as Firewall Front End

[Diagram: WAN, then the in-line security switch at the perimeter in front of the traditional firewall, then the enterprise core]

• Most Firewalls DO NOT
  - Provide Robust and High Performance DoS Protection
  - Offer Wire-Speed ACLs
  - Perform Deep Packet Inspection
  - Offer High Performance Stateful NAT
  - Deliver Application Specific Security Protection

• Some Firewall Vendors Position L7 Intrusion Devices Behind the Firewalls

• Security Switch Fits In Front of Firewalls to Offload and Augment
  - Delivers Wire-Speed L2/3 and Multi-Gigabit L4-7 Security

Security Switches Inside the Enterprise LAN – Distribution Layer

Position it as Internal Firewall in the Enterprise Network Aggregation Layer – Against Likes of CheckPoint InterSpect

[Diagram: an L4-7 security switch at the aggregation layer]

Poor Performance and Steep Price for Minimal Features, and PC Inside the Network

Superior Performance, Switch Architecture, Total Security Features at Attractive LAN Switch Pricing

SecureIron Traffic Manager Provides High Density Gigabit Aggregation and 10 Gigabit Network Connectivity

Augment with sFlow for Network-Wide Wire-Speed Visibility

• Statistical Sampling Delivers Visibility to All Traffic Flows Throughout the Network
  - Layer 2 through 7 visibility and analysis

• Scales with Network Size and Speeds with no Performance Impact
  - Technology must be able to Scale to GbE and 10 GbE rates

• Embedded implementations available today – Free!
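An added example of what a collector does with the statistical samples described above, and of the anomaly detection the earlier architecture slide attributes to sFlow. It is not a Foundry collector and does not parse real sFlow datagrams: the records are a constructed, simplified form of an sFlow flow sample (the agent's 1-in-N sampling rate plus the sampled packet's destination, port, source and TCP flags), the thresholds are assumptions, and the 196/sqrt(n) error bound is the standard sFlow sampling-accuracy estimate at 95% confidence.

```python
import math
from collections import defaultdict

# Added example, not a Foundry sFlow collector: scale 1-in-N packet samples up
# to wire-rate estimates per destination and flag SYN-flood-like patterns.


def constructed_samples():
    """Constructed records: a SYN flood at one VIP from 20 spoofed sources,
    plus ordinary traffic to a second VIP. Not captured data."""
    flood = [{"rate": 1024, "src": f"203.0.113.{i % 20 + 1}", "dst": "198.51.100.7",
              "dport": 80, "flags": "S"} for i in range(60)]
    normal = [{"rate": 1024, "src": f"192.0.2.{i + 1}", "dst": "198.51.100.8",
               "dport": 443, "flags": "A"} for i in range(8)]
    normal += [{"rate": 1024, "src": "192.0.2.50", "dst": "198.51.100.8",
                "dport": 443, "flags": "S"} for _ in range(3)]
    return flood + normal


def estimate_by_destination(samples):
    """Each sample stands for `rate` packets on the wire; accumulate the scaled counts."""
    est = defaultdict(lambda: {"syn": 0, "total": 0, "samples": 0, "sources": set()})
    for s in samples:
        d = est[(s["dst"], s["dport"])]
        d["total"] += s["rate"]
        d["samples"] += 1
        if s["flags"] == "S":                  # bare SYN, not SYN-ACK ("SA")
            d["syn"] += s["rate"]
            d["sources"].add(s["src"])
    return est


def relative_error_pct(sample_count):
    """95% confidence bound on a count estimated from n samples: 196 / sqrt(n) percent."""
    return 196.0 / math.sqrt(sample_count) if sample_count else float("inf")


def syn_flood_suspects(samples, interval_s, min_syn_pps=5000, min_syn_ratio=0.5):
    """Destinations whose estimated SYN rate and SYN share both exceed the thresholds.
    The error bound is reported so an operator can tell a firm estimate from a noisy one."""
    out = []
    for (dst, dport), d in estimate_by_destination(samples).items():
        syn_pps = d["syn"] / interval_s
        ratio = d["syn"] / d["total"]
        if syn_pps >= min_syn_pps and ratio >= min_syn_ratio:
            out.append({"dst": dst, "dport": dport, "est_syn_pps": syn_pps,
                        "distinct_sources": len(d["sources"]),
                        "error_pct": round(relative_error_pct(d["samples"]), 1)})
    return out
```

With 60 samples the estimate carries roughly a 25% error bound, which is why the detection keys on both the scaled rate and the SYN share of traffic rather than on an exact packet count; a closed-loop response (the edge port remediation on the architecture slide) would then act on the flagged destination and source set.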


Thank You
