High Availability, Security, Scalability and Business Continuity for
Critical Applications
• Application Challenges and Solutions
• Server Farm and Application Security
• Layer 4-7 Security Switches
• Q&A
2 Foundry Networks Confidential and Proprietary
December 2004 © 2004 Foundry Networks, Inc.
• High Availability
Resource Down Implies Service Down – Tight Linkage to Service Availability
Poor Recovery and Fault Tolerance from Traditional Clustering
No Service Resilience During Disasters – Need for Datacenter Redundancy
• Security
Increasing Threat from Sophisticated and High-Speed Attacks
Minimal Security Built into Traditional Servers and Applications
• Scalability and Performance
Scalability Requires Massive Servers and Forklift Upgrades
Sub-Optimal Resource Utilization and Poor Service Response Time
Performance and Bandwidth Bottlenecks for SSL-Enabled Web Applications
• Manageability
Application and Server Proliferation Contributes to Complexity
Operational Changes Disruptive to Service
Superior Application Switching, Security Performance and Scalability
On-Demand and Scalable Web Acceleration and Optimization
Transparent High Performance Web and Non-Web Application Switching
Investment Protection for Servers and Layer 4-7 Switches
[Diagram: Layer 4-7 Application Switches sit between users (Web Browsers, Mobile and Wireless Users, Internet and Intranet Users, FTP) and the server tier (E-Mail Servers, Web Servers, Financial App Servers, Data Storage and Database), alongside SSL Accelerators, Bandwidth Optimizers and Web Caches; DoS Attack Prevention is applied at the switch]
Efficient Load Balancing
Granular Server and Application Health Checking
Advanced Content Switching – URL, Cookies, SSL ID, HTTP Header, XML, Others
Graceful Shutdown and Slow Start for Server Management
Server Connection Offload with HTTP Persistent Connections
Transparent Support for any IP Application – TCP, UDP, Others
High Availability Load Balancing with Rapid Stateful Failover
Inbound or Outbound Caches
[Diagram: Virtual Application Infrastructure – a Layer 4-7 Switch performs Application Switching in front of a Server Farm running Web Apps, Financial Apps and ERP Apps; a new server is added to the pool, and a server whose health check fails is transparently removed from the available pool]
Dedicated Accelerators Co-Deployed with Application Switches or Embedded within them
SSL Acceleration and Termination
Layer 7 Persistence for SSL Traffic
Transparent HTTP Compression
Centralized Certificate Management
Accelerator Scalability with Load Balancing and Failover
Protection against Accelerator Failures – Rapid Failover and Automatic Failure Detection
[Diagram: Virtual Application Infrastructure – Application Switches perform Application Switching for a Server Farm (Web Apps, Financial Apps, ERP Apps) with SSL Accelerators deployed alongside the switches]
Geographic Scalability for Critical Applications
Multi-Site Redundancy and Disaster Recovery
Optimized Performance and End-User Response Time by Localizing Traffic
Transparently Leverage Existing DNS
Select Best Site for User Based on a Range of GSLB Policies
Direct Users to the Selected Site by Returning Site IP in DNS Response
Re-Direct Users to Available Sites
[Diagram: a GSLB Controller in front of the ADNS Server; LDNS #1 and LDNS #2 serve two User Groups; Application Switches at Datacenter #1 and Datacenter #2 report Real Server status to the controller using the GSLB Protocol; numbered steps 1-5 trace the DNS query from the user through the LDNS to the ADNS and the site IP returned in the response]
• Direct User Requests to the Nearest Available Site
• Primary/Backup Datacenter Operation with Automatic Site Failover
• Totally Transparent (Leverages Standards-Based Routing Protocols)
• Optimized Performance and End-User Response by Localizing Traffic
• Rapid Service Restoration During Datacenter Failures
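The GSLB decision described on the two slides above (site health from the application switches, nearest-site and primary/backup policies, automatic site failover), as an added example that is not Foundry's code: the controller takes the ADNS answer listing every site VIP, drops sites whose health check failed, and orders the rest by policy. The site table, the LDNS-to-region map and all addresses are constructed for this example.

```python
# Constructed site table; addresses are from the RFC 5737 documentation ranges.
SITES = {
    "192.0.2.10": {"name": "Datacenter #1", "region": "us-east", "role": "primary"},
    "198.51.100.10": {"name": "Datacenter #2", "region": "eu-west", "role": "backup"},
}
# Constructed LDNS-to-region map (stands in for the controller's proximity data).
LDNS_REGIONS = {"203.0.113.1": "us-east", "203.0.113.2": "eu-west"}


def order_answer(answer_ips, health, ldns_ip, policies=("geo", "primary")):
    """Reorder the ADNS answer for a query relayed by ldns_ip.

    health maps VIP -> True/False as reported by that site's application switch.
    Unhealthy sites are removed (site failover); the remaining sites are sorted
    by the policies in order, so with the default ("geo", "primary") a nearby
    backup site beats a distant primary, and ("primary", "geo") gives strict
    primary/backup operation. If no site is healthy the answer is passed
    through unchanged rather than returning an empty response.
    """
    alive = [ip for ip in answer_ips if health.get(ip, False)]
    if not alive:
        return list(answer_ips)
    region = LDNS_REGIONS.get(ldns_ip)

    def rank(ip):
        site = SITES[ip]
        key = []
        for policy in policies:
            if policy == "geo":
                key.append(0 if site["region"] == region else 1)
            elif policy == "primary":
                key.append(0 if site["role"] == "primary" else 1)
        return key

    return sorted(alive, key=rank)


def failover_demo():
    """Primary/backup operation: a US resolver is sent to Datacenter #1 until
    its health check fails, after which the answer holds only Datacenter #2."""
    adns_answer = list(SITES)  # what the ADNS server returns: every site VIP
    before = order_answer(adns_answer, {"192.0.2.10": True, "198.51.100.10": True}, "203.0.113.1")
    after = order_answer(adns_answer, {"192.0.2.10": False, "198.51.100.10": True}, "203.0.113.1")
    return before[0], after
```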
[Diagram: Users reach Critical Applications through Application Switches at the Primary Datacenter over the Internet / Extranet; a Disaster Health Monitor detects a datacenter failure and the Application Switches at the Disaster Recovery Site take over serving the Critical Applications]
[Diagram: a Load Balancer in the Enterprise Network distributes traffic across Router #1 (ISP1), Router #2 (ISP2) and Router #3 (ISP3) toward the Internet]
• Utilize all available ISP links simultaneously
• Intelligently balance traffic to achieve optimal utilization
• Gain leverage for price and service
• Aggregate low-capacity links to create “fat” virtual links
• Application Challenges and Solutions
• Server Farm and Application Security
• Layer 4-7 Security Switches
• Q&A
• Application Level Threats are the New Menace
Denial of Service Attacks (@ Wire-Speed Gigabit Rates)
Viruses, Worms, Illegal Content Spreading via Application Messages
Application Resource Abuse
E-Mail SPAM
• Key Challenges to Defeating these Threats
Host-Based Approaches are Inadequate and Scale Poorly
Traditional Network Security is NOT Application Aware
Traditional Firewalls Not Designed for High-Performance Protection
Lack of Visibility into the Network
• Layer of Defense for Server Farm and Applications Required
Purpose-Built Layer 4-7 Application Switches Provide this Defense
Denial of Service Attack Protection with SYN-Guard
Application Level Rate Limiting of Server and Client Connections
SPAM Protection and Mitigation with Spam-Def
Always-On sFlow Traffic Monitoring
Virus and Worm Protection with Content Inspection and Filtering
High Performance ACL and NAT
Peak Application Performance while Under Attack
Hardware based Security – Peak Application Performance Under Attack
[Diagram: a Hacker sends a Multi-Gigabit Rate Denial of Service Attack across the IP Network; the Application Switch in front of the Virtual Application Infrastructure blocks the attack's application messages while Legitimate Traffic from a Legitimate Client still reaches the Mission-Critical Application Servers]
[Diagram: Application Switch between clients C1 and C2 and Servers A and B]
C1 (Complete):
1. TCP SYN
2. TCP SYN ACK – Special SEQ
3. TCP ACK – Special SEQ
→ TCP Connection to Server A
C2:
1. TCP SYN
2. TCP SYN ACK – Special SEQ
3. BAD TCP ACK – Special SEQ
→ NO TCP Connection; Server B is Protected from the Attack
• ServerIron’s Connection Proxy and Smart SYN-Cookie Protects Against TCP ACK Attacks
• Offers Firewall Protection when Deployed in Front of Firewalls
• Protects against SYN and ACK Flood Attacks
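The handshake shown in the diagram, as an added example that is not Foundry's code: the switch answers each SYN with a SYN-ACK whose sequence number is a keyed cookie over the connection 4-tuple and a time slot, keeps no per-SYN state, and opens a server-side connection only when the client's ACK equals that cookie plus one. The secret key, the 64-second slot, the client and server addresses and the `SynGuardSwitch` class are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed secret for this example only; a real device keeps its key
# on-box and rotates it.
SECRET = b"example-only-secret"
SLOT_SECONDS = 64  # a SYN-ACK stays answerable for roughly two slots


def cookie(client, server, slot, secret=SECRET):
    """The 'special SEQ' placed in the SYN-ACK (step 2): a 32-bit truncated
    HMAC over the 4-tuple and a time slot. Only the secret holder can make
    it, so the switch can forget the SYN as soon as the SYN-ACK is sent."""
    msg = f"{client[0]}:{client[1]}>{server[0]}:{server[1]}|{slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


class SynGuardSwitch:
    """Connection proxy: answers SYNs statelessly and opens a connection to
    the real server only for clients that return ACK == cookie + 1."""

    def __init__(self, server):
        self.server = server
        self.proxied = []   # clients for which a server connection now exists
        self.dropped = 0    # ACKs that failed validation (no server state created)

    def on_syn(self, client, now):
        # Step 2: reply with a SYN-ACK carrying the cookie; nothing is stored.
        return cookie(client, self.server, int(now) // SLOT_SECONDS)

    def on_ack(self, client, ack, now):
        # Step 3: accept only ACK == cookie + 1 for the current or previous slot.
        slot = int(now) // SLOT_SECONDS
        for s in (slot, slot - 1):
            if ack == (cookie(client, self.server, s) + 1) & 0xFFFFFFFF:
                self.proxied.append(client)   # now, and only now, talk to the server
                return True
        self.dropped += 1
        return False


def demo(now=1_100_000_000):
    """Replays the two flows from the diagram: C1 completes the handshake,
    C2 answers with a bad ACK and never causes a server connection."""
    sw = SynGuardSwitch(("192.0.2.10", 80))      # constructed server VIP
    c1, c2 = ("203.0.113.5", 40000), ("203.0.113.6", 40001)
    seq = sw.on_syn(c1, now)
    c1_ok = sw.on_ack(c1, (seq + 1) & 0xFFFFFFFF, now)
    sw.on_syn(c2, now)
    c2_ok = sw.on_ack(c2, 0, now)                 # bad ACK number
    return c1_ok, c2_ok, len(sw.proxied), sw.dropped
```

Because validation needs only the secret and the clock, a flood of SYNs costs the switch one HMAC per SYN-ACK and no memory, which is the property that keeps the server behind it reachable.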
• Goal: Block as Much SPAM as Possible @ the Network
Minimizes Scope of the Problem by Substantially Reducing SPAM
Makes the Problem Manageable with Reasonable Resources at the
Host Level
• Key Requirements: Dynamic Policy Enforcement
SPAM Lists Could Run into Millions – Scalability is Critical
Lists are Subject to Change – Frequent Download
No Open Windows of Opportunity for Spammers
• Scalability and High Availability of Content Solutions
Host-Based Solutions will Always be Necessary
Targeted Processing Critical to Scale and not go Bankrupt
Intelligent Switching and Load Balancing Brings Sanity
• Application Challenges and Solutions
• Server Farm and Application Security
• Layer 4-7 Security Switches
• Q&A
• Network Perimeter as we knew it is Disappearing
Mobility, Convergence, Remote Access, Growing Internal Threats
Need for Security Everywhere in the Network
• Well Established and Agreed Role of Network to Deliver Security
Organizations are Gravitating Towards Network-Based Security Solutions
Protection for Infrastructure, Services, Critical Resources
• Moving Beyond the Firewall Without Giving Up on Firewalls
Enterprises Endorse the Need for Solutions that Augment Firewalls
Firewall Market is STRONG, but Layer 7 Security is Growing Rapidly
• Emerging Vision/Trend of Network-Wide Security is Catching On
Network Integration is Seen as Inevitable and Required
Solutions that Promote Incremental Steps are Needed
• Growing Attacks and Threats in Content and Service Provider Infrastructure – These Customers Can’t Rely on Firewalls
Wire Speed LAN Switching Security
- L2/L4 DoS Attack Prevention
- Port, CPU, VLAN, & Rogue Protection
sFlow based Anomaly IPS Solution
- Zero-Day Solution
- Interface to Network Mgmt. for Remediation
Anomaly Based IPS
- External Collector, Analyzer
- External Closed-Loop Interface
Security Traffic Mgr. and LAN Switch
- Signature based IPS and More
Application Security and Protection
- Web and URL Security
- Network-based SPAM, DNS and VoIP Security
[Diagram: a Security Traffic Manager (Perimeter Security) faces the Internet; a Secure LAN Switch (Server Farm Protection) fronts the Web & Application Servers; a Security Traffic Manager (In-Line Inside LAN Protection) sits inside the LAN; a Secure LAN Switch (Direct Desktop Protection) serves desktops running Network Admission Control Agents, backed by a Radius / NAC Server; sFlow from the switches feeds the Network Manager, which performs Edge Port Remediation]
[Diagram: at the Perimeter, a Traditional Firewall sits between the WAN and the Enterprise Core, with an In-Line Security Switch placed in front of it]
• Most Firewalls DO NOT
Provide Robust and High Performance DoS Protection
Offer Wire-Speed ACLs
Perform Deep Packet Inspection
Offer High Performance Stateful NAT
Deliver Application Specific Security Protection
• Some Firewall Vendors Position L7 Intrusion Devices Behind the Firewalls
• Security Switch Fits In Front of Firewalls to Offload and Augment
Delivers Wire-Speed L2/3 and Multi-Gigabit L4-7 Security
Position it as Internal Firewall in the Enterprise Network Aggregation Layer – Against Likes of CheckPoint InterSpect
Comparison on the slide:
- Competing internal-firewall appliance: Poor Performance and Steep Price for Minimal Features, and PC Inside the Network
- L4-7 Security Switch: Superior Performance, Switch Architecture, Total Security Features at Attractive LAN Switch Pricing
SecureIron Traffic Manager Provides High Density Gigabit Aggregation and 10 Gigabit Network Connectivity
• Statistical Sampling Delivers Visibility to All Traffic Flows Throughout the Network
Layer 2 through 7 visibility and analysis
• Scales with Network Size and Speeds with no Performance Impact
Technology must be able to Scale to GbE and 10 GbE rates
• Embedded implementations available today – Free!
• Application Challenges and Solutions
• Server Farm and Application Security
• Layer 4-7 Security Switches
• Q&A