
Translated version of LinkProof D (raw).


1.1 LinkProof: multi-link load balancing and firewall load balancing

1.1.1 Basic principles of the multi-link solution

Below is a typical deployment of the LinkProof solution.

In the figure, the multi-link network reaches the Internet through ISP1 and ISP2. Each ISP has assigned the network an IP address block: assume ISP1 assigned 100.1.1.0/24 and ISP2 assigned 200.1.1.0/24 (200.1.1.0/24 denotes network address 200.1.1.0 with a 24-bit mask, i.e. 255.255.255.0). Correspondingly, the Internet reaches 100.1.1.0/24 through ISP1 and 200.1.1.0/24 through ISP2. The hosts and servers on the network belong to the private segment 192.168.1.0/24. In the LinkProof solution a LinkProof intelligent switch sits between the internal router and the ISP links, and all address handling and Internet link optimization is performed by it. As shown, the LinkProof has IP address 100.1.1.2/24 bound to port 1, 200.1.1.2/24 bound to port 2 and 192.168.1.2/24 bound to port 3. The solution works as follows.

1.1.1.1 LinkProof outbound traffic processing

LinkProof handles outgoing traffic mainly in the following ways.

SmartNAT. To manage the addresses of outgoing traffic intelligently, LinkProof uses an algorithm called SmartNAT. When LinkProof selects a router (that is, an ISP) for outgoing traffic, it also selects the address block of that ISP. In Figure 2, if LinkProof chooses ISP1 as the outbound path, it translates the internal host address 192.168.1.A/24 to 100.1.1.A/24 and uses that as the source address of the outgoing packets. Likewise, if LinkProof chooses ISP2 as the outbound path, it translates 192.168.1.A/24 to 200.1.1.A/24 and uses that as the source address.

Content routing. To optimize outgoing traffic, LinkProof also applies proximity measurement to outbound flows. When an internal host accesses a given Internet site, the path through one ISP may be more effective than the path through another. LinkProof therefore provides a proximity algorithm that chooses, for traffic towards a particular site, the ISP path that reaches the desired content fastest, improving service quality. For each destination the proximity calculation considers routing hops, latency and the load on each path, and selects the best outbound path.

1.1.1.2 LinkProof inbound traffic processing

LinkProof must manage not only outgoing traffic but also access from the Internet, that is, inbound traffic. Assume Server1 in Figure 2 is a web server with Internet host name www.radware.com and private IP address 192.168.1.100/24.

SmartNAT

The SmartNAT function, combined with the DNS proxy integrated in LinkProof, performs load balancing of inbound traffic.

As shown in Figure 3, the primary DNS server carries two NS records pointing at LinkProof:

NS www.Radware.com 100.1.1.2
NS www.Radware.com 200.1.1.2

On LinkProof, the host name is mapped to the internal host address:

www.radware.com 192.168.1.100

and static address translations are configured on LinkProof:

192.168.1.100 100.1.1.3
192.168.1.100 200.1.1.3

When an Internet user visits www.radware.com, the DNS server refers the query to LinkProof, which completes the final address resolution. LinkProof selects a line according to the ISP settings: if it chooses ISP1 it resolves the name to 100.1.1.3, and if it chooses ISP2 it resolves it to 200.1.1.3. This completes the load balancing of inbound traffic. The process is shown in the diagram below:
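To make the inbound sequence concrete, here is a small added simulation (not Radware code and not part of the original page) of an authoritative DNS proxy that answers with the static NAT address of a healthy ISP. The host name, the internal address 192.168.1.100 and the public addresses 100.1.1.3 and 200.1.1.3 are the page's; the round-robin selection, the 30-second TTL and the per-link health flags are assumptions for the example.

```python
from itertools import cycle

# Values from the page's example: static NAT addresses for the web server, one per ISP.
STATIC_NAT = {
    "ISP1": {"192.168.1.100": "100.1.1.3"},
    "ISP2": {"192.168.1.100": "200.1.1.3"},
}
# Host name to internal address mapping configured on LinkProof.
HOSTS = {"www.radware.com": "192.168.1.100"}


class InboundDnsProxy:
    """Authoritative answers for hosted names, pointing at a healthy ISP's address.

    Link selection is round-robin here (an assumption); the real device also
    weighs proximity and load when picking the ISP.
    """

    def __init__(self, nat_table, hosts, ttl=30):
        self.nat = nat_table
        self.hosts = hosts
        # Short TTL (assumed) so resolvers re-query soon after a link fails.
        self.ttl = ttl
        self.healthy = set(nat_table)          # every ISP starts healthy
        self._rr = cycle(sorted(nat_table))

    def set_link_state(self, isp, up):
        if up:
            self.healthy.add(isp)
        else:
            self.healthy.discard(isp)

    def choose_isp(self):
        # Walk the ring at most once, skipping links the health check marked down.
        for _ in range(len(self.nat)):
            isp = next(self._rr)
            if isp in self.healthy:
                return isp
        return None

    def answer(self, qname):
        """Return a minimal DNS-style response for an A query."""
        inner = self.hosts.get(qname)
        if inner is None:
            return {"rcode": "NXDOMAIN", "answers": []}
        isp = self.choose_isp()
        if isp is None:
            # Every link is down: fail the query rather than hand out a dead address.
            return {"rcode": "SERVFAIL", "answers": []}
        return {
            "rcode": "NOERROR",
            "ttl": self.ttl,
            "via": isp,
            "answers": [(qname, "A", self.nat[isp][inner])],
        }


if __name__ == "__main__":
    proxy = InboundDnsProxy(STATIC_NAT, HOSTS)
    for _ in range(2):
        print(proxy.answer("www.radware.com"))
    proxy.set_link_state("ISP1", up=False)
    print(proxy.answer("www.radware.com"))   # only 200.1.1.3 is handed out now
```

Two practical points follow from this model. The page's zone has NS records for both 100.1.1.2 and 200.1.1.2, so the delegation itself stays reachable when one link is down; and the answer TTL decides how long clients that cached the failed link's address keep trying it, which is why inbound link load balancing normally uses short TTLs.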

LinkProof SmartNAT Inbound (process diagram). 1: the external user asks the local DNS server for www.site.com. 2: the local DNS server asks the authoritative DNS for site.com. 3: the authoritative server replies "go ask NS1 or NS2", the two LinkProof addresses. 4: the local DNS server asks LinkProof for www.site.com. 5: LinkProof tells it IP = 200.1.1.3. 6: the user is told www.site.com = 200.1.1.3. The web server www.site.com is 192.168.1.100 internally; LinkProof SmartNATs it to 100.1.1.3 for ISP 1 and 200.1.1.3 for ISP 2.

Operation of the session table. For outbound traffic to flow correctly, when a local user initiates a request to a remote server LinkProof creates a session record that notes which ISP link (LinkProof calls it an NHR, next-hop router) the user used to reach the Internet server. When the server responds, LinkProof consults that session record and translates the response address back correctly before delivering it to the user.

For inbound traffic the remote user initiates the connection to the local server. How does LinkProof make sure the return traffic leaves on the same link it came in on? As for outbound flows, LinkProof creates a "reverse" session record that notes the NHR through which the remote user arrived, keeping the session consistent. Below are LinkProof session table entries. Dir is the session direction: TO and FR (from) are opposites, meaning outbound and inbound respectively.

Client Addr     Dst Addr         NHR Addr        Src P  Dst P  AttchTime  T   Dir
10.198.16.93    218.102.180.206  210.53.207.37   4442   80     4566013    DN  TO
10.193.49.205   221.205.1.24     211.156.187.1   3426   21     4562192    DN  TO
210.53.201.130  220.170.139.110  210.53.207.37   80     1881   4564984        FR

1.1.2 Advantages of the Radware multi-link solution
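The following is an added simulation of the SmartNAT translation and the forward/reverse session table described above (example code, not Radware's implementation and not part of the original page). Addresses follow the page's example: 192.168.1.0/24 inside, 100.1.1.0/24 via ISP1, 200.1.1.0/24 via ISP2, and the static translations of 192.168.1.100 to 100.1.1.3 and 200.1.1.3. Round-robin link selection, and dropping inbound packets that hit a static address on the other ISP's link, are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from itertools import cycle

INTERNAL = ipaddress.ip_network("192.168.1.0/24")
# Address block assigned by each ISP; "NHR" (next-hop router) is the page's term for a link.
NHR_POOL = {
    "ISP1": ipaddress.ip_network("100.1.1.0/24"),
    "ISP2": ipaddress.ip_network("200.1.1.0/24"),
}
# Static translations for the published web server: public address -> (link, inner address).
STATIC_NAT = {
    "100.1.1.3": ("ISP1", "192.168.1.100"),
    "200.1.1.3": ("ISP2", "192.168.1.100"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Session:
    nhr: str         # link the session is pinned to
    inner: str       # private address of the local host
    public: str      # address LinkProof substituted for it
    direction: str   # "TO" = opened from inside, "FR" = opened from the Internet


def smartnat(inner_ip, nhr):
    """SmartNAT keeps the host part: 192.168.1.A -> 100.1.1.A via ISP1, 200.1.1.A via ISP2."""
    offset = int(ipaddress.ip_address(inner_ip)) - int(INTERNAL.network_address)
    return str(NHR_POOL[nhr].network_address + offset)


class LinkProof:
    def __init__(self):
        self.inside = {}    # (inner, remote, inner_port, remote_port) -> Session
        self.outside = {}   # (remote, public, remote_port, inner_port) -> Session
        self._rr = cycle(NHR_POOL)    # stand-in for proximity/load based selection (assumed)

    def _add(self, inner, remote, inner_port, remote_port, sess):
        self.inside[(inner, remote, inner_port, remote_port)] = sess
        self.outside[(remote, sess.public, remote_port, inner_port)] = sess

    def outbound(self, pkt):
        """LAN -> Internet. Returns (link, packet as sent), reusing the session's link."""
        sess = self.inside.get((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        if sess is None:                          # new flow: choose a link and record it
            nhr = next(self._rr)
            sess = Session(nhr, pkt.src, smartnat(pkt.src, nhr), "TO")
            self._add(pkt.src, pkt.dst, pkt.sport, pkt.dport, sess)
        return sess.nhr, Packet(sess.public, pkt.dst, pkt.sport, pkt.dport)

    def inbound(self, pkt, arrived_on):
        """Internet -> LAN. Returns the translated packet, or None to drop it."""
        sess = self.outside.get((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        if sess is None:
            static = STATIC_NAT.get(pkt.dst)
            # Unknown flow that is not a published service, or a published address
            # arriving on the other ISP's link (assumed policy): drop.
            if static is None or static[0] != arrived_on:
                return None
            # "Reverse" session: remember the link the remote user came in on.
            sess = Session(arrived_on, static[1], pkt.dst, "FR")
            self._add(static[1], pkt.src, pkt.dport, pkt.sport, sess)
        return Packet(pkt.src, sess.inner, pkt.sport, pkt.dport)
```

Without the reverse session, the server's reply to a connection that arrived on 200.1.1.3 could be SmartNAT-ed out through ISP1 as 100.1.1.100, and the remote peer would discard it as not belonging to its connection; the session table is what keeps both directions of a flow on one link.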

1.1.2.1 The Radware multi-link solution increases Internet link availability

Full-path health check

A major role of LinkProof in a multi-link network is to detect the availability, that is the health, of the ISP links. The health of an access link is not determined by the ISP router alone. LinkProof therefore offers a full-path health check that can test routing health up to 10 hops away, ensuring the whole data path is usable and improving service quality.

Recovery and warm-up timers

If an ISP connection is unstable, it is best not to send any traffic over it until it is known to have remained stable for a predetermined time. LinkProof provides fault-recovery and warm-up timers whose delays users can customize, ensuring that traffic is directed only to stable ISP links. Once the ISP is back to normal, LinkProof gradually increases the traffic sent to it.

Redundant configuration
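As an added illustration of the two mechanisms above (a constructed model, not Radware code; the page names the features but not their exact state machine), the following simulates a per-link full-path health check limited to 10 hops, a fail-back hold-down ("recovery") timer and a warm-up ramp. The timer lengths and the linear ramp are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LinkHealth:
    """Health state of one ISP link with fail-back and warm-up timers.

    States: UP (full share), DOWN (no traffic), RECOVERING (healthy again, but held
    at zero for recovery_secs and then ramped up linearly over warmup_secs).
    """
    name: str
    recovery_secs: float = 60.0      # assumed default: must stay healthy this long first
    warmup_secs: float = 120.0       # assumed default: ramp 0 -> 100% over this period
    max_hops: int = 10               # LinkProof probes up to 10 hops along the path
    state: str = "UP"
    healthy_since: Optional[float] = None

    def probe(self, hop_results, now):
        """hop_results[i] is True if hop i+1 on the path answered the probe."""
        checked = hop_results[: self.max_hops]
        path_ok = bool(checked) and all(checked)
        if not path_ok:
            # Any dead hop within range fails the whole path; a flap during
            # recovery restarts the hold-down from scratch.
            self.state, self.healthy_since = "DOWN", None
        elif self.state == "DOWN":
            self.state, self.healthy_since = "RECOVERING", now
        return self.state

    def weight(self, now):
        """Fraction (0.0-1.0) of new sessions this link may currently receive."""
        if self.state == "DOWN":
            return 0.0
        if self.state == "UP":
            return 1.0
        held = now - self.healthy_since
        if held < self.recovery_secs:
            return 0.0                             # still in hold-down
        ramp = (held - self.recovery_secs) / self.warmup_secs
        if ramp >= 1.0:
            self.state = "UP"
            return 1.0
        return ramp


def traffic_shares(links, now):
    """Normalize link weights into the share of new sessions each link should get."""
    weights = {link.name: link.weight(now) for link in links}
    total = sum(weights.values())
    if total == 0:
        return {name: 0.0 for name in weights}     # nothing usable: caller must fail closed
    return {name: w / total for name, w in weights.items()}
```

The point of the hold-down is visible in the flapping case: a link that passes one probe and fails the next never reaches the ramp, so no sessions are placed on it until it has been continuously healthy for the full recovery time.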

LinkProof's redundant configuration uses the same mechanism; an example follows. Since service reliability is increasingly a major concern on the Internet, users increasingly consider redundant configurations when installing Internet traffic control equipment such as application switches. In a multi-link network LinkProof provides redundancy for the network and the Internet connections, and the same function also covers two LinkProofs installed in parallel, one of them as a spare. LinkProof uses Radware's proven redundancy mechanism, which monitors device status over the network and therefore handles both equipment failures and network failures. If the primary LinkProof or one of its network connections fails, the backup LinkProof can take over the primary's work easily.

Radware hot-standby redundancy uses VRRP configuration mode, maintaining redundant operation via the standard VRRP protocol. When LinkProof starts, it first performs the VRRP Virtual Router (VR) election. Both LinkProofs send VRRP multicast packets announcing their VR information. The LinkProof with the higher VR priority is elected as the master device and the one with the lower priority as the backup. After the election, the master sends a VRRP multicast packet at regular intervals announcing its VR information, while the device in standby state no longer sends multicast packets and only monitors the master's status by receiving its VRRP packets. When the network or the primary device fails, the standby device stops receiving the master's VRRP multicast packets; after this has persisted for several intervals, the standby device sends the ARP information for the VR and takes over the master's work.

Under normal conditions with both links up, both inbound and outbound traffic pass through the active LinkProof, which uses Radware's intelligent address translation (SmartNAT) for load balancing and can also use Radware's Proximity algorithm to choose the "closest" path. If one link breaks, LinkProof still keeps inbound and outbound traffic flowing. The backup LinkProof uses the VRRP multicast packets to monitor the active LinkProof and is ready to take over all of its functions. With session mirroring enabled, the backup LinkProof replicates the active LinkProof's connection information in real time, so that when the active unit fails it takes over promptly with all network connections preserved and link load balancing is not disrupted. With port grouping enabled on the active LinkProof, a failure of one of its network connections makes it cut all of its connections, so that the backup LinkProof takes over cleanly. With virtual DNS enabled on the backup LinkProof, users' inbound DNS queries continue to be served if the active LinkProof fails.
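The election and takeover described above, as an added discrete-time simulation (not Radware code and not from the original page). The priorities, the 1-second advertisement interval and the LAN-side virtual router address 192.168.1.1 are assumptions; the dead interval follows the standard VRRPv2 formula (Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time, with Skew_Time = (256 - priority) / 256 seconds), which is the "several intervals" the text refers to.

```python
class VrrpNode:
    """One LinkProof taking part in a VRRP virtual router (VR)."""

    def __init__(self, name, priority, advert_interval_ms=1000):
        assert 1 <= priority <= 254, "255 is reserved for the address owner, 0 for release"
        self.name = name
        self.priority = priority
        self.advert_interval_ms = advert_interval_ms
        self.state = "INIT"
        self.last_heard_ms = 0
        self.events = []

    @property
    def master_down_interval_ms(self):
        # RFC 3768: Skew_Time = (256 - priority) / 256 s; Master_Down = 3 * Adv + Skew.
        skew_ms = (256 - self.priority) * 1000 // 256
        return 3 * self.advert_interval_ms + skew_ms


def elect(nodes):
    """Initial election: every node advertises, the highest priority becomes master."""
    master = max(nodes, key=lambda n: n.priority)
    for node in nodes:
        node.state = "MASTER" if node is master else "BACKUP"
        node.last_heard_ms = 0
    return master


def simulate_failover(master, backup, vr_ip, master_fails_at_ms, horizon_ms, step_ms=100):
    """Run the clock: the master advertises until it dies, the backup watches its timer.

    Returns the time (ms) at which the backup took over, or None if it never did.
    """
    for now in range(0, horizon_ms + 1, step_ms):
        master_alive = now < master_fails_at_ms
        if master_alive and now % master.advert_interval_ms == 0:
            backup.last_heard_ms = now           # VRRP multicast advertisement received
        if backup.state == "BACKUP" and now - backup.last_heard_ms > backup.master_down_interval_ms:
            # Dead interval expired: become master and announce the VR address with a
            # gratuitous ARP so LAN hosts re-learn where their default gateway lives.
            backup.state = "MASTER"
            if not master_alive:
                master.state = "DOWN"
            backup.events.append((now, f"gratuitous ARP for {vr_ip}"))
            return now
    return None


if __name__ == "__main__":
    a = VrrpNode("LinkProof-A", priority=200)
    b = VrrpNode("LinkProof-B", priority=100)
    elect([a, b])
    print(simulate_failover(a, b, "192.168.1.1", master_fails_at_ms=5000, horizon_ms=20000))
```

With a 1-second advertisement interval and backup priority 100 the takeover happens about 3.6 seconds after the last advertisement was heard; session mirroring, which the text describes next, is what lets the new master keep the existing connections across that gap.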

1.1.2.2 The Radware multi-link solution improves Internet link performance

Proximity

Proximity detection method

For inbound traffic LinkProof uses the same proximity judgement as for outbound traffic. LinkProof considers routing hops, latency and load, initiates a proximity calculation towards the network of each accessing client, selects the best path for the inbound traffic, and resolves the address accordingly.

Radware's proximity detection uses probe measurements together with a static table and a dynamic table, whose parameters the administrator configures, to form the proximity criterion. When a WSD-NP or LinkProof serves a network that is not in either table, the device measures proximity to that network. Proximity tables record all networks as Class C (/24) networks. When measuring, the proximity probe process sends several packets (up to four) to the target network and learns the hop count and delay from the probe results. For the most accurate results, probes are made at the IP, TCP and application layers (for example TCP and ICMP echo request tests). At most two kinds of reply are involved: first, the response to an ICMP echo (ping) request, and second, the error messages the remote network generates in response to the other probe packets. Once the device knows the hop count and delay between itself and the client network, it writes the best three content delivery paths into the dynamic table; the administrator defines how long these records are kept there. Having learned the proximity information, the Radware device can redirect clients on that network based on it. In this way administrators can deliver content to end users over the path with the least delay and the fewest backbone segments. Administrators can even configure a static proximity table to override the decision: Radware devices check the static table for the client's Class C network before checking the dynamic table. This way some clients are redirected automatically to the optimal path, and the second- and third-best paths can also be defined in the static table.
Optimizing the proximity detection method

Radware offers a variety of parameters with which the proximity detection method can easily be customized to the needs of each environment. Customization includes operations such as increasing the memory allocated to the dynamic proximity table, changing how long dynamic table contents remain valid, providing a DNS name for the Radware proximity device, and using only static tables. Adjusting the dynamic table's memory allocation, timeout and other parameters changes how often networks are probed. By tuning these to the needs of each environment, an appropriate balance can be found between probe frequency and the timeliness of the data. This can matter in some environments, because the proximity probing process uses ICMP echo requests (as one detection method) and clients occasionally notice the proximity checks. One way to minimize client-side concern is to give the Radware device a DNS name such as "proximitydevice.company.com", "quality-of-servicedevice.company.com" or "network-proximity-measuring-device.company.com". When a client detects a probe packet, a reverse DNS lookup then reveals the intent and source of the probe. Customers can also provide a short letter explaining the purpose of these probe packets; Appendix A shows a sample.

If the static proximity table is used effectively, clients on known networks can be redirected directly to the appropriate resources while minimizing the number of proximity probe packets. With the static table, clients can be redirected on a variety of criteria, such as the IP address ranges assigned by IANA (Internet Assigned Numbers Authority). For globally distributed sites this can be a solution, because IP addresses are assigned by three main regional bodies, each responsible for its own region. For more information on IP address blocks and the organizations responsible for them, see the "Internet Protocol Address Space" table at http://www.iana.org/assignments/ipv4-address-space. The static table can also be configured with the known address ranges of clients, setting the three best content access routes. This method is well suited to large extranets and intranets. Tuning the Radware proximity detection method is fairly simple, but different environments have different requirements. Radware's project team has extensive Internet, intranet and extranet experience to help customers achieve the desired result, so that content is delivered over the optimal path and technical and business objectives are met.

Sometimes an IDS (intrusion detection system) near the device being probed may mistake the proximity probe packets for an attack. To minimize such false positives, LinkProof and Web Server Director let the user configure whether proximity checks are performed for inbound traffic, for outbound traffic, for both, or for neither.
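The static/dynamic table behaviour and the best-of-three ranking described in the two passages above, as an added simulation (constructed example, not Radware code). The probe responses, the scoring weights, the 600-second lifetime of dynamic entries and the link names ISP1..ISP3 are assumptions; the constructed probe data reproduce the ordering in the figure that follows (ISP 3 first, ISP 2 second, ISP 1 third).

```python
import ipaddress


def class_c(ip):
    """Proximity tables are keyed by the client's Class C (/24) network."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class ProximityTable:
    def __init__(self, links, static=None, ttl_secs=600, probes=4,
                 weights=(1.0, 10.0, 100.0)):
        self.links = list(links)
        self.static = dict(static or {})   # admin-defined: /24 -> [best, second, third]
        self.dynamic = {}                  # learned: /24 -> (expires_at, [best, second, third])
        self.ttl_secs = ttl_secs           # how long dynamic entries stay valid (admin setting)
        self.probes = probes               # the device sends up to four probe packets
        self.w_rtt, self.w_hops, self.w_load = weights   # assumed scoring weights

    def score(self, rtt_ms, hops, load):
        """Lower is closer: latency, hop count and path load all count against a link."""
        return self.w_rtt * rtt_ms + self.w_hops * hops + self.w_load * load

    def measure(self, net, probe, load, now):
        """probe(link, net, i) -> (hops, rtt_ms), or None if probe i went unanswered."""
        ranked = []
        for link in self.links:
            samples = [probe(link, net, i) for i in range(self.probes)]
            samples = [s for s in samples if s is not None]
            if not samples:
                continue                    # unreachable via this link: not a candidate
            hops = min(h for h, _ in samples)
            rtt = min(r for _, r in samples)   # best-of-N filters transient queueing delay
            ranked.append((self.score(rtt, hops, load.get(link, 0.0)), link))
        best3 = [link for _, link in sorted(ranked)[:3]]
        if best3:
            self.dynamic[net] = (now + self.ttl_secs, best3)
        return best3

    def lookup(self, client_ip, now, probe=None, load=None):
        """Return (ranked links, source). Static first, then unexpired dynamic, else measure."""
        net = class_c(client_ip)
        if net in self.static:
            return list(self.static[net]), "static"
        entry = self.dynamic.get(net)
        if entry and entry[0] > now:
            return list(entry[1]), "dynamic"
        if probe is None:
            return list(self.links), "default"   # nothing known and no probing: use all links
        return self.measure(net, probe, load or {}, now), "measured"


# Constructed probe results standing in for real ICMP/TCP probes towards a client /24.
_FAKE_PATHS = {"ISP1": (12, 120.0), "ISP2": (9, 60.0), "ISP3": (7, 30.0)}


def fake_probe(link, net, i):
    if link == "ISP1" and i == 3:
        return None                          # one lost probe on the slowest path
    return _FAKE_PATHS[link]
```

The static table is consulted before anything is probed, which is the mechanism the text recommends for reducing probe traffic (and IDS false positives) towards networks whose best path is already known.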

Proximity detection diagram: the measured proximity for www.site.com from the local network over the three ISPs is 30 ms, 60 ms and 120 ms; the resulting ranking is First Path = ISP 3, Second Path = ISP 2, Third Path = ISP 1.

In many cases users need to assign specific traffic to particular ISP links and load balance among those links. For example, a company may want VPN traffic to go through a specific link because it does not want to reconfigure the firewall policy to allow the new ISP's addresses through, or an administrator may prefer to assign mail traffic to a few of the ISP links. Traffic grouping lets LinkProof choose different links for different types of traffic. Network administrators can define traffic groups by destination address, source address and application type, which makes traffic distribution more flexible and convenient.

The following diagram shows traffic grouped by application: Web traffic to Router 1, CRM traffic to Routers 2 and 3.

When a user accesses a Web application, the traffic goes out through Router 1 on the ISP1 link. When a user accesses a CRM application, LinkProof sends the user's requests to ISP2 and ISP3 and load balances between them.
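As an added example (not Radware code; the page describes the feature, not its implementation), this is a traffic-group policy of the kind described above: rules match on destination network, source network and application port, each group names the links it may use, and new sessions are balanced across the healthy links of the group. The rule set, the least-sessions balancing and the "strict" flag that refuses to spill the VPN group onto another link (because the remote firewall only accepts the pinned ISP address) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class GroupRule:
    name: str
    links: list                       # ISP links this group may use
    dst_net: Optional[str] = None     # match on destination network, e.g. "203.0.113.0/24"
    src_net: Optional[str] = None     # match on source network
    dports: tuple = ()                # match on application (destination) ports; () = any
    strict: bool = False              # True: never leave `links`, even if all are down

    def matches(self, src, dst, dport):
        if self.dports and dport not in self.dports:
            return False
        if self.dst_net and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.src_net and ipaddress.ip_address(src) not in ipaddress.ip_network(self.src_net):
            return False
        return True


class TrafficGrouper:
    """First matching rule wins; traffic matching no rule may use any link."""

    def __init__(self, rules, all_links):
        self.rules = list(rules)
        self.all_links = list(all_links)
        self.healthy = set(all_links)
        self.sessions = {link: 0 for link in all_links}

    def _least_loaded(self, candidates):
        healthy = [l for l in candidates if l in self.healthy]
        if not healthy:
            return None
        # Fewest active sessions wins; ties go to the earlier configured link.
        return min(healthy, key=lambda l: (self.sessions[l], self.all_links.index(l)))

    def select(self, src, dst, dport):
        """Return (link or None, group name) for a new session and account for it."""
        rule = next((r for r in self.rules if r.matches(src, dst, dport)), None)
        group = rule.name if rule else "default"
        link = self._least_loaded(rule.links if rule else self.all_links)
        if link is None and rule and not rule.strict:
            link = self._least_loaded(self.all_links)   # group's links all down: spill over
        if link is None:
            return None, group          # strict group (or everything) down: drop, don't leak
        self.sessions[link] += 1
        return link, group


# Constructed rule set mirroring the page's examples: VPN and Web pinned to ISP1,
# CRM balanced across ISP2 and ISP3.
RULES = [
    GroupRule("vpn", ["ISP1"], dst_net="198.51.100.0/24", dports=(500, 4500), strict=True),
    GroupRule("web", ["ISP1"], dports=(80, 443)),
    GroupRule("crm", ["ISP2", "ISP3"], dst_net="203.0.113.0/24"),
]
```

Rule order matters: a CRM server reached on port 80 matches the Web rule here because it is listed first, so the most specific groups (address-pinned VPN peers, for instance) belong at the top of the list.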

1.1.2.3 The Radware multi-link solution improves attack resistance

With SynApps II/III loaded, Radware LinkProof can effectively resist hacking and DDoS attacks. The application security module protects web servers against over 1400 attack signatures. The module is designed to act as the first line of defense for the other resources managed by the Radware device, including servers, firewalls, cache servers and routers. It uses both network-level and application-level information, and detects and prevents attacks by tracking sessions in real time and terminating suspicious ones. No software agents are required on the managed devices.

- Filtering based on IP address, application type and packet content
- Advanced filtering features such as content filtering, URL blocking and URL filtering
- Dedicated server IP addresses and ports can be assigned to applications that are not recognized, so that their security can still be ensured
- Connection limits can be defined for each server and application, ensuring that the number of sessions hitting a server does not exceed its capacity

The known security threats that can be prevented include:

- Web-based denial of service (DoS) attacks
- Distributed denial of service (DDoS) attacks
- Web-based buffer overflows
- General web environment vulnerabilities
- Attacks exploiting default or incorrect configurations and installation issues
- Network traffic probing
- Unauthorized network traffic
- Backdoor attacks

1.1.3 Firewall load balancing

While LinkProof performs Internet link load balancing, combining it with the Radware security application switch FireProof also provides firewall load balancing. In Figure 5 below (LinkProof + FireProof), LinkProof load balances the two ISP links and FireProof load balances the firewalls for outgoing traffic. Combining the two devices guarantees session persistence while achieving true load balancing of both Internet access and the firewalls.

1.1.4 LinkProof hardware specifications

LinkProof is offered on different hardware platforms for different types of users, summarized below.

LinkProof AS III
CPU: Motorola PowerPC 7410; network processor: yes
Memory: 128 MB, expandable to 512 MB
Ports: 1 x 10GE + 7 GE + 16 FE; backplane rate 44 Gbps
Dimensions: height 43.6 mm, width 432 mm, length 472.6 mm; weight 7 kg; standard 19-inch EIA rack or standalone
Bandwidth limit: 3 Gbps

LinkProof AS II
CPU: Motorola PowerPC 7410; network processor: no
Memory: 128 MB, expandable to 512 MB
Ports: 7 GE (GBIC), or 5 GE (GBIC) + 16 FE; backplane rate 19.2 Gbps
Dimensions: height 43.6 mm, width 430 mm, length 465 mm; weight 4.1 kg; standard 19-inch EIA rack or standalone
Bandwidth limit: 1 Gbps

LinkProof AS I
CPU: Motorola PowerPC 750; network processor: no
Memory: 64 MB, expandable to 128 MB
Ports: 2 GE + 8 FE, or 8 FE; backplane rate 9.6 Gbps
Dimensions: height 44 mm, width 432 mm, length 475 mm; weight 3.5 kg; standard 19-inch EIA rack or standalone
Bandwidth limit: 200 Mbps

LinkProof Branch
CPU: not listed; network processor: no
Memory and backplane rate: not listed
Ports: 8 FE
Dimensions: height 43.8 mm, width 240 mm, length 170 mm; weight 0.5 kg; standalone only
Bandwidth limit: 5 Mbps or 50 Mbps

All models
Power supply: auto-ranging 100-250 V, 50-60 Hz
Operating environment: 0-40 degrees Celsius, 5% to 95% humidity (non-condensing)
Supported NHRs (ISP links): 10
Device management: enhanced CLI, Configware Insite, Telnet, SSH and web-based management
Bandwidth management: full SynApps Bandwidth Management on AS III, AS II and AS I; limited on Branch
Application security: AS III, AS II and AS I can be upgraded to the full (paid) SynApps Security Module; limited support on Branch

