IP and Web Application Acceleration, Availability and Security


1 IP and Web Application Acceleration, Availability and Security
Foundry Networks ServerIron IP and Web Application Acceleration, Availability and Security Version 1.00 – July 2006 August 2005 | © 2005 Foundry Networks, Inc.

2 Agenda
- Layer 4-7 Market Evolution and Trends
- Foundry ServerIron Layer 4-7 Position
- ServerIron Solution Overview
- Product Architecture and Benefits
- ServerIron Features and Benefits
- TrafficWorks Releases and Roadmap
- Summary

3 Key Business and Application Trends
- Trends: Convergence (Triple Play); Mobility; On-line Business; Web-enabled Enterprise; Geographically Distributed Users
- Ubiquity and Reliance on Web, VoIP and IP Applications are Driving Demand for: Highly Available, Secure, High Performance, Scalable Infrastructure

4 User vs. Provider Concerns – Solution Must Address them Both
User Concerns / Provider Concerns
- Service Availability
  - Is Service Available when User Needs
  - 24x7x365 is NOT Unusual Expectation
- Service Performance
  - Are Downloads Really Fast?
  - Is Response Time Small and Meeting User’s Growing Impatience?
- Service and Infrastructure Security
  - How to Defeat Attacks against Network, Servers and Applications?
  - Security without Sacrificing End-User Performance
- Service Scalability
  - How to Grow Service without Going Bust
Foundry’s ServerIron Application Acceleration and Delivery is a Solution to Address All these Key Concerns

5 Four Key Reasons for Application Networking
Critical IP Service Infrastructure:
- Performance
  - Delivery Acceleration with Network Optimization
  - Faster Response Times
  - Better Resource Utilization
- Security
  - Server Farm Protection for Maximum Uptime
  - Application Level to Protect Sensitive Data
  - Identity Based Access
- Availability
  - Maximizing Uptime by Intelligent Traffic and Resource Management
  - Globally Distributed Services and Disaster Recovery
- Scalability
  - Keep up with Growing Demands of Traffic, Users, Security Threats
  - On-Demand Infrastructure

6 Key Market Needs and Trends in Data Center Application Switching and Security
Application Delivery Market and Trends
- Data Center and Server Consolidation
  - Powerful Servers (4x from 3 Years Ago) Creating Performance Pressures
- Web Enablement Creating Performance Bottlenecks
  - Explosion of Traffic Rates
- Web Attacks Growing in Intelligence and Potency
  - Service Downtime and Theft/Hijack of Sensitive Data
- Exploding use of SSL for Secure Communication and Services
  - Performance Bottlenecks and Certificate Management Complexity
- Triple-Play Services Proliferating – Voice, Video, Data
  - Bulk Streaming and High Volume VoIP
Foundry’s Higher Performance Application Switches Secure and Accelerate Business-Critical IP Services in Global Data Centers

8 Foundry Vision and Leadership
- Intelligent Integration of the Network, Server and Applications
- Lead in Protecting Server Farms and Applications from Major Security and Attack Profiles
- Scale Application Performance from the Server Farm to the Global Data Center
- Deliver Hardware Platforms to allow Uptime, Resiliency, and Future Proofing with Investment Protection

9 Foundry ServerIron Facts and Business Update
- Over 2,000 End User Customers (10,000 Foundry Customers)
- ~50,000 ServerIron Shipped Worldwide Since 1998
- ~2,000 Chassis Shipped in 2005 Alone
- World’s Largest Customers Use ServerIron Almost Exclusively
  - AOL, DoCoMo, Comcast, BellSouth, Yahoo, Verisign, Orbitz, Wachovia, HP, Deutsche Bank, AT&T, Ticket Master, Tyco, Siemens AG, Korea Telecom, British Telecom, US Federal, France Telecom, TIAA-CREF
- Industry Firsts and Leadership In Major Categories:
  - First Shipping Layer 4-7 Switch (1998)
  - First Modular Layer 2/3 and Layer 4-7 Switch (2000)
  - First Wire-Speed Gigabit DoS Security (2003)
  - First 10 Gigabit Layer 4-7 Switch (2004)
  - First Wire-Speed 10 Gigabit DoS Security (2005)
  - First Compact PC Sized 2U Modular Switch (2005)

10 The Two Largest Layer 4-7 Users in the World Use Foundry ServerIron

11 Foundry ServerIron – The Choice of the Most Demanding Customers

12 Foundry ServerIron Application Switches for IP & Web Services
- 8+ Years of Technology Innovation and Leadership
  - Shipped the World’s First Application Switch
  - Shipped the World’s First 10 Gigabit Application Switch
  - Globally 500,000+ Cumulative Ports Installed
  - Industry’s Most Deployed Application Switch – Dell’Oro 2005
- Industry Records in Performance and Security
  - Highest Application Performance
  - Up to 350,000 Layer 4 and 120,000 Layer 7 Connections per Second
  - Scalable to Wire-Speed 10 Gigabit Denial of Service Protection
  - Scalable to 12 Gbps of Application Throughput
  - Wire-Speed Layer 2/3 Switching Throughput
- Highly Scalable and Comprehensive Product Line
  - For Entry Level, Mid Range and High Performance Needs
  - Industry Leading Price/Performance and Feature Richness

13 Proven ServerIron Security Protection without Sacrificing Application Throughput
- Only Foundry Delivers Protection with High Performance
- Performance Doubles with Dual WSM
- ServerIron is 10G Ready, and Scales to 10G Throughput
- Throughput Test Used Mixed Size Objects from 43 to 64K Bytes

15 Foundry ServerIron Web Optimization and Application Traffic Management Solution
[Diagram labels: Internet & Intranet Users (Web Browsers, Hackers, Mobile & Wireless); IP Network; BigIron RX-16; ServerIron Application Switches; Mail Apps, ERP Apps, WEB Apps, Financial Apps]
- Total application switching and traffic management
- Comprehensive web and non-web application support
- Integrated SSL acceleration for web traffic
- Web performance optimization with http offload
- Robust server farm and application security
- Highly advanced load balancing and content switching
- Most advanced high availability with hitless failover
- Integrated global load balancing for multi-site redundancy and scalability
- Data center class architecture and modularity for investment protection
- SSL certificate management and security
- HTTP compression for bandwidth optimization

16 Range of Products for Broad Price, Performance and Port Configurations
- ServerIronXL: Entry-Level – Essential Features and Best Price
- ServerIronGT C Series: Expandable, Feature-Rich, “stackable form factor” (With SSL)
- ServerIronGT E Series: Mid-Range Performance, Expandable and Feature-Rich (With SSL)
- ServerIron 350/450/850: High-Performance, Density and Highly Scalable (On-Demand Integrated SSL)
[Chart (axes: Price and Performance). Model labels: XL-16, XL-24, GT-CGx2, GT-CGC16, GT-C2404F, GT-C10Gx2P, GT-EGx2, GT-EGC16, GT-E2404, GT-E10Gx2P, ServerIron Plus, ServerIronGT 10G; Integrated SSL Acceleration Module Options]

Slide #9 – Application Switch Portfolio

Foundry’s ServerIron family of Layer 4-7 application traffic management and web optimization switches delivers a total solution for application traffic management, server load balancing, content switching, security, SSL acceleration, web compression, and multi-site redundancy using global load balancing. Foundry’s L4-7 switches are the most widely deployed application switching systems in the world and are used by some of the most demanding customers in the world.

Foundry’s ServerIronGT C-Series is a family of purpose-built high availability modular Layer 4-7 application switches in a stackable PC size form factor, and is designed for the business-critical application and server farm infrastructure of Enterprises and Service Providers. These switches deliver the convenience of a pre-equipped appliance and the form factor traditionally only available on a PC platform, without sacrificing high availability, expandability and performance upgradeability to meet current and future business needs.

The ServerIron 350 switches are the highest performance Layer 4-7 switches in the industry in a unique and innovative 2U high modular form, and combine a rich set of application intelligence to deliver maximum availability, security and scalability for mission-critical applications and server farms.

17 Comprehensive ServerIron Families and their Applications
- ServerIronXL (Stackable Fixed Configuration for Entry Level)
  - Essential Features (SLB) and Best Entry Price (<$10K)
  - 10/100 Server Farms with Optional Gigabit Uplinks
- ServerIronGT C Series (Pre-Equipped 3-Slot Chassis Bundles)
  - Feature Rich, Expandable and Upgradeable in PC Size
  - Ideal for Space Constrained Data Centers
- ServerIronGT E Series (Pre-Equipped 4-Slot Chassis Bundles)
  - Expansion and Upgrade Capacity of High Entry Price
  - Ideal for Extra Density or Multi-Module SSL Applications
- ServerIron 350/450/850 PLUS (Create Your Own with Three Chassis)
  - High Performance with Choice of Expansion Capacity
  - ServerIron 350 for Compact Size, ServerIron 450/850 for Higher Scalability
- Common Management, Service and Line Modules Across All Chassis Systems

18 New ServerIron 10 Gigabit Ethernet Switches – Two Form Factors
- Two New ServerIronGT 10G Application Switches
  - Industry’s Only Purpose-Built Expandable High-Availability 10G Switches
  - New Ultra High Performance WSM7 Mgmt. Module (4th Gen Application Processor)
  - Hardware-Assisted Security and Application Acceleration
  - Optional On-Demand Expansion with Integrated SSL Acceleration
  - Data Center Class Reliability and Resiliency (Redundant Power, Hot Swap)
  - Double the Performance by Adding Dual Active Management Module
- Scalable to 350,000 L4 CPS; 10.0 Million SYN/Sec DoS Protection; 120,000 L7 CPS and 12 Gbps Application Throughput
- Available NOW!!
- ServerIronGT C 10Gx2: Innovative 2U Modular Design; Removable FAN; Three Modular Slots
- ServerIronGT E 10Gx2P: Expandable for High Density; Front Serviceable Power; Four Modular Slots

19 Architecture for 10 Gigabit Data Center and Application Delivery
[Two diagrams: Compact 10G ServerIron (ONE-ARM), with the ServerIronGT C 10G Application Switch (One ARM); and High-Density 10G ServerIron (IN-LINE), with the ServerIronGT E 10G Application Switch (In LINE). Labels in both: Internet & Intranet Users (Web Browsers, Hackers, Mobile & Wireless); IP Network; SecureIron Traffic Manager; Firewall Front End; BigIron RX-16; Web; ERP]

20 ServerIron 350, 450 and 850 PLUS Series Switches – Scalable to 12 Gbps Performance
- Industry’s Only Purpose-Built Data Center Class Application Switch
- New Ultra High Performance WSM7 Management Module
- Hardware-Assisted Security and Integrated SSL Acceleration
- Unmatched Scalability and Doubling of Performance with Dual WSM7
  - L4 350,000 & L7 120,000
  - DDoS 10M SYN/Sec
  - Application Throughput: 12 Gbps
- Available NOW!!
- Models: ServerIron 350-PLUS, ServerIron 450-PLUS, ServerIron 850-PLUS
* 1 cps = 1 Complete HTTP 1.0 Transaction (TCP Setup, 1 GET, 1KB REPLY, TCP Tear Down)

21 Unique Features of ServerIron Application Switches
- WSM6/WSM7 – ASIC-Based Application Processors
- Modular Slots for Expansion/Upgrade
- High Port Density (10/100, GigE & 10 GigE)
- Integrated SSL Acceleration
- Dual Management for Double Performance
- Hot Swappable Modules
- Unbeatable Choice of Form Factor, Expansion Capacity and Density
* DC Power Option Available
[Chassis picture callouts: Redundant and Hot Swappable Power Supplies in the Rear; Removable Fan; Eight Modular Slots; Three Modular Slots; 2 RU High; Four Modular Slots; 12 RU High (112 x 1Gig); 5 RU High; Redundant, Hot Swappable, Front Serviceable Power Supplies]

22 ServerIron Core Hardware Technology Components
- Three Chassis Flavors: 3-Slot Chassis, 4-Slot Chassis, 8-Slot Chassis
- WSM Management Modules
  - WSM7 – 1MP, 3BP (4x Performance)
  - WSM6 – 1MP, 3BP (3x Performance)
  - WSM6-2 – 1MP, 2BP (2x Performance)
  - WSM6-1 – 1MP, 1BP (1x Performance)
  - MP – Management Processor
  - BP – Barrel Processor (Application Flow Processor)
- SSL Management and Service Modules
  - WSM6-SSL-1 – 1MP and 1 SSL BP (2x Performance)
  - WSM6-SSL-2 – 1MP and 2 SSL BP (1x Performance)
  - SRVC-SSL6-1 – 1 SSL BP (2x Performance)
  - SRVC-SSL6-2 – 2 SSL BPs (1x Performance)
- JetCore Interface Line Modules
  - J-B2Gx, J-B4Gx, J-BxG, J-B16Gx – SFP Gigabit
  - J-B16GC – 16-port 100/1000 Mbps RJ45 Copper
  - B10Gx1, B10Gx2 – XENPAK 10 Gigabit Ethernet
  - J-B48E, J-B2404CF – 10/100 Ethernet and GbE Combo

23 ServerIron Interface Module Options – Choice of Port Speed and Connectivity
- J-B2Gx: Two-Port Gigabit Mini-GBIC (RJ45 or SFP)
- J-B4Gx: Four-Port Gigabit Mini-GBIC (RJ45 or SFP)
- J-BxG: Eight-Port Gigabit Mini-GBIC (RJ45 or SFP)
- J-B16Gx: Sixteen-Port Gigabit Mini-GBIC (RJ45 or SFP)
- J-B16GC: Sixteen-Port 100/1000 Mbps RJ45 Copper
- B10Gx1: One-Port 10 Gigabit Ethernet XENPAK*
- B10Gx2: Two-Port 10 Gigabit Ethernet XENPAK*
- J-B48E**: Forty-Eight Port 10/100 Ethernet RJ45
- J-B2404CF**: Twenty-Four Port 10/100 Ethernet RJ45 and Four-Port Gigabit Ethernet Fiber & RJ45 Combo
* Optics Required
** Double Wide Modules

24 ServerIron 350, 450, and 850 Families
[Chassis pictures: 350 & 350PLUS; 450 & 450PLUS; 850 & 850PLUS]
- WSM6 and WSM7 Management Modules
  - Three and Four Times Performance of GT-C Switches Respectively
  - Dual Management Modules for High Availability and further Doubling of Performance
  - SSL Service Modules for integrated Web Acceleration
- Customizable Switches with a Choice of Line Modules
  - Create-Your-Own Port Configurations with Following Module Choices
  - 2-, 4-, 8- and 16-port Gigabit mini-GBIC module
  - 16-port 100/1000 Mbps Copper module
  - 48-port 10/100 2-slot wide module
  - 24-port 10/100 and 4-port Gigabit (C & F) 2-slot wide module
  - 1 or 2-port 10 Gigabit Ethernet wide module

25 ServerIronGT C-Series Application Switches
- 3-Slot 2U high chassis with WSM6-1 or WSM6-SSL-1 management modules
- Models with Integrated SSL acceleration and web optimization
- Optional redundant power supply and field replaceable fan tray
- 50,000 L4 CPS, 1.2 M SYN/Sec DoS, 1,600 SSL/Sec, 16,000 SSL sessions
- ServerIronGT C-Series Systems
  - SI-GT-CGX2: Two gigabit ports and a layer 4-7 mgmt module
  - SI-GT-CGC16: Sixteen 100/1000 mbps copper ports and a layer 4-7 mgmt module
  - SI-GT-C2404CF: Twenty-four 10/100 ports, four GbE ports, and a layer 4-7 mgmt module
- ServerIronGT C-Series SSL Systems
  - SI-GT-CGX2-SSL: Two gigabit ports and a SSL-integrated layer 4-7 mgmt module
  - SI-GT-CGC16-SSL: Sixteen 100/1000 mbps copper ports and a SSL-integrated layer 4-7 mgmt module
  - SI-GT-C2404CF-SSL: Twenty-four 10/100 ports, four GbE ports, and a SSL-integrated layer 4-7 mgmt module
* Add J-B2Gx, J-B4Gx, J-BxG, J-B16GC, J-B16Gx for Expansion

26 ServerIronGT E-series Application Switches
- ServerIronGT E-Series Features and Benefits
  - Pre-equipped and fully functional systems – ease of appliance
  - Flexible one-arm, in-line and direct server return designs
  - Expansion slots for redundant mgmt, port density or integrated SSL
- ServerIronGT E-Series Systems
  - SI-GT-EGx2: Two gig ports and a layer 4-7 mgmt module
  - SI-GT-EGC16: Sixteen 100/1000 mbps copper ports and a layer 4-7 mgmt module
  - SI-GT-E2404: Twenty four 10/100 ports, four GbE ports and a layer 4-7 mgmt module
- ServerIronGT E-Series PLUS Systems
  - SI-GT-EGx4P: Four gig ports and a layer 4-7 mgmt module
  - SI-GT-EGC16P: Sixteen 100/1000 mbps copper ports and a layer 4-7 mgmt module
  - SI-GT-E2404P: Twenty four 10/100 Ethernet ports, four GbE ports and a layer 4-7 mgmt module

27 ServerIron Series Packs Features Not Available in Traditional Appliances
[Comparison table. Columns: Key Data Center Class Switch Characteristic; ServerIron; Traditional Appliances. Only the row labels survive:]
- Performance Upgradeability - Dual-Active Mgmt. (2x Performance)
- On-Demand Integrated SSL
- Port Expandability and High Density
- Hardware-Assisted ASIC Security
- Hot Swappable Modules and Power
- Flexible One-ARM and In-Line Designs
- Hardware ACLs / sFlow Traffic Visibility
- Front Serviceable Power Option

28 SSL Module Flavors and Benefits
- SSL Service Modules – Dedicated SSL Performance/Capacity
  - Co-Exist with WSM6/WSM7 for On-Demand SSL (Two Performance Flavors)
  - SRVC-SSL6-1: 1,600 SSL CPS; 16,000 Concurrent
  - SRVC-SSL6-2: 3,200 SSL CPS; 32,000 Concurrent
- SSL-Integrated Management Modules
  - Integration of Traffic Mgmt. and SSL into One (Two Performance Flavors)
  - WSM6-SSL-1: 1,600 SSL CPS; 16,000 Concurrent
  - WSM6-SSL-2: 3,200 SSL CPS; 32,000 Concurrent
- Dual-Active Modules for Doubling SSL Performance

29 Highly Flexible and Scalable SSL Integration into ServerIron with New Modules
- Broad Choice of SSL Modules Integrated in All Chassis
  - SSL Integrated WSM Management Modules
  - SSL Only Service Modules Co-Deployed with WSM Modules
- SSL Only Service Modules – Key Benefits
  - Scalable and Dedicated SSL Performance/Capacity for High Demand Apps
  - On-Demand Addition of SSL in Installed Base
  - Investment Protection with Flexible and On-Demand Upgrade
  - No Performance Impact on non-SSL Traffic Performance
- SSL-Integrated WSM Management Modules – Key Benefits
  - Fully-Integrated Application Switching and SSL Acceleration in one Module
  - Best Overall Price with Entry-Level and Mid-Range Performance
  - Ideal for Small to Medium Sites/Server Farms with Moderate Traffic Growth

31 “Data Center Class” Design
- Expandable to two WSM for 2x Performance
- Non-blocking switch design for scalable and optimal performance
- JetCore line modules provide sFlow statistics, wire-speed L2/3 and ACL without CPU intervention
- Modular design for future growth and technology upgrades
- Crosspoint switch architecture with dedicated bandwidth per module
- 128 Gbps / 256 Gbps cross-point fabric provides room for growth
- Modular, multi-processor application switch engine to provide best-in-class performance
- Redundant power for high-availability operation
[Diagram labels: WSM6, WSM7; 8 Gbps; 128/256 Gbps Switch Fabric; JetCore line modules]

32 Line Rate Hardware L2/3 Performance with Layer 4/7 Switching on WSM Modules
JetCore Enables Line Rate Hardware Switching of L2/3 Traffic and WSM6/WSM7 Processing of Only L4/7 Traffic Flows
[Diagram labels: WSM (MP, BP1, BP2, BP3); Hardware Forwarded; Servers; Clients]

33 WSM Architecture – Designed for Performance, Security and Growth
- Loosely coupled multi-processor design
- Processing shared across multiple engines (a.k.a., barrels) for scalability
- Dedicated management processor separates control from application data
[Diagram: WSM Module Architecture. Labels: 8 Gbps Backplane Interface; Barrel 1, Barrel 2, Barrel 3, each with L4 Prog. ASIC, L4-7 CPU and L4-7 Memory; MP CPU; MP Memory]

34 WSM6 Architecture is Identical to WSM4 but with More Performance, Memory and FPGA
- SDRAM Memory: WSM4 – 256 MB; WSM6 – 512 MB
- Processor: WSM4 – 466 MHz; WSM6 – 1 GHz

35 WSM7 Architecture
- Same architecture as WSM4 and WSM6, but better performance compared to both and better capacity than WSM4
- FPGA: WSM7 – Virtex II 6000; WSM6 – Virtex II 4000
- Backplane Interface: WSM6/WSM7 – SMC-3 16 MB Buffer; WSM4 – SMC-2 8 MB Buffer
- Processor: WSM7 – 1.6 GHz; WSM6 – 1 GHz; WSM4 – 466 MHz
- L2 Cache: WSM6/WSM7 – Integrated 1MB L2 Cache; WSM4 – External 1MB L2 Cache

36 Application Throughput
ServerIron Performance Matrix – Peak Performance Numbers for Each Measure
Columns, in order: XL; WSM6-1 (SI-GT-C and SI-GT-E); WSM6-2 (SI-GT PLUS); WSM6 (SI 350/450/850); WSM7 (SI 350/450/850 PLUS)
- DoS SYN/Sec: N/A; 1.2 Million; 2.4 Million; 3.6 Million; 5.0 Million
- L4 CPS: 19,000; 50,000; 100,000; 150,000; 170,000
- L7 CPS: 4,000; 15,000; 30,000; 60,000
- Application Throughput: 800Mbps; 2 Gbps; 4 Gbps; 6 Gbps
- Max Session: 500,000; 5 Million; 10 Million; 15 Million
All Numbers Double with Dual-WSM on all Chassis Platforms
All Numbers can Further Double with Active-Active HA Designs

37 SSL Integrated Management Modules – WSM6-SSL-X Architecture
- Similar Multi-Processor Design as the WSM6/WSM7 Management Module
- Two Barrel Processors Maximum – Each has Integrated SSL ASICs
- Each BP Processes All Layer 4-7 and SSL Flows
- 1BP and 2BP Flavors – WSM6-SSL-1 and WSM6-SSL-2
[Diagram: WSM6-SSL-X Module Architecture. Labels: 8 Gbps Backplane Interface; Barrel 1 and Barrel 2, each with L4 Prog. ASIC, L4-7 CPU, L4-7 Memory and SSL Acceleration ASIC; MP CPU; MP Memory]

38 SSL Service Modules – SRVC-SSL6-X Architecture
- No Management Processor On this Module – Co-Exists with a WSM Module
- Two Barrel Processors Maximum – Each BP Has Integrated SSL ASICs
- Each BP Processes SSL Flows Completely – Acceleration, Security and L4-7
- 1BP and 2BP Flavors – SRVC-SSL6-1 and SRVC-SSL6-2
[Diagram: SRVC-SSL6-X Module Architecture. Labels: 8 Gbps Backplane Interface; Barrel 1 and Barrel 2, each with L4 Prog. ASIC, L4-7 CPU, L4-7 Memory and SSL Acceleration ASIC]

39 WSM, WSM-SSL and SRVC-SSL Module Operation and Packet Flows
- Integrated WSM and SSL Management
  - All Flows Processed by Integrated Mgmt. Module(s)
  - SSL Terminated Flows Subject to HW ASIC Acceleration
  - Double Performance with Two Active Modules
- SSL Service Module with Management
  - WSM for Non-SSL Flows and SSL Service Module for SSL Flows
  - Dedicated Performance and Scalability for Non-SSL and SSL Flows
  - Double Performance with Two Active SSL Service Modules
[Two diagrams, one with WSM6-SSL-X and one with WSM6/WSM7 plus SRVC-SSL6-X. Labels in both: 8 Gbps; 128/256 Gbps Switch Fabric; JetCore Line Modules; SSL Traffic; Non-SSL Traffic]

40 SSL Connection Performance and Concurrent Capacity Scalability
| Measure | WSM6-SSL-1 / SRVC-SSL6-1 (1 SSL BP) | WSM6-SSL-2 / SRVC-SSL6-2 (2 SSL BPs) | Dual Active WSM6-SSL-2 OR SRVC-SSL6-2 (4 SSL BPs) |
| New SSL Connections Per Second | 1,600 | 3,200 | 6,400 |
| SSL Transactions Per Second | 5,000 | 10,000 | 20,000 |
| Concurrent SSL Connections | 16,000 | 32,000 | 64,000 |
| SSL Bulk Encryption Throughput | 250 Mbps | 500 Mbps | 1.0 Gbps |

41 ServerIron Software Architecture and Feature Blocks
[Diagram labels: Traditional Layer 4-7 Features; Advanced L4-7 Features with Full TCP Termination; Layer 7 Logic; Layer 4 Logic; Layer 7 Logic (Content Switching, Security, Compression, Proxy and Others); Connection Proxy; SSL; Light Weight TCP Stack; Full TCP/IP Stack; Virtual Memory; Forwarding Layer]

43 One Architecture and One TrafficWorks Operating System
ServerIron Delivers Rich Features to Optimize and Secure IP & Web Applications
- Security
  - Multi-Gigabit SYN/ACK Flood Protection
  - Advanced DoS Against 30+ Signatures
  - Granular Application Level Rate Limiting
  - Spam Mitigation
  - Wire-Speed ACLs and HW sFlow
  - Advanced Web Firewall
- Traffic Mgmt.
  - Advanced Load Balancing and Traffic Management
  - Sophisticated Health Monitoring from Layer 2 through 7 (Scripted)
  - Transparent L4 and L7 Traffic Management for Any IP Application
  - Hitless Failover Always
- Global LB
  - Multi-Site Redundancy and Scalability
  - Intelligent Traffic Distribution and Persistence
  - Secure Communication between Sites
  - Traffic Localization with Advanced Proximity Measures
- Web Acceleration
  - Integrated H/W SSL Acceleration
  - HTTP Connection Multiplexing for Server Optimization
  - Advanced Web Content Management for HTTP, HTTPS, XML, SOAP
  - Clientless HTTP Compression for BW Optimization*
- VoIP / SIP
  - Advanced SIP/VoIP Intelligence and Protocol Support
  - SIP Proxy/Registrar Load Balancing and Persistence
  - Security with Protocol Validation, Rate Limiting and Filtering
  - SIP Specific L7 Health Monitoring
- Adv. Layer 2/3
  - Full Features Layer 2/3 Switching and Routing
  - Layer 3 Support including OSPF, VRRP, VRRP-E, Policy Based Routing
  - ACLs, 802.1q, 802.1w, Port Trunks, Wire-Speed L2/3 Switching
  - High Performance Stateful IP NAT

44 Foundry ServerIron Feature / Solution Evolution
[Timeline graphic with year labels 1998 1999 2000 2001 2003 2004 2005 2006. Feature labels as extracted: Advanced Application Optimization and Security SPAM Mitigation Integrated SSL Acceleration HW Based DoS/DDoS Protection HTTP Connection Offload High Availability SIP/VoIP Service Delivery Swiss-Army-Knife Traffic Management Integrated Application Firewall ISP Link Load Balancing FIX Application Switching Advanced High Availability Layer 7 Traffic Management for All Applications Advanced GUI-Based Manageability with INM and Web GSLB XML Routing and Web Services Multi-Site Redundancy for Business Continuity Active-Square FWLB SSL Switching FWLB Advanced HTTP Content and Traffic Management Full-Featured DoS/DDoS Security Cache Switching Layer 7 Switching (HTTP) DoS Security Total Content Analysis Integrated HTTP Compression First Switch SLB]

45 Foundry’s ServerIron Layer 4-7 Switches Enable Virtual Server Farms
[Diagram labels: Web Apps, Financial Apps, ERP Apps; Virtual Application Infrastructure; Application Switching; Foundry ServerIron Layer 4-7 Switch; BigIron RX-8]
Foundry Application Switches Enable:
- On demand server farm and application scalability
- High availability applications with failure detection and automatic failover
- Load balancing for best service response time and application performance
- Robust server farm and application security from most attacks
- Server resource conservation by offloading connection management
- SSL acceleration to optimize secure Web transactions
- Maximized server utilization and better return on investment (ROI)

46 Key ServerIron Server Farm Management Features and Benefits
[Diagram labels: Virtual Application Infrastructure; Web Apps, Financial Apps, ERP Apps; Add a new server to pool; Transparently remove server from available pool; Health check fails; Foundry ServerIron Layer 4-7 Switch; Application Switching]
- Efficient load balancing and high availability with rapid failover
- Granular server and application health monitoring
- Highly advanced content switching
  - HTTP, DNS, FIX, Generic TCP and UDP, XML and Others
- Graceful shutdown and slow start for server management
- Server connection offload with HTTP connection multiplexing
- Transparent support for any IP application – TCP, UDP, others
- Integrated SSL acceleration and Web optimization

47 Global Load Balancing – Integrating Intelligence with Standard Protocols to Deliver Multi-Site Redundancy and Scalability
- High availability and scalability demand multi-site solutions
  - Backup site for redundancy and business continuity
  - Multiple sites for scalability, localization and resource optimization
  - New and emerging threats (including terrorism) forcing enterprises to make multi-site redundancy a requirement
- Two key approaches to global load balancing (leveraging standards based protocols with complete transparency):
  - DNS-based global load balancing for multi-site applications
    - Leverages DNS to distribute client connections to sites
    - Incorporates site health, load, user proximity and service response time into site selection
  - Routing-based global load balancing for non-DNS applications
    - Uses “intelligent” route health injection to site virtual IP
    - Integrates sophisticated health checks on the server side with routing on the network side
    - Propagates routes via standard protocols (OSPF and BGP)

48 DNS Based Global Load Balancing (GSLB) In Action
[Diagram, numbered steps 1 to 5: clients behind LDNS #1 and LDNS #2 send a DNS Query across the IP Network to the Authoritative DNS Servers and GSLB Controller for Service: Web, whose IP List is VIP-1, VIP-2, VIP-3 (three sites with Servers). DNS Reply to Client-1: IP List: VIP-2, VIP-3, then Connect to VIP-2. DNS Reply to Client-2: IP List: VIP-3, VIP-2, then Connect to VIP-3.]

49 ServerIron GSLB Key Features
- Distributed health check: Site ServerIrons do health checks locally to real servers and report summary to GSLB controller
- GSLB on WSM BPs: Earlier GSLB selection was done on MP, now it is on BPs (more processing power etc)
- Active bindings metric: VIP and VIP port that has more healthy real servers bound to it is preferred over one with fewer active bindings.
- Weighted IP metric: New GSLB metric: Prefer an IP address that has higher weight than another IP address.
- Weighted Site metric: New metric: Prefer a VIP at a Site that has a higher weight than a VIP at a Site with lower weight.
- GSLB support for private VIPs behind firewalls: If Site SI is behind a firewall, this feature allows it to report the public IP address for the VIP
- GSLB policy per host: User can configure a policy per host i.e. one policy for and another for ftp.foo.com
- User-Configurable geographic prefix: User can define a prefix and specify the geographic region for it (N-America, S-America, Asia, etc.)
- Advanced mechanism for smoothing GSLB RTT measurements: Smooths successive RTT samples effectively even if there are high variances in RTT samples.
- Ease of Use with “show gslb cache” enhancements: Number of new show commands to display entries in the GSLB cache
- Active RTT gathering for GSLB (Already Support Passive RTT): All site SIs will actively gather RTT for LDNS prefixes
- GSLB Site Persistence based on Hashing and Sticky State Tables: Ensures that clients are sent to the same site for transaction integrity

50 Un-trusted Public IP Network
GSLB Protocol Security for Sensitive Applications
- Foundry GSLB Protocol Used for Site-Controller ServerIron Communication
  - Communication Takes Place over TCP/IP Connections between Foundry Devices
  - Foundry Protocol is Confidential and Proprietary - Built-In Security
  - Added Protocol Security May be a Need for Certain Sensitive Applications
- Secure GSLB Protocol Authenticates and Encrypts Communication
  - Defeat Man-in-the-Middle Attacks
  - Defeat Replay Attacks
  - Controller and Site Authentication
  - Confidentiality of Information
- Information Exchanged using GSLB Protocol Messages
  - Site Health
  - Address List (VIPs)
  - Distributed Server Health
  - End-User Round Trip Time
  - Active Servers at a Site
  - Session and CPU Load
- GSLB Controller Modifies DNS Responses to have Best Site’s IP First in the List
[Diagram labels: GSLB Controller (Site Selection); A-DNS Server; GSLB Control Messages; Un-trusted Public IP Network; Real Servers; Datacenter #1; Datacenter #2]

Notes: Global Server Load Balancing (GSLB for short) is useful when the applications are distributed in various geographic locations for scale and performance. The GSLB controller gathers information about the “best” site (or even the nearest site to a given group of clients), and uses this information to direct client requests to the site selected. The load balancer is inserted and integrated within the DNS (Domain Name Service) to implement its GSLB functionality. In the example here, the client requests the IP address of a “service” (WEB maybe) from its local DNS server. The local DNS goes to the authoritative DNS for the information. The load balancer GSLB controller intercepts the A-DNS response, and modifies it to include the VIP of the “best” site load balancer. When the client receives the IP address (VIP) to contact for the “service”, it establishes the connection to the VIP. The site load balancer distributes client requests among the group of local servers using normal server load balancing. The GSLB controller gathers information about sites using the GSLB protocol.

51 VoIP High Availability with ServerIron SIP Load Balancing and Security
SIP Aware Call Switching, Server Load Balancing, Server Persistence, and Security
[Diagram: SIP User Agent Clients (UAC), SIP Client A and SIP Client B, reach the SIP Service Infrastructure (SIP Registrar Servers and SIP Proxy Servers) across the IP Network through the ServerIron SIP Load Balancing Switches. Call flow shown for each client: Invite, Trying, 200 OK, ACK. Legend: Control, Data. Health Checks – REGISTER/OPTIONS.]
ServerIron Load Balances, Persists, Health Checks and Secures Servers
ServerIron Currently Supports UDP Based SIP Service (Most Commonly Used) – TCP and “Stateful” UDP in Future

52 How Does SIP Work and What can ServerIron Do to Help?
Traditional IP Applications have Clients Accessing Servers for Content – HTTP, , DNS, FTP, RTSP, Etc.
IP Communication Service is Client-Client with Server Mediation
SIP Infrastructure, Protocol and Servers
  Consists of Clients (PCs or Phones), and SIP Proxy and Registrar Servers
  Clients Register their Location and Contact Information with Registrar
  Clients Request Proxy Servers to Mediate “Calls”
  Proxy Server Relies on Registrar Database to Find and Contact Clients
ServerIron SIP Load Balancing and Application Switching
  Load Balances REGISTER Messages to Multiple Registrar Servers
  Sends Periodic REGISTER Health Check Messages to Registrar Servers
  Load Balances INVITE Messages to Proxy Servers – Persists Messages Belonging to the Same “Call” (Unique Call ID) to Same Server
  Sends Periodic OPTIONS Health Check Messages to Proxy Servers
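The switching behaviour listed on this slide, as an added Python sketch that is not Foundry code: REGISTER requests are spread over registrars, every other request is pinned to one proxy by its Call-ID, and a server that fails its health check is taken out of rotation. The pool names, the round-robin choice and the `mark_down` hook are assumptions made for the example.

```python
REGISTRARS = ["registrar-1", "registrar-2"]        # constructed pool names
PROXIES = ["proxy-1", "proxy-2", "proxy-3"]        # constructed pool names


def parse_sip(datagram):
    """Return (method, call_id) for a SIP request; call_id is None if absent."""
    head = datagram.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # "i" is the compact header form of Call-ID (RFC 3261).
        if sep and name.strip().lower() in ("call-id", "i"):
            return method, value.strip()
    return method, None


class SipSwitch:
    """Layer 7 switch: balances REGISTER, persists each call on one proxy."""

    def __init__(self, registrars=REGISTRARS, proxies=PROXIES):
        self.registrars = list(registrars)
        self.proxies = list(proxies)
        self.pinned = {}                       # Call-ID -> proxy server
        self._next = {"reg": 0, "proxy": 0}    # round-robin counters

    def _pick(self, kind, pool):
        if not pool:
            return None
        server = pool[self._next[kind] % len(pool)]
        self._next[kind] += 1
        return server

    def route(self, datagram):
        """Return the server for this datagram, or None to drop it."""
        method, call_id = parse_sip(datagram)
        if call_id is None:
            return None                        # not a usable SIP request
        if method == "REGISTER":
            return self._pick("reg", self.registrars)
        server = self.pinned.get(call_id)
        if server is None:                     # first message of a new call
            server = self._pick("proxy", self.proxies)
            if server is None:
                return None
            self.pinned[call_id] = server
        if method == "BYE":                    # call is over, release the pin
            self.pinned.pop(call_id, None)
        return server

    def mark_down(self, server):
        """A REGISTER/OPTIONS health check failed: stop using the server."""
        for pool in (self.registrars, self.proxies):
            if server in pool:
                pool.remove(server)
        for call_id in [c for c, s in self.pinned.items() if s == server]:
            del self.pinned[call_id]


def sip(method, call_id):
    """Build a minimal constructed SIP request for the demonstration."""
    return (f"{method} sip:bob@example.com SIP/2.0\r\n"
            f"Call-ID: {call_id}\r\nCSeq: 1 {method}\r\n\r\n").encode()
```

Pinning on Call-ID rather than source IP keeps a call on one proxy even when many clients sit behind the same address.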

53 SSL Acceleration and SSL Proxy Features for Secure Web Transactions
Option #1: Inline SSL Termination with SLB, L7 and Security
  SSL Termination of Encrypted Client Traffic and Clear-Text Traffic to Server
  Acceleration of SSL Performance and HTTP Connection Offload of Servers
Option #2: Inline SSL Proxy (End-to-End) with SLB, L7, and Security
  SSL Proxy with Encrypted Client Traffic and Re-Encrypted Server Traffic
  L7 Visibility to SSL Traffic for Security and L7 Processing
  Offload Number of SSL Connections to Server
Option #3: SSL Accelerator Only Appliance Mode
  ServerIronGT C Series SSL Deployed as an External SSL Accelerator ONLY
  Greater SSL Performance Scalability and Better Overall High Availability
  One-Arm to ServerIron 450 Class Product

54 How SSL Acceleration Works?
Client Communicates with SSL Accelerator using HTTPS Protocol
  Accelerator is Transparent to the Clients and they Connect to HTTPS VIP
Accelerator Establishes Clear-Text HTTP Connection to the Server
  Accelerator is Transparent to Server as it Receives HTTP Connections
  Server-Side HTTP Connection Offload Further Improves Performance
Key Benefits: Performance Acceleration and L7 Security, Persistence, Switching, Re-Write, Insert
Accelerator Decrypts Client Traffic and Encrypts Server Traffic
[Diagram: Clients to SSL Accelerator over HTTPS (SSL) Connections, SSL Accelerator to Servers over HTTP (Clear) Connections. Steps: 1 TCP Connection Setup, 2 SSL Handshake, 3 Application Request, 4 Application Response, 5 SSL Tear Down, 6 TCP Tear Down. The server side shows steps 1, 3, 4 and 6 only.]

55 What is End-to-End SSL and What is Its Purpose?
Client Communicates with SSL Accelerator using HTTPS Protocol
  Accelerator is Transparent to the Clients and they Connect to HTTPS VIP
Accelerator Terminates SSL Connection, Inspects Traffic in Clear Text, Establishes an SSL HTTPS Connection to the Server
  Server-Side HTTPS Connection Offload Improves Performance
Key Benefits: L7 Security, Persistence, Switching, Re-Write, Insert
Accelerator Decrypts Client Traffic, and Inspects and Re-Encrypts Prior to Sending to Server
[Diagram: Clients to SSL Accelerator over HTTPS (SSL) Connections, SSL Accelerator to Servers over HTTPS (SSL) Connections. Steps on both sides: 1 TCP Connection Setup, 2 SSL Handshake, 3 Application Request, 4 Application Response, 5 SSL Tear Down, 6 TCP Tear Down.]

56 How can a ServerIronGT with SSL Be used As a Dedicated SSL Acceleration Device
Client Connects with ServerIron 350/450/850 on SSL VIP and Port ServerIron Re-Directs SSL Traffic to GT-C SSL Used as Accelerator Appliance GT-C SSL Accelerator Terminates SSL and Establishes Clear-Text HTTP Connection No New HW Or SW; As Needs Change, Existing GT-C SSL Can be Re-Deployed as Appliances for Added SSL Scalability Web Servers Port 80 Clients VIP: Port 80 VIP: Port 443 Port 80 ServerIronGT C Series SSL Real Servers for Port 443 Traffic and Clients for Port 80 Traffic August 2005 | © 2005 Foundry Networks, Inc.

57 SYN-Guard™ for High-Performance Server Farm Protection Against DoS Attacks
[Diagram: Good Client (Host A) and Bad Client (Host B) in front of the Foundry ServerIron and the Real Servers.
  Host A: 1 TCP SYN, 2 TCP SYN ACK – Special SEQ, 3 TCP ACK – Special SEQ, 4 Complete TCP Connection.
  Host B: 1 TCP SYN, 2 TCP SYN ACK – Special SEQ, 3 BAD TCP ACK – Invalid SEQ, NO TCP Connection.]
Protects Servers from Attacks
ServerIron Acts as a Connection Proxy and Uses Smart SYN-Cookie to Protect Against TCP ACK Attacks
Multi-Gigabit Security Protection at Wire-Speed Rates
None of the Partially Setup TCP Connections are Seen by Servers
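How a "special SEQ" can let a connection proxy answer SYNs without keeping state, as an added Python sketch that is not Foundry's SYN-Guard algorithm: the SYN-ACK sequence number is a keyed hash of the connection 4-tuple and a coarse timestamp, and the final ACK is only accepted if it echoes that value. The key, the 64-second slot and all names are assumptions; production SYN cookies also encode TCP options such as MSS.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"   # assumption: a random per-device secret
SLOT_SECONDS = 64                  # assumption: cookie lifetime granularity
MASK32 = 0xFFFFFFFF


def _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """24-bit keyed hash binding the cookie to one connection and time slot."""
    msg = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
           + struct.pack("!HHIQ", src_port, dst_port, client_isn, slot))
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Sequence number to place in the SYN-ACK: 8 slot bits + 24 MAC bits."""
    slot = int(now) // SLOT_SECONDS
    mac = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot)
    return ((slot & 0xFF) << 24) | int.from_bytes(mac, "big")


def check_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Validate the handshake's final ACK (seq = ISN + 1, ack = cookie + 1)."""
    cookie = (ack - 1) & MASK32
    client_isn = (seq - 1) & MASK32
    current = int(now) // SLOT_SECONDS
    for slot in (current, current - 1):        # accept current and previous slot
        if slot < 0 or (cookie >> 24) != (slot & 0xFF):
            continue
        expected = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot)
        if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return True
    return False


class SynProxy:
    """Connection proxy that holds no state until a handshake completes."""

    def __init__(self, vip, port):
        self.vip, self.port = vip, port
        self.to_server = []                    # connections passed to real servers

    def on_syn(self, src_ip, src_port, client_isn, now):
        # Nothing is stored per SYN, so a SYN flood cannot fill a table.
        return make_cookie(src_ip, src_port, self.vip, self.port, client_isn, now)

    def on_ack(self, src_ip, src_port, seq, ack, now):
        ok = check_ack(src_ip, src_port, self.vip, self.port, seq, ack, now)
        if ok:
            self.to_server.append((src_ip, src_port))
        return ok
```

Because the MAC covers the full slot number, a cookie replayed after the 8-bit slot field wraps still fails validation.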

58 Advanced Security Features to Prevent Server and Application Abuse and Attacks
Pro-Active Policies to Thwart Attacks and Prevent Abuse
Limits Number of Connections from a Given Host
  User-Configurable Limits Based on Application Behavior
  Ensures Hosts Cannot Hog Network and Application Resources
  Limits Placed based on Source IP or Other Unique Host Identifiers
Granular Control of Limits per Source Host or Subnetwork
  Sufficient Resources Reserved per Client to Allow Valid Client Transactions
  Limits on Connection Rate (per Defined Interval)
  Limits on Simultaneous Connections from a Given Host
  Rate Limiting of BW Used by TCP Connections to Prevent Network Abuse
When a Client Exceeds Limits, Further Connections from Same Client are Dropped for a Pre-Configured Duration
Limit Connections Allowed per Given Server (Customizable Limits per Server Based on its Resources)
Because the load balancers front-end the server farms and applications, they are the best line of defense against the Denial of Service attacks that so often cripple networks and applications. Load balancers insert themselves in the middle of TCP connection setup, and protect servers/applications from the burden of deflecting invalid connections. Only valid and completed connections are sent to a real server. All other connections are handled by the load balancer and eventually aged out. This security feature not only protects servers and applications, but it also preserves server resources for serving legitimate clients/traffic, which in turn improves application availability and performance. Additional security can be implemented using Access Control Lists and port filtering mechanisms that load balancers often support.
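The per-source limits on this slide (connection rate per interval, simultaneous connections, and a hold-down once a limit is exceeded), as an added Python sketch that is not ServerIron code or configuration. The `Policy` field names and values are assumptions; `prefix_len` shows the "per source host or subnetwork" choice.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Policy:                      # hypothetical knobs, named for this example
    max_rate: int = 5              # new connections allowed per interval
    interval: float = 1.0          # seconds
    max_concurrent: int = 3        # simultaneous connections per source
    holddown: float = 30.0         # seconds a violating source stays blocked
    prefix_len: int = 32           # 32 = per host, 24 = per /24 subnetwork


class SourceLimiter:
    def __init__(self, policy):
        self.p = policy
        self.recent = defaultdict(deque)   # key -> accept timestamps in window
        self.open = defaultdict(int)       # key -> currently open connections
        self.blocked_until = {}            # key -> end of hold-down

    def _key(self, src):
        net = ipaddress.ip_network(f"{src}/{self.p.prefix_len}", strict=False)
        return str(net)

    def on_connect(self, src, now):
        """Decide on a new connection attempt from src at time now."""
        key = self._key(src)
        until = self.blocked_until.get(key)
        if until is not None:
            if now < until:
                return "drop-holddown"
            del self.blocked_until[key]
        window = self.recent[key]
        while window and now - window[0] >= self.p.interval:
            window.popleft()               # forget accepts outside the interval
        if len(window) >= self.p.max_rate:
            self.blocked_until[key] = now + self.p.holddown
            return "drop-rate"
        if self.open[key] >= self.p.max_concurrent:
            self.blocked_until[key] = now + self.p.holddown
            return "drop-concurrent"
        window.append(now)
        self.open[key] += 1
        return "accept"

    def on_close(self, src):
        """A connection from src ended; free one concurrency slot."""
        key = self._key(src)
        if self.open[key] > 0:
            self.open[key] -= 1
```

Keying on a prefix instead of a host trades precision for resistance to a source that rotates addresses inside one subnet; legitimate clients behind a shared address or proxy need a correspondingly higher limit.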

59 Proliferation of Web Applications Increasing Vulnerability to Web-Based Exploits
Emerging Threats Target Applications and Data Abusive Use of Web Transactions and Protocols Attacks Designed to Disrupt Service (Downtime) Acquire Sensitive Data Attacks include Database Exploits, Session Hijacks, Illegal Access Deep Understanding of Application Transactions and Web Protocols Required to Secure the Service and Sensitive Data Transparency is Critical to Enhance Security of Existing Web Farms August 2005 | © 2005 Foundry Networks, Inc.

60 ServerIron TrafficWorks OS Security Upgrade – Web Application Firewall
Web Firewall Prevents Service Downtime and Data Theft
  Fully Inspects Application Messages to Validate Transactions
Key ServerIron Web Firewall Features Protect against
  Buffer Overflow: Ensures Transaction and Data Compliance
  Cookie Poisoning and Tampering: Authenticates Sessions to Prevent Hijack
  SQL Injection: Filters DB Commands to Prevent Database Attacks
  Cross-Site Scripting: Filters Scripts to Prevent User and Site Hijack
  URL Access and Forceful Browsing: Deny Unauthorized Content Access
  Hidden Parameters in Forms: Prevents Sensitive Information Leak to User
  Server Cloaking: Removes Information Identifying Servers and Applications
Fully Integrated with TrafficWorks OS to Augment Web Server Farm and Application Security

61 High Availability DNS with ServerIron – Foundation for All other IP Services
Foundry ServerIron Delivers Ultra High Availability and Unlimited Scalability to Cache and Authoritative DNS Service, and is the Primary Choice of Most Service Provider and Enterprise Customers
ServerIron DNS Server Load Balancing, Automatic Failover, Performance, and Security
[Diagram: DNS Service Infrastructure. Broadband Clients on the Provider Network and the Internet reach the Cache DNS Servers and the Authoritative DNS Servers through ServerIron Switches. Labels: Defeated DNS Attacks, DNS Health Checks.]

62 Certified OracleAS 10g Application Support - ServerIron with SSL
clients Certified in Oracle Labs by Oracle HA Group ServerIronGT with Integrated SSL Protocols Tested: HTTP, HTTPS, LDAP, LDAPS Hot Standby HA Whitepaper Co-Authored by Foundry and Oracle Linked Below: Oracle 10g Application Servers Enterprise Network ServerIronGT with SSL Integrated Management Blade Hot-Standby Active SYNC August 2005 | © 2005 Foundry Networks, Inc.

63 Most Advanced High Availability in a Choice of Three Modes
Active-Standby Two ServerIrons deployed in hot standby mode Real-time session synchronization Rapid and stateful failover fully transparent to clients and applications Active-Active – Same Virtual IP Two ServerIrons simultaneously active and load sharing Provide backup redundancy when one device fails Active-Active – Different Virtual IP Two ServerIrons active for two different VIPs and backup for other VIP Benefit of redundancy while maximizing utilization Stateful failover for TCP and UDP Flows Sophisticated algorithms for failover at VIP or device Level Most active links Most healthy servers High availability support on load balancers is critical to provide always-on applications. ServerIron switches support three modes of load balancer high availability. In active-standby mode, one of the switches is standby to take over when the active one fails. Sessions are synchronized between the two switches to transparently failover client connections during failure. Active-Active mode provides load sharing during normal operation, in addition to providing redundancy and stateful failover during failures. Network managers can also deploy two ServerIron switches in active-active mode where each one owns a different VIP (service), and acts simultaneously as a “standby” for the other VIP (service). Failover may not necessarily be a result of load balancer failure. Active load balancer may be selected based on a number of criteria like most active links or real servers. August 2005 | © 2005 Foundry Networks, Inc.

64 Hitless Failover with Session State Synchronization between the HA Pair
As Sessions are Setup through the Active ServerIron Devices, they are Synchronized in Real Time to the Peer High Availability Device for Preservation Upon Active Device Failures Router Optional Dedicated Link for ServerIron Communication ServerIron A ServerIron B L2 Switch L2 Switch Real Servers August 2005 | © 2005 Foundry Networks, Inc.

65 ServerIron Communication
Active-Hot Standby One ServerIron is Active while the other Monitors Health of Active ServerIron Mode is Only Supported when ServerIron Runs Layer 2 TrafficWorks Version Device Level and Port Level Redundancy Routers Availability of upstream router ports takes precedence for failover Active ServerIron Standby ServerIron Dedicated Link for ServerIron Communication L2 Switch Real Servers August 2005 | © 2005 Foundry Networks, Inc.

66 Active-Standby (Symmetric)
Both ServerIron Devices Actively Pass Traffic, but Own Half the VIPs When the Device that Owns VIPs Fails, All VIPs are Owned by Second Device Routers Active ServerIron Primary VIP1 Backup VIP2 Active ServerIron Primary VIP2 Backup VIP1 L2 Switch Optional Dedicated link for ServerIron communication Real Servers August 2005 | © 2005 Foundry Networks, Inc.

67 Active-Active (Sym-Active)
Both ServerIron Devices OWN All VIPs When one Device Fails, the other Device Processes All Traffic Unique Mode of High Availability for Foundry Routers Active ServerIron VIP1 Active ServerIron VIP1 L2 Switch Optional Dedicated Link for ServerIron Communication Real Servers August 2005 | © 2005 Foundry Networks, Inc.

68 ServerIron High Availability for One-ARM and DSR Designs
High Availability Modes Operate Independent of Topology Designs ServerIron Device May Be Deployed as a One ARM to Core Layer 2/3 Switch as Shown Below Active-Hot Standby and Active-Active HA are Supported Router Router Active ServerIron L2 Switches Active or Hot Standby ServerIron Real Servers Optional Dedicated Link for ServerIron Communication August 2005 | © 2005 Foundry Networks, Inc.

69 New Content Switching HTTP Data Analysis and Switching
URL Switching based on prefix, suffix and pattern Eliminates replication of application content on all servers Optimizes resource utilization and maximizes ROI Eases manageability and maintenance of servers and applications HTTP Header Switching Distinguish clients based on headers like browser type, language codes, request type Provide Layer-7 functionality on custom HTTP header fields – Example: Mega Proxies inserting the client IP in HTTP header Support for custom cookies and other header fields – BEA Support XML Switching Expand data analysis beyond headers to application information Optimizing performance and improving security by deep inspection Foundation to an XML application firewall August 2005 | © 2005 Foundry Networks, Inc.

70 Total Content Analysis – Advanced Layer 7 Features for All Protocols
What is Total Content Analysis? Full Layer-7 Features for HTTP and Non-HTTP Traffic Extensive Content Rules for All TCP and UDP Traffic Persistence, Switching, Filtering and Hashing Delayed Binding for Generic TCP Flows Inspect First 8 KB of Application Content Prior to Server Selection UDP Content Rules Processed Packet-By-Packet Why Do I Need It and How Will the Customer Benefit From It? Groundwork for Specialized Features for Non-HTTP Applications FIX, SIP, DNS, Windows Terminal Server, Others Inspection and Filtering at L7 for TCP and UDP Payload Layer-7 Persistence for Applications using Proprietary Protocols is Widely Required and Requested August 2005 | © 2005 Foundry Networks, Inc.

71 Total Content Analysis – Example Layer 7 Applications for Non-HTTP Traffic
DNS Security and Scalability Allow or Disallow Specific DNS Op-Codes Only DNS Security Feature – Example: Comcast Allow or Disallow Specific DNS Query Types Example #1: Block Recursive DNS Queries Example #2: Switch Recursive DNS Queries to a Different Server Allow or Disallow DNS Queries for Specific Domain Names FIX (Financial Information Exchange) Application Support Filter FIX Application Messages Based on Source and Type Persist on FIX Header Field Identifying Sender Organization My Proprietary Application has the 56th Bit Set To Generic Bit, Byte, Number, String, and Text Match on Any Payload Multiple Actions Taken Based on Configured Rules August 2005 | © 2005 Foundry Networks, Inc.
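The DNS content rules on this slide, applied packet by packet to a UDP payload, as an added Python sketch that is not TrafficWorks rule syntax: allow or deny by op-code and query type, drop or switch recursive queries, and deny named domains. The policy keys, pool names and sample packets are constructed for the example.

```python
import struct

POLICY = {                                     # hypothetical rule set
    "allowed_opcodes": {0},                    # 0 = standard QUERY
    "denied_qtypes": {252, 255},               # AXFR, ANY
    "denied_suffixes": ("blocked.example",),
    "recursive_action": "switch:recursive-pool",   # or "drop:recursive"
}


def build_query(name, qtype=1, opcode=0, rd=False, txid=0x1234):
    """Build a constructed DNS query packet for the demonstration."""
    flags = ((opcode & 0xF) << 11) | (0x0100 if rd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_query(payload):
    """Extract opcode, RD flag, name and type; raise ValueError if malformed."""
    if len(payload) < 12:
        raise ValueError("short header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        raise ValueError("response received on the query path")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                      # pointers have no place in a question
            raise ValueError("compressed or extended label")
        if pos + length > len(payload):
            raise ValueError("label runs past packet")
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("missing qtype/qclass")
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"opcode": (flags >> 11) & 0xF, "rd": bool(flags & 0x0100),
            "qname": ".".join(labels), "qtype": qtype}


def decide(payload, policy=POLICY):
    """Return the action for one UDP payload under the given policy."""
    try:
        q = parse_query(payload)
    except ValueError:
        return "drop:malformed"
    if q["opcode"] not in policy["allowed_opcodes"]:
        return "drop:opcode"
    if q["qtype"] in policy["denied_qtypes"]:
        return "drop:qtype"
    for suffix in policy["denied_suffixes"]:
        if q["qname"] == suffix or q["qname"].endswith("." + suffix):
            return "drop:domain"
    if q["rd"]:                                # recursion desired
        return policy["recursive_action"]
    return "forward:authoritative-pool"
```

Matching the suffix on a label boundary keeps `notblocked.example` from being caught by a rule for `blocked.example`.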

72 Windows Terminal Server (WTS) Load Balancing and Persistence @ L7
Overview of Windows Terminal Servers and Service Lets Users run Windows Applications on Remote Windows Servers Clients Must Maintain Persistence to Servers for Connectivity Session Directory is Central in Re-Directing Clients to Right Servers Load Balancing in a Windows Terminal Server Environment New Client Connections Assigned to Any Server using SLB Metric WTS Uses “Routing Tokens” to Identify “Persistence” and Re-Direct Clients “Routing Token” has the Real Server IP and Port Embedded/Encoded Key Load Balancing Requirements and Foundry Solution Client Connections with “Routing Token” Undergo Persistence Load Balancer Persists Client to Server Identified in Token Foundry ServerIron Switches Intelligently Retrieve, Interpret and Persist WTS “Routing Token” using New TrafficWorks Feature (9.4.0 Release) Format of the “Routing token” (IP and Port # of WTS) msts= CR + LF August 2005 | © 2005 Foundry Networks, Inc.

73 HTTP Server Connection Offload Improving Server Performance and Security by Offloading Connection Mgmt Why Server Connection Offload Servers perform poorly when managing many connections 30 to 40% of server processing used for connection management Servers extremely vulnerable to security threats from DoS attacks What is Server Connection Offload Client connections multiplexed to few server connections Reduces the burden of connection management from the servers Uses HTTP 1.1 persistent and re-usable connections for transactions Benefits of Server Connection Offload Increases capacity by improving utilization of existing resources Optimizes performance and response time of servers and apps. Improves security by shielding servers from clients August 2005 | © 2005 Foundry Networks, Inc.

74 Server Offload and Optimization Solutions
Routine TCP Connection Setup and Tear Down Pool Multiple Client Connections to Few Persistent Server Connections HTTP Switching Based on Application Level Information SSL Processing (Encryption and Decryption) Combined with Server-Side Connection Offload Terminate SSL on the Application Switch (Decrypt) Clear-Text Interfacing to Servers (Significant Performance Gain) Additional Performance Gain by Pooling Multiple HTTPS Terminated Connections over One or Few HTTP Server Side Connections Pooled Persistent Connection Clients Servers HTTPS (SSL) Connections HTTP (Clear) Connections August 2005 | © 2005 Foundry Networks, Inc.

75 Traditional Approaches to Fight Spam
Method 1 - Black/White Lists
  Advantages: Blocks Mail from Known Spammers; Frees up Resources on the Content Filters and Servers
  Disadvantages: Traditional Access Control Platforms do not Scale and Managing Lists is not Easy
Method 2 - Message Content Checking
  Advantages: Blocks SPAM with Pre-Configured Keywords; Content Filters Supplied by 3rd Party Sources with Little Administration
  Disadvantages: Spammers are Finding Ways Around Content Filters (disguising); Does Not Scale - Volume of Mail Growing Exponentially
Method 3 - Incoming Connection Rate Limiting
  Advantages: Defends against Hijacked Open Relay Servers, Trojan Mass-Mailing Worms and Spammers Coming from a Specific Source
  Disadvantages: Can Block Legitimate Messages – No Distinction between Good and Bad Users

76 ServerIron Policy Based Server Load Balancing for Spam Mitigation
What is Policy Based SLB (PBSLB)? PBSLB Uses a User Configured Policy List Policy List Consists of IP Address (Prefix) and Server Group ID Incoming Client Source IP is Matched to the Policy List Client Request is Directed to Corresponding Server Group Traditional Load Balancing to Real Servers in a Group Key PBSLB Market Requirements for SPAM Mitigation Large Policy Lists Scalable to Millions of IP Prefixes Dynamically Downloadable Policy Lists in Real Time Modifying List with Near Zero Downtime for Policy Enforcement Traditional Server Load Balancing and Security to Scale Backend Mail and Content-Based SPAM Servers Prevent Denial of Service Attacks and Abuse of Server Resources August 2005 | © 2005 Foundry Networks, Inc.

77 Foundry’s Intelligent Network-Based Approach to Defeating Spam
Foundry’s SPAM-DefTM Solution Stops Spam at the Network Offers the Most Scalable “Carrier Class” Solution that Dramatically Reduces Costly Content Filtering of Mail Simultaneously Provides Higher Availability and Efficiency for Mail Applications Defends Mail Server Farms Against Multi-Gigabit Rate Denial of Service (DoS) and other Attacks Essential Components of Foundry’s SPAM-DefTM Solution Policy Enforcement and Spam Filtering in the Network Intelligent Load Balancing, Application Switching and Security Transparent Re-Direction of User Messages to Specialized Resources Example: Grey list users re-directed to content inspection devices August 2005 | © 2005 Foundry Networks, Inc.

78 ServerIron Policy Based Server Load Balancing for SPAM Mitigation
Foundry ServerIron SPAM Mitigation Solution with PBSLB Up to 5 Million IP Prefixes (Billions of Addresses) in a Policy List Dynamic Download of New Lists in Real Time Downloads 5M Entry List in 3 Minutes Sophisticated Algorithms for Efficient Policy Enforcement Integrated Solution with Network Based SPAM Blocking Superior Load Balancing Robust Server Farm and Mail Application Security Is ServerIron PBSLB Enough to Block SPAM? PBSLB Is Sufficient when Using White or Black Lists Complement PBSLB with Content Based SPAM Solutions ServerIron Adds Value by Load Balancing SPAM Servers August 2005 | © 2005 Foundry Networks, Inc.

79 Why Scaleable Always-on Network Visibility?
CIO & Network Operations Team’s Requirements Controls Operator (redundant) Instrumentation (monitoring) Usage Tracking Track & Bill for Usage Ensure Network’s Readiness for New Applications Plan & Grow On-Demand Create Additional Business Better ROI Ease of Management Control Cost of Ownership Enforce Policies Conform with Regulations Maintain Security Protect Information Assets Rapid Diagnosis & Control of Problems Ensure Worker Effectiveness Minimize Downtime CIO Operations Team Requires Scaleable Always-on Visibility August 2005 | © 2005 Foundry Networks, Inc.

80 Collection, Analysis and Archival
Augment ServerIron Layer 4-7 Technology with sFlow (RFC3176) Visibility Statistical Sampling Delivers Visibility to All Traffic Flows Throughout the Network Layer 2 through 7 visibility and analysis Scales with Network Size and Speeds with Zero Performance Impact No other Technology can Scale to GbE and 10 GbE rates Embedded implementations available today – Free! Packet Header Analysis Src/Dst MAC addresses Src/Dst VLAN (802.1q) and 802.1p Src/Dst IPv4 addresses, including TOS/DSCP, TCP, TCP flags, UDP, and ICMP information Src/Dst IPv6 addresses and other information Src/Dst IPX addresses and other information Src/Dst AppleTalk addresses and other information MPLS information Sampling process parameters (rate, pool) Physical input/output ports Src/Dst prefix bits and next hop subnet, Source AS and source peer AS Destination AS path Communities and local preference 802.1X user name or RADIUS/TACACS user ID Interface Statistics (SNMP) The captured packet itself Layer 2-7 Information Sampled Packet sFlow Datagram sFlow Collector Collection, Analysis and Archival August 2005 | © 2005 Foundry Networks, Inc.

81 sFlow Reporting August 2005 | © 2005 Foundry Networks, Inc.

82 IronView Network Manager
ServerIron Manager The ServerIron Manager contains the VIP-Server Manager that allows you to view real server and virtual server port status and their bindings. This manager also allows you to enable or disable a real server, virtual server, real server port or a virtual server port. August 2005 | © 2005 Foundry Networks, Inc.

83 IronView’s VIP-ServerIron Manager
Information for each ServerIron including real servers, virtual servers, real server ports and virtual server ports. Provides the ability to enable or disable a real server, virtual server, real server port or a virtual server port. August 2005 | © 2005 Foundry Networks, Inc.

84 INM GSLB Manager GSLB (Global Server Load Balancing) Manager in INM Full-Feature GSLB Manager to Configure and Monitor GSLB Allows Configuration of GSLB Controller and GSLB Site Devices Management of Many Zones, Domains, Applications and IPs Configuration of GSLB Policies and Host Based Policies CheckFree is a leading online Bill Pay company. They rely on Foundry ServerIron products to support their 400+ million annual transactions. In addition to the load balancing features and functions, they required high availability, easy manageability, and integrated routing support. They found all these and more in Foundry products. The ServerIron switches load balance almost everything and anything in their network including web servers, databases and mainframe systems. They picked Foundry technology and solutions because of the superior performance and reliability. Additionally, they came to love Foundry’s customer support. August 2005 | © 2005 Foundry Networks, Inc.

85 Agenda Layer 4-7 Market Evolution and Trends
Foundry ServerIron Layer 4-7 Position ServerIron Solution Overview Product Architecture and Benefits ServerIron Features and Benefits TrafficWorks Releases and Roadmap Summary August 2005 | © 2005 Foundry Networks, Inc.

86 3Q 2006 ServerIron Release Roadmap –
TrafficWorks Release – FCS Target August 1st, 2006 SYN-Guard TCP Options Support for SSL Modules URL Re-Write for SSL Terminated Traffic LDAPS, POPS, IMAPS Support for SSL (and Others) Deep Packet Inspection and Signature Match Re-Direction Layer 7 Signatures Based Connection Rate Limiting (SSL and Non-SSL) WSM7 Support for SSL Blade Co-Existence Remove 750 Real Server Limit for 10G Module 802.3ad Link Aggregation Dual Mode (Tagged/Untagged) Support on ServerIron SSHv2 Support GSLB MIB Support Auto Download of PBSLB List

87 Compress and Web Firewall Release
TrafficWorks Release – FCS Target October 1st, 2006 HTTP Compression (GZIP, Deflate, L7 Filter etc….) Application Firewall – Buffer Overflow, Cloaking, Forceful Browsing, Normalization, Cookie Tampering and Poisoning, SQL Injection, Cross-Site Scripting Certificate Increase to 600 Load Balancing Weight Predictor Metric with SNMP Health FIN Close on Health Check INM GSLB Manager Support HW Based IDS Load Balancing (Lawful Intercept) Does Not Work with any Other ServerIron Feature August 2005 | © 2005 Foundry Networks, Inc.

88 Agenda Layer 4-7 Market Evolution and Trends
Foundry ServerIron Layer 4-7 Position ServerIron Solution Overview Product Architecture and Benefits ServerIron Features and Benefits TrafficWorks Releases and Roadmap Summary August 2005 | © 2005 Foundry Networks, Inc.

89 ServerIron Advantages
Throughput, Port and Session Scalability, and High Availability Beyond Traditional Appliance Capabilities Application Performance & Security Up to 350,000 L4 connections/S Throughput from 4 to 12 Gbps DoS protection up to 10 M SYN/s Data Center Class Reliability Resilient switching & routing foundation Redundant & hot swappable power supplies Redundant management modules Embedded real-time OS (Vs. Open general purpose OS) On-Demand Scalability 10 gigabit support Performance upgradeability Expandable to high density gig Investment Protection! Deployment Flexibility In-line, one-arm & DSR modes Ideal fit in existing & green field network infrastructures Upgradeable & extensible Robust Security Wire-speed ACL & sFlow Embedded real-time OS Secure management access Future Expandability Port module expansion Fiber/copper gigabit media options Management module upgrade Dual mgmt module for performance Ultra High Availability Redundant power supplies & modules Gigabit trunks protect from link failures Rapid session failover Proven in Over 2,000 End User Networks

90 Foundry Networks Thank You August 2005 | © 2005 Foundry Networks, Inc.

