HEPiX Fall 2017 Firewall Load Balancing Solution

Slides:

Advertisements

Similar presentations

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.

Advertisements

Design Guidelines for IPv6 Networks draft-matthews-v6ops-design-guidelines-01 Philip Matthews Alcatel-Lucent.

Chapter 9: Access Control Lists

OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.

Implementing Inter-VLAN Routing

Page 1 / 14 The Mesh Comparison PLANET’s Layer 3 MAP products v.s. 3 rd ’s Layer 2 Mesh.

Highly Available Central Services An Intelligent Router Approach Thomas Finnern Thorsten Witt DESY/IT.

1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)

1 IPv6 Address Management Rajiv Kumar. 2 Lecture Overview Introduction to IP Address Management Rationale for IPv6 IPv6 Addressing IPv6 Policies & Procedures.

(ITI310) By Eng. BASSEM ALSAID SESSIONS 8: Network Load Balancing (NLB)

Appliance Firewalls A Technology Review By: Brent Huston T h e B l a c k H a t B r i e f i n g s July 7-8, 1999 Las Vegas.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Network Topologies.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—2-1 Implementing VLANs in Campus Networks Applying Best Practices for VLAN Topologies.

Networking Components

Barracuda Load Balancer Server Availability and Scalability.

1 October 20-24, 2014 Georgian Technical University PhD Zaza Tsiramua Head of computer network management center of GTU South-Caucasus Grid.

OpenFlow: Enabling Technology Transfer to Networking Industry Nikhil Handigol Nikhil Handigol Cisco Nerd.

Chapter 8: Virtual LAN (VLAN)

NETWORKING COMPONENTS AN OVERVIEW OF COMMONLY USED HARDWARE Christopher Johnson LTEC 4550.

1 Second ATLAS-South Caucasus Software / Computing Workshop & Tutorial October 24, 2012 Georgian Technical University PhD Zaza Tsiramua Head of computer.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Introducing Network Design Concepts Designing and Supporting Computer Networks.

FireProof. The Challenge Firewall - the challenge Network security devices Critical gateway to your network Constant service The Challenge.

1 © 2003, Cisco Systems, Inc. All rights reserved. CCNP 1 v3.0 Module 1 Overview of Scalable Internetworks.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Introducing Network Design Concepts Designing and Supporting Computer Networks.

ITD + ASA 5585-X Configuration Guide

DYNAMIC LOAD BALANCING ON WEB-SERVER SYSTEMS by Valeria Cardellini Michele Colajanni Philip S. Yu.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 11: Network Address Translation for IPv4 Routing And Switching.

BNL PDN Enhancements. Perimeter Load Balancers Scaleable Performance Fault Tolerance Server Maintainability User Convenience Perimeter Security.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Filtering Traffic Using Access Control Lists Introducing Routing and Switching.

 RIP — A distance vector interior routing protocol  IGRP — The Cisco distance vector interior routing protocol (not used nowadays)  OSPF — A link-state.

Cisco Confidential © 2013 Cisco and/or its affiliates. All rights reserved. 1 Cisco Networking Training (CCENT/CCT/CCNA R&S) Rick Rowe Ron Giannetti.

Atrium Router Project Proposal Subhas Mondal, Manoj Nair, Subhash Singh.

Cisco Study Guide

CS 3700 Networks and Distributed Systems

أمن المعلومات لـ أ. عبدالرحمن محجوب حمد mtc.edu.sd أمن المعلومات Information Security أمن المعلومات Information Security  أ. عبدالرحمن محجوب  Lec (5)

WLCG IPv6 deployment strategy

Wi-Fi Service Enhancement at CERN

(ITI310) SESSIONS 8: Network Load Balancing (NLB)

X-Series Architecture

Virtual Local Area Networks or VLANs

Mouli Vytla Samar Sharma Rajendra Thirumurthi

F5 BIGIP V 9 Training.

PANA Issues and Resolutions

Service Challenge 3 CERN

Planning and Troubleshooting Routing and Switching

Computer Data Security & Privacy

Instructor Materials Chapter 9: NAT for IPv4

Network Load Balancing

VIRTUAL SERVERS Presented By: Ravi Joshi IV Year (IT)

Dumps PDF Vendor: Microsoft Exam Code:

Routing and Switching Essentials v6.0

HEPiX Fall 2017 CERN project Follow-up

Introducing To Networking

Introduction to Networking

Chapter 4: Access Control Lists (ACLs)

Cisco Real Exam Dumps IT-Dumps

CS 31006: Computer Networks – The Routers

* Essential Network Security Book Slides.

Practical IPv6 Filtering

Access Control Lists CCNA 2 v3 – Module 11

CIS 82 Routing Protocols and Concepts Chapter 11 NAT

Instructor Materials Chapter 9: NAT for IPv4

Firewalls Routers, Switches, Hubs VPNs

CS580 Special Project: IOS Firewall Setup using CISCO 1600 router

Attilla de Groot | Sr. Systems Engineer, HCIE #3494 | Cumulus Networks

Chapter 11: Network Address Translation for IPv4

Chapter 4: outline 4.1 Overview of Network layer data plane

Presentation transcript:

HEPiX Fall 2017 Firewall Load Balancing Solution Vincent DUCRET vincent.ducret@cern.ch

Introduction Traffic between the CERN internal networks (LCG/GPN) and the external network (Internet) is filtered by firewalls Current setup has some limitations The Firewall Load-Balancing (FWLB) solution aims to bring scalability to the setup

Current firewall Setup Limitations: Limited capacity Not possible to add a 3rd firewall Each FW is dedicated to a type of traffic Overall traffic is not equally distributed Routing constraints/complexity HTAR traffic (not firewalled) Firewalled traffic

Four different evolution options Build an “intermediate” FW Load Balancer solution Pros: Reuse existing and spare Firewalls No need for switch/router upgrade Allow us to get familiar with FW load-balancing Total cost < 60% of current spare FW Cons: May not match all requirements May only be valid for 2/3 years prior to a global architecture review Full review of the design with specific Load Balancers Pros: “Long term" solution Match all requirements Cons: Unknown technology Price and time (market study and tender required) May need router/switch upgrade Keep current setup and use “bigger” Firewalls Pros: no major change on the design “easy” increase of the overall capacity Cons: Price and time (tender required) No use of our spare Firewall Need router/switch upgrade (Price) Keep a separation by type of traffic (same routing constraints, unfair distribution of the traffic, etc.) Keep current setup but build a cluster of Firewalls Pros: No major change on the design Can use our spare firewall Cons: Need exact same hardware (vendor lock) Capacity increase is not linear (2x 10Gbps  14 Gbps) Keep a separation by type of traffic (same routing constraints, unequal distribution of the traffic, etc.)

Firewall Load Balancing Setup More details about IDS in the presentation given by Adam Krajewski: “Network Automation for Intrusion Detection System” HTAR traffic (not firewalled) Firewalled traffic

Firewall Load Balancing Setup OUTSIDE VRF/VLAN INSIDE VRF/VLAN Physical Setup Each Firewall have a 10Gbps link to each Load Balancer LAG make it a single logical connection Logical Setup Each Load Balancer is divided in two VRFs Full redundancy for single device failure

Firewall Load Balancing Setup Load balanced FW2 Based on two Cisco Nexus 5672UP (each with 32x 10Gbps + 4x 40Gbps) Firewall Load Balancing is done using the ITD feature (Intelligent Traffic Director) = PBR with some automated features Load balanced FW1 Production FW Cisco Nexus 5K for FWLB Router in charge of PBR for HTAR/Firewalled traffic

FW LB setup details Load balancing is based on source IP (relies on PBR) Traffic to/from a single server will always cross the same FW Fully redundant setup If one FW fails, traffic is redirected to the remaining ones (30-60 seconds detection; not transparent for active sessions) If one load balancer fails, all firewalls and routers still have a connection to the second load balancer If one router fails, traffic is rerouted to the other one

Configuration details Manual configuration itd device-group FIREWALLS-IN node ip X.Y.Z.1 weight 12 node ip X.Y.Z.2 weight 4 probe icmp frequency 3 timeout 2 retry-down-count 3 retry-up-count 5 itd ITD-FW-IN device-group FIREWALLS-IN ingress interface Vlan100 failaction node reassign load-balance method src ip buckets 16 no shutdown

Configuration details Auto-generated ACLs ip access-list ITD-FW-IN_itd_bucket_1 10 permit ip 1.1.1.0 255.255.255.15 any ip access-list ITD-FW-IN_itd_bucket_2 10 permit ip 1.1.1.16 255.255.255.15 any (…) ip access-list ITD-FW-IN_itd_bucket_15 10 permit ip 1.1.1.224 255.255.255.15 any ip access-list ITD-FW-IN_itd_bucket_16 10 permit ip 1.1.1.240 255.255.255.15 any

Configuration details Auto-generated PBR rules route-map ITD-FW-IN_itd_pool permit 0 description auto generated route-map for ITD service ITD-FW-IN match ip address ITD-FW-IN_itd_bucket_1 set ip next-hop X.Y.Z.1 route-map ITD-FW-IN_itd_pool permit 1 match ip address ITD-FW-IN_itd_bucket_2 set ip next-hop X.Y.Z.2 (…) route-map ITD-FW-IN_itd_pool permit 15 match ip address ITD-FW-IN_itd_bucket_16

Configuration details Auto-generated PBR rules interface Vlan100 description GAR1 IN 0513-A-FI11 no shutdown mtu 9000 no ip redirects ip address A.B.C.D/X ip policy route-map ITD-FW-IN_itd_pool ITD will adapt the PBR rules in case of FW failure

Configuration details Python scripts to ease operation cli alias name addfw21 source itd-fw.py -fwin X.Y.Z.1 -fwout A.B.C.1 -weight 12 -add cli alias name removefw21 source itd-fw.py -fwin X.Y.Z.1 -fwout A.B.C.1 -rem cli alias name addfw22 source itd-fw.py -fwin X.Y.Z.2 -fwout A.B.C.2 -weight 4 -add cli alias name removefw22 source itd-fw.py -fwin X.Y.Z.2 -fwout A.B.C.2 -rem cli alias name itdreset source itd-clear.py

FWLB setup limitations Current platform supports IPv4 load-balancing only IPv6 traffic is not concerned by this FWLB solution IPv6 flow unchanged (dedicated firewalls, no HTAR) Current platform supports 32x10Gbps ports and 6x 40Gbps Not possible to transparently remove a Firewall (let current sessions “die”) But this is considered sufficient for the next 2/3 years. It lets us get familiar with FW LB solution prior to a global FW design review in the future (new/bigger firewalls, larger LB devices with IPv6 support, etc.)

FW LB PILOT Setup (active since mid-July 2017) Pilot FWLB traffic Wired connection Bldgs.28/31/600 HTAR traffic (not firewalled) Firewalled traffic

FW LB PILOT Setup (active since mid-July 2017) 5000 1600 1st Firewall (newer model) manages ~5000 connections 2nd Firewall (older model) manages ~1600 connections Pilot load balancing configuration is ¾ to 1st FW and ¼ to 2nd FW NOTE: as a comparison, at the same time, production firewalls manage between 350K and 750K connections

Planning overview Summer 2017: Pilot (traffic from IT buildings) Q4-2017: move half of the devices to 2nd network hub Q4-2017/Q1-2018: migrate all GPN/LCG traffic to FWLB solution (several steps) 2018/2019 global review of the firewall setup

Are you doing Firewall Load Balancing? Which solution are you using? How scalable is it? Does it support dual stack IPv4/IPv6? If you don’t know, please forward this presentation (or at least this slide) to your “network” colleagues. They can contact me via vincent.ducret@cern.ch

Any questions?