11/2/2000 Weihong Wang / Content Switch, Page 1: Content Web Switch. Weihong Wang.
Presentation transcript:
Page 2: What is a Content Switch?
A network device that routes user requests to a set of real servers based on their content and headers.
A Content Switch can route an incoming request based on:
- URL
- address
- HTTP meta header
- IMAP/POP login
- cookie value
- UDP/NFS file path or block
- SSL session ID
- telnet
- XML tags
- FTP
It can be configured as:
- a firewall
- a load balancing or load distribution device
- a fail-over clustering device

Page 3: Content Switch Load Balancing Web Servers
A Content Switch is a network component that load balances web servers. The performance of a web server farm can be improved by distributing incoming requests across a set of web servers. Request distribution can be based on:
- IP address and port number (Layer 4 switching)
- session layer and application layer information (L5, L7 switching)

Page 4: ArrowPoint Network Services (supports URL and cookie-based switching)
- Who the customer is, based on the user cookie located within the HTTP header.
- What information or transaction the customer is requesting.
- Where best to service the customer.

Page 5: Content Switch Architecture (from Apostolopoulos2000)
(Figure; recoverable labels.) The port controller matches incoming packets and either forwards them to the content switch processor or routes them directly. Rule matching results are downloaded from the content switch processor to the port controller.

Page 6: Content Switch Operations
(Figure; recoverable component labels.) Incoming Packets; Header Content Extraction; Packet Classification; Content Switching Rule Matching Algorithm; Content Switch Rules; CS Rule Editor; Packet Routing (Load Balancing); Network Path Info; Server Load Status; Forward Packet To Servers.

Page 7: The Main Tasks of a Content Switch
Packet Classification:
- Rule configuration.
- Rule matching process.
TCP Traffic Forwarding Method:
- NAT, IP Tunnel, IP Direct Routing.
- Delayed binding.

Page 8: Two Design Approaches for a Content Switch
- Process content switching at the application level. Examples: Apache, JServ, Java Servlet.
- Process content switching at the TCP/IP level. This requires modifying the operating system kernel. Example: using NAT to develop a content switch.

Page 9: Cisco Content Engine 2.20 (CE)
Cisco CE supports HTTP and HTTPS proxy servers. CE examines each web request and decides on an action such as block, cache, or proxy. The rule syntax is:
rule action pattern-type patterns
Examples:
rule no-cache url-regex \.*cgi-bin.*
rule block domain \.foo.com bar.com
rule no-cache dst-ip
The first rule configures that incoming packets whose URL matches the pattern "*cgi-bin" will not be forwarded to the proxy servers.

Page 10: Intel Action/Classification Engines (ACEs)
ACE classifies incoming packets according to predefined rule files and then triggers the action in the associated action file. ACE uses the Network Classification Language (NCL) to configure rules. ACE is developed at the TCP/IP level.
Example of NCL:
Rule check_http {tcp && (tcp.sport==80)} {action_scan()}
- check_http is the name of the rule, {tcp && (tcp.sport==80)} is the class matching condition, and {action_scan()} is the action function for this condition.
- This rule means that an incoming request with protocol=tcp and port=80 goes to the action "action_scan()".
- NCL is simple to configure.

Page 11: More Examples of Content Switch Rules: Cisco Network Based Application Recognition
Router(config)#class-map match-all http_secure
Router(config)#match protocol secure-http
Router(config)#class-map match-any audio_video
Router(config)#match protocol http mime "audio/*"
Router(config)#match protocol http mime "video/*"
Router(config)#policy-map e-express
Router(config-pmap-c)#class http_secure
Router(config-pmap-c)#bandwidth 32
Router(config-pmap-c)#class audio_video
Router(config-pmap-c)#bandwidth 10
First define classes for secure HTTP requests and for audio/video requests, then distribute the outbound bandwidth for each class.

Page 12: More Examples of Content Switch Rules: Foundry ServerIron
ServerIron(config)#url-map gifPolicy
ServerIron(config-url-gifPolicy)#method suffix
ServerIron(config-url-gifPolicy)#match "gif" 1
ServerIron(config-gifPolicy)#default 2
ServerIron(config-gifPolicy)#exit
If the suffix of the URL in an incoming packet is gif, route to server group 1; otherwise route to server group 2.
Intel IX-API SDK:
Rule check_src {ip.src== } {action_A()}
Rule check_http {tcp && (tcp.sport==80)} {action_scan()}
The meaning of rule check_src is: if the source IP address matches, then execute the action function "action_A()".

Page 13: Content Switching Rule Matching Algorithm
Brute-force sequential execution: earlier rules have higher priority, which makes conflicts between rules easy to resolve.
Ways to speed up rule matching:
- Set flags based on the headers and content so that unrelated rules are bypassed.
- Use compiler-optimization techniques to speed up the rule set.

Page 14: Content Switch Rule Syntax
if (condition) then (action)
Example:
If ((iph->saddr== ) && (tcph->dport==80) && (iph->protocol==TCP)) then route_1(NONSTICKY, req_num, schedule)
- ((iph->saddr== ) && ...) is the combined condition.
- route_1() is the action subroutine. It will:
  > NONSTICKY means the connection is configured as a non-sticky connection;
  > schedule is the scheduling algorithm assigned to the connection;
  > for a non-sticky connection, the scheduler reschedules the real server every time the Content Switch receives an HTTP request;
  > add the newly scheduled real server to the connection list.

Page 15: Content Switch Rule Syntax
If (iph->protocol==UDP) then route_2(NONSTICKY, schedule)
- Matches if the incoming packet is a UDP packet.
- route_2() will: treat the connection as non-sticky, using the schedule to reschedule the real server every time.

Page 16: Content Switch Rule Syntax
If (http->cookie==VALUE) then route_3(STICKY, req_num, schedule)
- req_num is the number of the HTTP request within the connection.
- route_3() will:
  > if (req_num==1), this is the first request: schedule a real server based on the assigned scheduling algorithm;
  > else, this is not the first request: since the connection is sticky, the same real server is kept, so there is no need to reschedule a new real server or to check any other field.
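The route_1/route_2/route_3 rules of pages 13 to 16 as a brute-force sequential matcher with sticky and non-sticky handling, written as an added C example; it is not code from the slides. The packet view, the 10.0.0.1 source address (the slide leaves the address blank), the cookie value "user=gold", the connection table and the round-robin scheduler are all constructed.

```c
#include <stdint.h>
#include <string.h>
/* Constructed packet view (not the kernel's sk_buff): only the fields the
   slides' rules test, plus the parsed HTTP cookie when one was seen. */
enum { PROTO_TCP = 6, PROTO_UDP = 17 };
struct pkt {
    uint32_t saddr; uint16_t dport; uint8_t protocol;
    const char *cookie;   /* NULL when the request has no Cookie header */
    int req_num;          /* 1 = first HTTP request on this connection */
};
/* A rule is "if (condition) then (action)". STICKY keeps the real server
   chosen for request 1; NONSTICKY reschedules on every request. */
enum { NONSTICKY = 0, STICKY = 1 };
struct rule { int (*cond)(const struct pkt *); int sticky; };

#define ADMIN_IP 0x0A000001u   /* 10.0.0.1, constructed; the slide leaves it blank */
static int c_admin_http(const struct pkt *p) {
    return p->saddr == ADMIN_IP && p->dport == 80 && p->protocol == PROTO_TCP;
}
static int c_udp(const struct pkt *p) { return p->protocol == PROTO_UDP; }
static int c_cookie(const struct pkt *p) {
    return p->cookie != NULL && strcmp(p->cookie, "user=gold") == 0;
}
/* Brute-force sequential execution: the first matching rule wins, so the
   order of this table is the conflict-resolution policy. */
static const struct rule rules[] = {
    { c_admin_http, NONSTICKY },   /* route_1 */
    { c_udp,        NONSTICKY },   /* route_2 */
    { c_cookie,     STICKY    },   /* route_3 */
};
/* Connection list: server bound per connection id (0 = none, else index+1),
   plus a round-robin counter standing in for the "schedule" algorithm. */
static int bound[16], rr;

/* Returns the real-server index for this packet, or -1 when no rule matched.
   A sticky rule after the first request reuses the bound server without
   rescheduling and without checking any other field. */
int route(int conn, uint32_t saddr, uint16_t dport, uint8_t proto,
          const char *cookie, int req_num, int nservers) {
    struct pkt p = { saddr, dport, proto, cookie, req_num };
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (!rules[i].cond(&p)) continue;
        if (rules[i].sticky && req_num > 1 && bound[conn] > 0)
            return bound[conn] - 1;
        bound[conn] = rr++ % nservers + 1;
        return bound[conn] - 1;
    }
    return -1;
}
```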

Page 17: Packet Processing in Content Switch
(Figure with three panels: Phase 1, Phase 2, Phase 3; described on the next page.)

Page 18: Packet Processing in Content Switch
Phase 1: The client establishes a TCP connection with the Content Switch.
Phase 2: The Content Switch examines the content of the request, chooses a real server, and establishes a TCP connection with that real server.
Phase 3:
- NAT approach: the Content Switch forwards data between client and server.
- IP Tunnel / IP Direct Routing: client and server communicate directly without going through the Content Switch.

Page 19: Flow Chart of Content Switch (NAT), packet from client
(Flow chart; its decision nodes in outline form.)
packet from client -> input to ip_input
connection established?
  y: masquerade ip addr, port, seq.; forward the packet; return
  n: TCP/SYN?
    y: create ACK back msg; send back ACK to client; return
    n: TCP/data/ack?
      y: choose server; masq SYN msg; forward to server
      n: UDP?
        y: choose server; masq UDP packet; forward to server
        n: deliver to upper layer

Page 20: Flow Chart of Content Switch (NAT), packet from back-end server
(Flow chart; its decision nodes in outline form.)
packet from back-end server -> input to ip_forward
connection established?
  y: masq packet; forward it; return
  n: SYN/ACK?
    y: create connection hash table entry; masq ip addr, port, seq.; forward saved ip packet
    n: forward as normal
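An added C model of the three phases on page 18 and the two NAT flow charts above; it is not code from the slides. The switch answers the client's SYN itself, holds the HTTP request until a real server has been chosen, and then splices the two connections by rewriting sequence numbers. The connection table, the ISN values, the 256-byte hold buffer and the choice to reuse the client's ISN toward the server are assumptions; addresses and ports are left out so only the sequence space is modelled.

```c
#include <stdint.h>
#include <string.h>
/* Delayed binding over NAT: the switch completes the client handshake,
   holds the request until the rules pick a real server, then rewrites
   seq/ack numbers by the offset between its own ISN and the server's ISN. */
enum { ST_NEW, ST_CLIENT_ESTAB, ST_SYN_TO_SERVER, ST_SPLICED };
struct conn {
    int state, server;                 /* server: real server, -1 until chosen */
    uint32_t client_isn, switch_isn, server_isn;
    int32_t delta;                     /* server_isn - switch_isn */
    char saved[256]; size_t saved_len; /* client data held during phase 2 */
};
struct conn conns[16];                 /* the connection hash table, by id */

/* Phase 1: client SYN arrives. The switch answers with its own ISN and
   returns the ack number it puts in that SYN/ACK. */
uint32_t on_client_syn(int id, uint32_t client_isn, uint32_t switch_isn) {
    struct conn *c = &conns[id];
    memset(c, 0, sizeof *c);
    c->client_isn = client_isn; c->switch_isn = switch_isn; c->server = -1;
    c->state = ST_CLIENT_ESTAB;
    return client_isn + 1;
}
/* Phase 2: the first data segment (the HTTP request) is saved, not
   forwarded; `server` is the rule-matching result. Returns the seq number
   of the SYN now sent to the server (the client's ISN is reused so
   client->server seq numbers need no rewrite), or 0 on a state/size error. */
uint32_t on_client_data(int id, const char *data, size_t len, int server) {
    struct conn *c = &conns[id];
    if (c->state != ST_CLIENT_ESTAB || len > sizeof c->saved) return 0;
    memcpy(c->saved, data, len); c->saved_len = len; c->server = server;
    c->state = ST_SYN_TO_SERVER;
    return c->client_isn;
}
/* Phase 3: server SYN/ACK arrives. Record its ISN, compute the offset, and
   release the saved request. Returns the ack number sent to the server,
   or 0 if no SYN to a server is outstanding. */
uint32_t on_server_synack(int id, uint32_t server_isn) {
    struct conn *c = &conns[id];
    if (c->state != ST_SYN_TO_SERVER) return 0;
    c->server_isn = server_isn;
    c->delta = (int32_t)(server_isn - c->switch_isn);
    c->state = ST_SPLICED;
    return server_isn + 1;
}
/* Steady state ("masq ip addr, port, seq."): acks from the client move
   forward by delta, seqs from the server move back by delta (mod 2^32). */
uint32_t masq_client_ack(int id, uint32_t ack) { return ack + (uint32_t)conns[id].delta; }
uint32_t masq_server_seq(int id, uint32_t seq) { return seq - (uint32_t)conns[id].delta; }
```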