Although firewalls are highly effective at preventing network intrusion and have become a key factor in delivering secure Web sites and services, all of this security comes at a high cost. In short, the firewall limits performance and scalability. Because the firewall is an inline device, it is also a potential single point of failure that reduces network availability.
Combining firewall technology with the new Web switching technology can greatly improve the performance, availability and scalability of the firewall.
The most common firewall is software installed on a server. Two NICs are installed in the server, which is placed in the data path. One NIC is connected to the public side of the network, usually a router connected to the Internet (the so-called "unclean" side of the firewall). The other NIC is connected to the resources that must be protected (the "clean" side of the firewall).
Because the firewall sits in the data path, all traffic between the unclean side and the clean side must flow through it, which limits network performance and scalability. The firewall inspects each packet using filtering technology and other policies preset by the network administrator.
The problem is that the processing architecture best suited to a firewall is not suited to inspecting high volumes of packets. Scaling firewall performance is difficult because it usually means costly upgrades: higher-performance configurations and servers with the most powerful processors currently available.
The new Web switching technology is widely regarded as the solution for expanding firewall capacity and improving the overall availability of firewall devices. To load-balance firewalls, two Web switches are required: one installed on the clean side of the firewalls and the other on the unclean side. Each Web switch forwards incoming IP traffic to the corresponding Web switch on the other side of the firewalls, distributing the load across several firewalls. The firewalls can therefore run in parallel, firewall performance scales out, and the firewall is no longer a single point of failure.
Unlike traditional packet switches, Web switches can track individual TCP sessions at Ethernet and Gigabit Ethernet speeds. Because a firewall is a stateful device, all packets belonging to a session must flow through the same firewall. The Web switch intelligently maintains state for the flows passing through the firewalls, ensuring that all traffic between a given IP source/destination address pair traverses the same firewall. This in turn preserves the sessions the firewall has established.
Firewall load balancing can also offload the traffic-filtering work the firewall would otherwise perform, which is the main benefit of deploying a "DMZ". The DMZ holds resources that require public access from the Internet, such as Web servers. The Web switch must have a traffic-filtering function to decide which packets are delivered to the DMZ and which must pass through the firewall. Removing this filtering from the firewall greatly improves firewall performance and speeds up user traffic.
The Web switch is configured to allow or deny access to the DMZ servers. This gives two levels of security: at one level, filters configured on the Web switch restrict access; at the other, the firewall's stateful inspection restricts access.
To ensure high availability of the firewalls, the Web switch continuously sends echo requests (pings) to each port on the corresponding Web switch on the other side of the firewalls to monitor the "health" of each firewall. If a firewall or Web switch port fails, traffic is redistributed to the remaining "healthy" Web switch ports and their firewalls.
Firewall load balancing uses the new Web switching technology to solve many of the performance and scalability problems caused by firewalls. It lets firewalls run in parallel, and without major upgrades it greatly improves efficiency, scales out performance, and eliminates the possibility that the firewall becomes a single point of failure.
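The following is an added example, not code from the original article or from any switch vendor. It is a small Python simulation of the Web switch behaviour described above: the switch first applies its own DMZ allow/deny filter, then pins each IP source/destination pair to one firewall so that stateful inspection sees every packet of a session, and on a failed health check it reassigns only the flows that were on the dead firewall. The flow key is the unordered address pair, so the clean-side switch (which sees replies with the addresses swapped) makes the same choice as the unclean-side switch. The hashing scheme, the flow-table design and all addresses (drawn from documentation ranges) are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Firewall:
    """One firewall in the load-balanced pool (constructed for the example)."""
    name: str
    healthy: bool = True


class WebSwitch:
    """Hypothetical model of a Web switch on one side of the firewall pool."""

    def __init__(self, firewalls, dmz_rules):
        self.firewalls = list(firewalls)
        # dmz_rules: ordered list of (dst_ip, dst_port or None, verdict); first match wins.
        self.dmz_rules = dmz_rules
        # flow_table: unordered (ip, ip) pair -> firewall name, giving session persistence
        self.flow_table = {}

    @staticmethod
    def flow_key(pkt):
        # Order-independent so both directions of a session hash identically.
        return tuple(sorted((pkt["src"], pkt["dst"])))

    def classify(self, pkt):
        """Apply the switch's own filter: 'DMZ', 'DROP', or 'FIREWALL' (needs inspection)."""
        for dst_ip, dst_port, verdict in self.dmz_rules:
            if pkt["dst"] == dst_ip and (dst_port is None or pkt["dport"] == dst_port):
                return verdict
        return "FIREWALL"

    def select_firewall(self, pkt):
        """Return the firewall name for this flow, pinning new flows by hash."""
        key = self.flow_key(pkt)
        if key in self.flow_table:
            return self.flow_table[key]          # existing session: keep the same firewall
        healthy = [fw for fw in self.firewalls if fw.healthy]
        if not healthy:
            return None
        digest = hashlib.sha256("|".join(key).encode()).digest()
        fw = healthy[int.from_bytes(digest[:4], "big") % len(healthy)]
        self.flow_table[key] = fw.name
        return fw.name

    def forward(self, pkt):
        """Full switch decision for one packet."""
        verdict = self.classify(pkt)
        if verdict != "FIREWALL":
            return verdict
        fw = self.select_firewall(pkt)
        return f"FIREWALL:{fw}" if fw else "DROP"

    def health_check(self, ping_results):
        """ping_results: {firewall_name: bool}, the outcome of pinging the peer switch port."""
        for fw in self.firewalls:
            fw.healthy = ping_results.get(fw.name, False)
        dead = {fw.name for fw in self.firewalls if not fw.healthy}
        # Only flows that were on a failed firewall lose their pin; the rest stay put,
        # so healthy firewalls do not see their sessions break during failover.
        self.flow_table = {k: v for k, v in self.flow_table.items() if v not in dead}


def make_demo_switch():
    """Three firewalls and a DMZ Web server (192.0.2.80) reachable only on port 80."""
    pool = [Firewall("fw1"), Firewall("fw2"), Firewall("fw3")]
    rules = [("192.0.2.80", 80, "DMZ"),     # public Web traffic bypasses the firewalls
             ("192.0.2.80", None, "DROP")]  # anything else to the DMZ host is denied
    return WebSwitch(pool, rules)


if __name__ == "__main__":
    sw = make_demo_switch()
    req = {"src": "203.0.113.5", "dst": "198.51.100.10", "dport": 22}
    reply = {"src": "198.51.100.10", "dst": "203.0.113.5", "dport": 40000}
    print("request :", sw.forward(req))
    print("reply   :", sw.forward(reply))          # same firewall as the request
    print("dmz http:", sw.forward({"src": "203.0.113.5", "dst": "192.0.2.80", "dport": 80}))
    print("dmz tel :", sw.forward({"src": "203.0.113.5", "dst": "192.0.2.80", "dport": 23}))
    lost = sw.forward(req).split(":")[1]
    sw.health_check({fw.name: fw.name != lost for fw in sw.firewalls})
    print("after", lost, "fails:", sw.forward(req))
```

Two details matter for a real deployment and are reflected above: the pin must survive membership changes for flows on surviving firewalls (a plain hash-modulo over the healthy set would reshuffle them and break their stateful sessions), and the DMZ rules are evaluated before firewall selection, which is exactly the offload the text describes.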