1 / 234

StoneBeat™ FullCluster 2.0 TRAINING WELCOME! Firstname Lastname Companyname

StoneBeat™ FullCluster 2.0 TRAINING WELCOME! Firstname Lastname Companyname first.lastname@company.name. StoneBeat FullCluster 2.0 Course Structure. Unit 1 - Overview Unit 2 - Planning the Installation Unit 3 - Installing StoneBeat FullCluster

rufus
Télécharger la présentation

StoneBeat™ FullCluster 2.0 TRAINING WELCOME! Firstname Lastname Companyname

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. StoneBeat™FullCluster 2.0 TRAINING WELCOME! Firstname Lastname Companyname first.lastname@company.name

  2. StoneBeat FullCluster 2.0 Course Structure • Unit 1 - Overview • Unit 2 - Planning the Installation • Unit 3 - Installing StoneBeat FullCluster • Unit 3A - Installing StoneBeat FullCluster for FireWall-1 • Unit 3B - Installing StoneBeat FullCluster for Gauntlet • Unit 3C - Installing StoneBeat FullCluster for Raptor • Unit 4 - Configuring StoneBeat FullCluster • Unit 5 - Advanced Configuration • Unit 6 - Customizing the Test Subsystem • Unit 7 - Management

  3. StoneBeat FullCluster 2.0 Engineer Course • DAY 1: • Unit 1 - Overview • Unit 2 - Planning the Installation • Lab: Lab Network Topology • Unit 3 - Installing StoneBeat FullCluster • Unit 4 - Configuring StoneBeat FullCluster • Lab: Installing StoneBeat FullCluster

  4. StoneBeat FullCluster 2.0 Engineer Course • DAY 2: • Lab: Installing StoneBeat FullCluster (continued) • Unit 5 - Advanced Configuration • Lab: filter.conf settings • Lab: Fetching NAT Rules (FireWall-1 course only) • Unit 6 - Customizing Test Subsystem • Lab: Test Subsystem • Unit 7 - Management • Lab: GUI and Command Line Interface

  5. StoneBeat FullCluster 2.0 Engineer Course • DAY 3: • Additional Labs • Lab: Fix the broken FullCluster demo site: Ten problems • Lab: Switch Configuration • Lab: VPN Tunnel • Training Review • Certification Exam

  6. StoneBeat™ FullCluster 2.0 Unit 1 Overview

  7. Unit 1 - Contents • Load Balancing / Cluster • What is StoneBeat FullCluster? • How StoneBeat Technology Addresses Customer Needs • More Considerations • Concepts and Terminology • General Terminology • StoneBeat Specific Terminology • FullCluster Specific Terminology • FullCluster Operating Principles • Dynamic Load Balancing • Graceful Shutdown • Node Failure

  8. External network Primary Secondary Internal network StoneBeat 3.x: Hot Standby • Hot Standby is the most simple and reliable approach to High Availability and should always be deployed as the primary choice unless there are specific reasons why some other approach should be chosen.

  9. StoneBeat 3.x: Hot Standby What customers may say • Only 50% of HW investment is being used • Other gateway “sits there doing nothing” Response • Hot Standby architecture ensures equal throughput • Simple configuration • Enables on-line maintenance • HA is insurance against unexpected • When throughput requirement increases, Hot Standby can be easily upgraded to a FullCluster without changing the network topology

  10. Primary Secondary StoneBeat 3.x: Load Sharing External network Internal network

  11. StoneBeat 3.x: Load Sharing Some facts about Load Sharing • Static process where traffic is shared according to policy-based routing or network topology • Share criteria may be source, destination, direction, but usually it must be one of them, not many of them together • Actual load on gateways is never equal • Requires deep understanding of routing and type and volume of traffic in the network • Load Sharing may require the configuring of external routers

  12. FW FW FW FW Load Balancing / Full Cluster Internet Internal network

  13. Load Balancing / Full Cluster Some Facts about Load Balancing • Dynamic process that enables Firewalls to balance the load so that none of the gateways is overloaded • “Hopping” IP-addresses is NOT dynamic load balancing • Doesn’t require changing network topology or addressing • Combined throughput is the combined throughput of all gateways

  14. What is StoneBeat FullCluster? • First real product that combines Clustered Load Balancing, High Availability and ability for on-line maintenance • Ideal for installations with huge throughput requirement • e-commerce • e-banking • MSP / ISP • Deployment does NOT require configuration changes to the network topology • Easy step up from Hot Standby if that runs out of capacity

  15. FW FW FW FW StoneBeat FullCluster - Up to 16 Nodes Internet Internal network

  16. StoneBeat Management GUI • The StoneBeat FullCluster GUI monitors all product sites

  17. StoneBeat Management GUI • Easy-to-read visual representation

  18. LBfilter LBfilter LBfilter StoneBeat FullCluster Load Balancing Filter • The Load Balancing Filter acts as a filter between the NIC driver and Firewall and allows only a portion of incoming network traffic through to the host. IP Firewall NIC NIC NIC

  19. StoneBeat FullCluster Balancing Algorithm • Traffic packet selection is based on a fast load balance algorithm. • Packet fields... • Source IP • Source Port • Destination IP • Destination Port ...are used as input.

  20. StoneBeat FullCluster Balancing Algorithm • Load balancing function decides which node handles that connection. • Cluster status is part of the load balancing function • When a failover happens, connections that were handled by the dropped device are divided between the remaining devices according to their relative capacities • When new machines are added to the cluster, the algorithm takes care of giving a proper amount of connections to the new machines

  21. Online Standby Standby Standby State Transitions • Standby state enables hot standby configurations • Automatic online transition of the first node • Minimum number of online nodes • A failed test with an offline transition as the action brings the node offline only if there are enough nodes online • A new ‘forceoffline’ action can be used to bring the node offline

  22. Summary: StoneBeat FullCluster • Firewall Load Balancing Cluster with one identity • Unmatched scalability, just add more machines if more throughput is required • Simple configuration, NO master device, NO shared HW • Combined throughput is a sum of each individual gateway • Best protection of hardware investment • Hardware within cluster may be different as long as it runs the same OS. • All current features are preserved • On-line maintenance • Transparent switchover • Configurable test subsystem

  23. Summary: StoneBeat Technology Eliminates outages caused by a hardware component outages caused by software fault unnecessary maintenance breaks • Supports • on-line service and administration • transparent switchover • different platforms and network topologies • Load Balancing • Scales • well to meet higher bandwidth requirements

  24. More Considerations Throughput requirements (one Firewall identity) • Less than 100 Mbit/s • Hot Standby • NT up to 30 Mbit/s • Unix (Solaris/AIX/HP-UX) up to 50 Mbit/s • 50-100 Mbit/s Hot Standby or Cluster depending on other factors • More than 100 Mbit/s • Load Balancing Cluster • Only Ethernet supported • Solaris, Linux and Windows NT environments only

  25. General Terminology !! A good understanding of these few basic terms becomes very important in implementing FullCluster. Additional reading is recommended. Control Protocol IGMP ONIC MAC Address Heartbeat Cluster IP Address CNIC Multicast Address Clustering Protocol Unicast Address

  26. General Terminology • MAC Address • Media Access Control Address • Interface specific address that chooses packets from the network.

  27. External Network Firewall node Firewall node Internal Network General Terminology • Unicast MAC Address • Unique address that identifies one single interface External HUB Firewall node Internal HUB Control HUB

  28. External Network Firewall node Firewall node Internal Network General Terminology • Multicast MAC Address • Identifies a multicast group membership • Can be used by 0 - n interfaces External HUB Firewall node Internal HUB Control HUB

  29. External Network Firewall node Firewall node Internal Network External HUB Firewall node Internal HUB Control HUB General Terminology • Unicast IP Address • Identifies a single networked device (interface) • Corresponding MAC address is always defined via an ARP enquiry dynamically • Your “business-as-usual” IP addresses 192.168.168.10

  30. External Network Firewall node Firewall node Internal Network External HUB Firewall node Internal HUB Control HUB General Terminology • Multicast IP Address • Identifies a set of devices (interfaces) that function as a group • RFC determines range reserved for local use (http://www.iana.org):IP: 239.255.0.0 - 239.255.255.255MAC: 01:00:5E:1F:00:00 - 01:00:5E:1F:FF:FF 239.255.168.10 239.255.168.10 239.255.168.10

  31. External Network Firewall node Firewall node Internal Network External HUB Firewall node Internal HUB Control HUB General Terminology • IGMP (Internet Group Management Protocol) • Enables systems to join or leave a multicast group • Used to inform routers about memberships in multicast groups • Some switches utilize this information to avoid flooding Me too!

  32. General Terminology • Certificate • Unique • CA- Certificate Authority • Grants certificates • PEM - Privacy Enhanced Mail

  33. StoneBeat Specific Terminology • Firewall node • A gateway machine running the Firewall and StoneBeat OR StoneBeat FullCluster Modules. • HA Unit • Pair of Firewall nodes, Hot Standby or Load Sharing • Cluster • Collection of HA Units (term used within the GUI)

  34. StoneBeat Specific Terminology • FullCluster • Collection of Load Balancing nodes having single identity • StoneBeat site • Consists of two or more Firewall nodes that have a single identity. • Group • Concept in the GUI that allows grouping of the above for management and viewing purposes

  35. StoneBeat Specific Terminology In StoneBeat 3.x • software component running on the Firewall that implements the heartbeat protocol, test subsystem and automatic switchover procedure. Coordinates manually activated switchovers. • StoneBeat module In StoneBeat FullCluster • software component running on the Firewall that implements the heartbeat protocol, test subsystem and performs load balancing. Handles control connections with StoneBeat GUI clients.

  36. StoneBeat Specific Terminology • ONIC - Operative Network Interface Card • Interfaces used to handle normal operative traffic. • Connects the Firewalls themselves to internal, external and DMZ networks. • All ONICs are controlled by StoneBeat. • ONICs connected to the same network have exactly the same IP and MAC addresses, allowing site to be viewed as one identity. • CNIC - Control Network Interface Card • Dedicated to communications between Firewalls and the management system. • Not controlled by StoneBeat, they are always up, regardless of the state of the system. • Possible to have several.

  37. StoneBeat Specific Terminology • ID CNIC • CNIC which has the IP address of the Firewall’s hostname. • The IP address of ID CNIC is used by management systems to communicate with the Firewall. • Test Subsystem • Runs on all Firewalls to detect hardware and software failures • Can be used to monitor the operating system, network interfaces and FireWall operation. • Depending on the configuration, the test subsystem will generate alerts or activate the switch over if a test program fails. • Is completely configurable: any shell command can be run as a test.

  38. StoneBeat Specific Terminology • Control Protocol • The management system communicates with each of the Firewalls it manages by using the IP address of the Firewall’s identity CNIC (ID CNIC). • Heartbeat Protocol In StoneBeat 3.x • Connection between StoneBeat modules. Used to pass commands and state information between the Firewalls. The default link is established between ID CNICs. In StoneBeat FullCluster • The heartbeat protocol requires a separate interface and a dedicated LAN to make the connection more secure. The control connections can either utilize this network, or a separate interface can be set up for the control connections.

  39. StoneBeat Specific Terminology • Passphrase • In StoneBeat 3.x, the passphrase forms the shared secret between modules and management • In StoneBeat FullCluster, the passphrase is used to encrypt key and certificate PEM files

  40. FullCluster Specific Terminology • Heartbeat Interface (a.k.a. Protocol Interface) • The StoneBeat FullCluster members communicate with each other through a dedicated heartbeat network using a special clustering protocol. • The Firewall machines use the protocol both to synchronize their views of the state of the cluster and to verify each other’s presence. • Like a human heartbeat, the traffic in the node-to-node network is what keeps StoneBeat FullCluster going. • Clustering Protocol • Used by heartbeat amongst nodes • Ethernet Multicast

  41. FullCluster Operating Principles Important features - Scalable clustering • Firewall machines are joined together to form a unified entity using control and clustering protocols • Clustering protocol allows all nodes to share identical view of state • Information is exchanged on • Which nodes are online • What is the capacity of each online node • How much load each node is handling

  42. FullCluster Operating Principles Important features - Load balancing between the nodes • Load redistributed when nodes come online/go offline • All packets belonging to a single connectionpass through the same node • Load does not oscillate between nodes • Load is redistributed if one of the nodes is overloaded

  43. FullCluster Operating Principles FullCluster in action When a FullCluster node fails • it is switched offline and traffic going through itis moved to other nodes • an error report is generated • administrator intervention is required to get the node back online

  44. The Lack of Synchronization and the consequences • FireWall-1 synchronization enables moving connections from one node to another. Because other applications used with StoneBeat FullCluster don’t have synchronization, other StoneBeat FullCluster products than FullCluster for FireWall-1 • have a different kind of dynamic load balancing • need a graceful shutdown period when a node will be put offline • can’t maintain connections on the failed node if a node fails because of a hardware or a software failure

  45. Dynamic Load Balancing Dynamic load balancing in other products than StoneBeat FullCluster for FireWall-1 does not move established connections from one node to another. Dynamic load balancing affects only new connections. From the end user point of view, dynamic load balancing works the same way in all StoneBeat FullCluster products.

  46. Dynamic Load Balancing inStoneBeat FullCluster for FireWall-1 OVERLOAD

  47. a few seconds pass... Dynamic Load Balancing inother StoneBeat FullCluster products a few seconds pass... OVERLOAD

  48. Graceful Shutdown When shutting down a node, a graceful shutdown period must pass before the node will go offline. During the graceful shutdown period, the node will not get any new connections, but it will handle the connections it had before commanded to go offline. Graceful shutdown enables online maintenance without users noticing any outages on the service.

  49. OFFLINE Online Maintenance inStoneBeat FullCluster for FireWall-1 GO OFFLINE

  50. OFFLINE Online Maintenance inother StoneBeat FullCluster products GO OFFLINE

More Related