Not long ago a customer asked whether NetScaler could load balance transparent network security devices such as firewalls, next-generation firewalls, anti-spam gateways and IPS (Intrusion Prevention System) appliances. The performance of such devices often cannot be scaled out, and the customer wanted a way to grow and stabilize their throughput seamlessly.

Their reasons for looking at this were:

  1. They don’t want to pay the cost of two boxes (an active/standby pair) and get only the performance of one.
  2. They’re concerned that security checks such as L7 filters will degrade the performance of the security device.
  3. They consider using PBR (policy-based routing) on the router to dispatch traffic to those security devices too complex.
  4. Some security devices serve a single purpose; they don’t want all traffic to go through them.
  5. When the performance of a security device is no longer enough for production traffic, they want to add a new one seamlessly, or bypass some traffic, without any impact.
  6. DDoS attacks are becoming more frequent; the security device has to handle all the traffic and must not become a bottleneck.

Below is a simple topology of a transparent firewall deployment.

[Figure: topology of the transparent firewall deployment; image not included]

The key challenge here is to keep the security devices transparent: they stay in-line as bump-in-the-wire devices with no IP address of their own.

How can we load balance transparent network devices that have no IP address assigned?

Luckily, NetScaler 11.0 and later provide “Inter Traffic Domain Entity Bindings”, which make the following design possible.

[Figure: NetScaler design using Inter Traffic Domain Entity Bindings; image not included]

For details, please refer to CTX218537.

This design gives us the following benefits.

  1. The network security devices move from Active/Standby to Active/Active.
  2. The performance of the network security devices scales out seamlessly, up to 2047X.
  3. Traffic is bypassed to the router when all the security devices are down.
  4. Specific protocols, IPs or ports can be bypassed directly to the router without inspection by the security device, offloading the security device.
  5. With NetScaler Clustering, more NetScalers can be added seamlessly to support up to 5Tbps of traffic.

And when we integrate the security features of NetScaler, we get the following benefits at the same time.

  1. SYN flood protection.
  2. DNS DDoS protection.
  3. Client IP filtering with IP Reputation.
  4. Client IP filtering with IP Geolocation.
  5. Client IP filtering with customized entries.

Interested in learning more? Don’t forget that NetScaler also offers the NITRO API, Responder, Rewrite and HTTP Callout, which let you build an auto-protection system on top of this design.
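As an added example (not code from the original post or from Citrix), here is a minimal auto-protection loop in Python. It scans constructed IPS/firewall log lines, picks out source IPs that exceed a DROP threshold, and turns each one into a NetScaler extended ACL through the NITRO REST API: a POST to the `nsacl` resource per IP, followed by `nsacls?action=apply` so the ACL table takes effect. The NSIP, credentials, log format, threshold and the `auto_deny_` naming scheme are assumptions for illustration; the requests are prepared but only sent when `send=True`.

```python
import json
import re
import urllib.request
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log lines (not real data): one inline-device verdict per line.
SAMPLE_LOG = """\
2016-10-27T10:00:01Z DROP src=203.0.113.7 dst=198.51.100.10 proto=TCP dport=80
2016-10-27T10:00:01Z DROP src=203.0.113.7 dst=198.51.100.10 proto=TCP dport=80
2016-10-27T10:00:02Z DROP src=203.0.113.7 dst=198.51.100.10 proto=TCP dport=443
2016-10-27T10:00:02Z ALLOW src=192.0.2.55 dst=198.51.100.10 proto=TCP dport=80
2016-10-27T10:00:03Z DROP src=198.18.0.9 dst=198.51.100.11 proto=UDP dport=53
2016-10-27T10:00:03Z DROP src=203.0.113.7 dst=198.51.100.12 proto=TCP dport=22
"""

# Matches the source IP of a DROP verdict only; ALLOW lines are ignored.
DROP_SRC_RE = re.compile(r"\bDROP\b.*?\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def offending_ips(log_text: str, threshold: int = 3) -> List[str]:
    """Source IPs with at least `threshold` DROP events (the threshold is an assumed policy)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = DROP_SRC_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def acl_payload(ip: str, priority: int) -> Dict:
    """NITRO body for an extended ACL that denies all traffic from `ip`.

    Attribute names are those of the NITRO `nsacl` resource; the `auto_deny_`
    name prefix is our own convention so the ACLs can be found and aged out later.
    """
    return {
        "nsacl": {
            "aclname": "auto_deny_" + ip.replace(".", "_"),
            "aclaction": "DENY",
            "srcip": True,
            "srcipval": ip,
            "priority": priority,
        }
    }


class NitroClient:
    """Minimal NITRO v1 client built on the standard library only."""

    def __init__(self, nsip: str, user: str, password: str, scheme: str = "https"):
        self.base = f"{scheme}://{nsip}/nitro/v1/config"
        # NITRO accepts the credentials in these two headers on every request.
        self.headers = {
            "X-NITRO-USER": user,
            "X-NITRO-PASS": password,
            "Content-Type": "application/json",
        }

    def build(self, resource: str, body: Dict, action: Optional[str] = None) -> urllib.request.Request:
        """Prepare (but do not send) a POST to /nitro/v1/config/<resource>[?action=...]."""
        url = f"{self.base}/{resource}" + (f"?action={action}" if action else "")
        return urllib.request.Request(
            url, data=json.dumps(body).encode(), headers=self.headers, method="POST"
        )

    def send(self, req: urllib.request.Request) -> int:
        """Send a prepared request; the NSIP must present a certificate we trust."""
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status


def protect(client: NitroClient, log_text: str, threshold: int = 3,
            base_priority: int = 1000, send: bool = False) -> List[urllib.request.Request]:
    """Create one DENY ACL per offending IP, then apply the ACL table.

    Returns the prepared requests so they can be inspected (or sent when send=True).
    """
    reqs = []
    for i, ip in enumerate(offending_ips(log_text, threshold)):
        reqs.append(client.build("nsacl", acl_payload(ip, base_priority + i)))
    if reqs:
        # ACL changes on NetScaler only take effect after an explicit apply.
        reqs.append(client.build("nsacls", {"nsacls": {}}, action="apply"))
    if send:
        for req in reqs:
            client.send(req)
    return reqs


if __name__ == "__main__":
    client = NitroClient("192.0.2.1", "nsroot", "example-password")  # assumed NSIP and credentials
    for req in protect(client, SAMPLE_LOG):
        print(req.get_method(), req.full_url, req.data.decode())
```

In production the same loop would be fed by syslog from the inline devices or by a NetScaler HTTP Callout, and it needs a matching removal path (delete the `auto_deny_` ACLs after a timeout) so a spoofed source cannot lock a legitimate client out permanently.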
