Integrating Statefulness

NetScreen, Foundry add reliability intelligence to security appliances, don't compromise performance.

Data networks traditionally have not demanded the same degree of reliability and resiliency as the Public Switched Telephone Network. But as voice communications creep into data architectures, vendors of diverse network components are trying to integrate greater reliability intelligence into their devices.

As each component becomes more feature-rich, however, network performance can be compromised. In e-commerce applications, it is imperative that "statefulness"—the ability of a network to ensure that all requests from a given client are processed through the same server, what load balancing vendors also call session persistence or stickiness—is not compromised.

The problem of compromised statefulness is being addressed not just by security device makers but also by makers of switches, routers and load balancers. At the same time, security suppliers are trying to bring a higher degree of resiliency and redundancy to their own components.

NetScreen Technologies Inc., of Sunnyvale, Calif., said it is integrating statefulness and voice-grade resiliency into its security appliances. "We're bringing a level of resiliency into the network that typically has been found in the switching and routing environment," said Chris Roeckl, NetScreen director of product marketing and alliances. "Historically, data networks have been treated with a lesser degree of resiliency. In the telco world, it was a given."

The major switch vendors have built in resiliency but have not yet integrated statefulness, according to NetScreen officials. NetScreen is testing its security applications with some major networking equipment vendors, including Cisco Systems Inc., Extreme Networks Inc. and Juniper Networks Inc., as well as with load balancing vendors such as RiverStone Networks Inc. and Foundry Networks Inc.

"All networking devices are trying to address the same issue, which is that applications increasingly require statefulness," said Anshu Agarwal, marketing manager at Foundry, in San Jose, Calif., which builds high-availability traffic management and security Internet switches.

Foundry's Layer 4-7 switches, called ServerIron switches, range from an eight-port stackable model up to a Gigabit Ethernet 56-port chassis model, the largest of which can handle as many as 16 million concurrent client sessions. The latest versions encompass a variety of security and availability features, including symmetric server load balancing, in which two switches actively balance requests for the same virtual IP. Synchronizing session data between the two switches in this way enables stateful failover and doubles traffic throughput. Statefulness is also achieved by cookie switching and IP/virtual IP/port tracking, so that a returning client is sent back to the server holding its session and end users' experiences are consistent.
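The mechanisms described above, cookie switching, IP/port tracking and a session table shared between two balancers, are shown below in a constructed Python model. This is an added example, not Foundry's or NetScreen's code; the cookie name, server names, addresses and the round-robin assignment are assumptions. The persistence cookie is an opaque token rather than the server name, so it leaks nothing about the back end and a forged value cannot select a server.

```python
"""Constructed model of session persistence ("statefulness") with a session
table synchronized between two load balancers serving one virtual IP.

Two balancers front the same VIP (symmetric/active-active). A new client is
assigned a server (round robin here; the choice is balancer-local). The
assignment is pinned by an opaque persistence cookie, with the client's
source IP/port as a fallback when the cookie is absent. Because the table
is shared, the surviving balancer sends the client to the same server when
its peer fails (stateful failover). Not any vendor's implementation.
"""
import secrets
from dataclasses import dataclass, field
from itertools import cycle
from typing import Dict, Optional, Tuple

COOKIE_NAME = "SRVID"  # assumed cookie name


@dataclass
class Request:
    src_ip: str
    src_port: int
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    server: str
    set_cookie: Optional[str] = None  # token handed to a new client


class SessionTable:
    """Persistence entries. Sharing one instance between balancers stands in
    for the session synchronization between active-active peers."""

    def __init__(self) -> None:
        self.by_cookie: Dict[str, str] = {}
        self.by_client: Dict[Tuple[str, int], str] = {}


class LoadBalancer:
    def __init__(self, name: str, servers, table: SessionTable) -> None:
        self.name = name
        self.servers = list(servers)
        self._rr = cycle(self.servers)  # local state, never synchronized
        self.table = table
        self.alive = True

    def handle(self, req: Request) -> Response:
        if not self.alive:
            raise ConnectionError(f"{self.name} is down")
        # 1. Cookie switching: look the opaque token up in the shared table.
        token = req.cookies.get(COOKIE_NAME)
        if token is not None:
            srv = self.table.by_cookie.get(token)
            if srv in self.servers:
                return Response(server=srv)
            # Unknown, stale or forged token: fall through and reassign.
        # 2. IP/port tracking for clients that carry no cookie.
        key = (req.src_ip, req.src_port)
        srv = self.table.by_client.get(key)
        if srv in self.servers:
            return Response(server=srv)
        # 3. New session: assign a server and record it in the shared table.
        srv = next(self._rr)
        token = secrets.token_hex(16)
        self.table.by_cookie[token] = srv
        self.table.by_client[key] = srv
        return Response(server=srv, set_cookie=token)


def stateful_failover_demo(shared: bool) -> Tuple[str, str]:
    """Return (server chosen before failover, server chosen after failover)
    for one client. With a shared table both are the same server; without
    it the standby's own round robin picks a different one."""
    servers = ["web1", "web2", "web3"]
    table = SessionTable()
    lb_a = LoadBalancer("lb-a", servers, table)
    lb_b = LoadBalancer("lb-b", servers, table if shared else SessionTable())
    client = ("203.0.113.7", 51000)       # constructed client address
    first = lb_a.handle(Request(*client))
    lb_b.handle(Request("198.51.100.9", 43210))  # unrelated traffic on lb-b
    lb_a.alive = False                     # lb-a fails
    follow = lb_b.handle(Request(*client, {COOKIE_NAME: first.set_cookie}))
    return first.server, follow.server


if __name__ == "__main__":
    print("synchronized:", stateful_failover_demo(shared=True))    # same server
    print("unsynchronized:", stateful_failover_demo(shared=False))  # differs
```

The forged-cookie path matters in practice: a token the table does not recognize is treated as a new session rather than trusted, which is why the cookie carries an opaque identifier instead of a server name.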

ServerIron products also feature firewall load balancing, supporting as many as 32 firewalls, with the goal of giving IT managers a way to deliver security policy capabilities without compromising network performance. Other new security features unveiled by Foundry at NetWorld+Interop last week in Atlanta include a way to protect downstream traffic and ensure that only authorized requests reach servers, preventing hackers from overwhelming them by sending continuous requests, as with distributed denial-of-service attacks.