DAILY NEWS AND INFORMATION
FOR THE GLOBAL GRID COMMUNITY / AUGUST 25, 2003; VOL. 2 NO. 34
Systems/Enterprise:
DIVERSE TRAFFIC MEANS NETWORK GRIDLOCK
In today's diverse networks, load balancers are having to work harder, and
smarter, to handle the wide range of network traffic. It is no longer
acceptable to simply route material to the machine with the most
availability.
Greater intelligence, security, and performance are the three areas that
load-balance vendors continue to improve. Foundry Networks' new ServerIron switches
have been designed to be the front line of defense in denial-of-service
attacks. The ServerIron device can detect multiple TCP connection requests
coming from the same client and shield the server from ever seeing the
requests. The ServerIron products can protect against attacks that are as fast
as Gigabit Ethernet wire speed.
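The detection described above, a device that notices many connection requests from one client inside a short interval and drops the excess before the server sees them, can be illustrated with a small per-source sliding-window limiter. This is an added example written for this page, not Foundry's code; the limits, the addresses and the request timeline are all constructed for the demonstration.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple


class ConnectionRequestGuard:
    """Per-source limiter for TCP connection requests.

    Keeps the timestamps of recent connection requests for each client
    address in a sliding window. Once a client exceeds the allowed count
    inside the window, further requests are dropped before they reach the
    protected server, so the server never sees the excess.
    """

    def __init__(self, max_requests: int, window_seconds: float) -> None:
        self.max_requests = max_requests
        self.window = window_seconds
        self._history: Dict[str, Deque[float]] = {}

    def admit(self, client_ip: str, now: float) -> bool:
        """Return True if the request may be forwarded, False if it is shed."""
        recent = self._history.setdefault(client_ip, deque())
        # Drop timestamps that have aged out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_requests:
            return False  # shield the server: this client is over its budget
        recent.append(now)
        return True


# Constructed sample timeline: (seconds, client address).
# A normal client sends a few requests spread over two seconds, while a
# second client (an assumed flood source) sends twelve within 0.6 seconds.
LEGIT_CLIENT = "198.51.100.7"
FLOOD_CLIENT = "203.0.113.9"
SAMPLE_REQUESTS: List[Tuple[float, str]] = sorted(
    [(0.0, LEGIT_CLIENT), (0.5, LEGIT_CLIENT), (1.2, LEGIT_CLIENT), (2.0, LEGIT_CLIENT)]
    + [(round(0.10 + 0.05 * i, 2), FLOOD_CLIENT) for i in range(12)]
)


def filter_requests(requests: List[Tuple[float, str]],
                    max_requests: int = 5,
                    window_seconds: float = 1.0):
    """Split a request timeline into (forwarded, dropped) lists.

    The budget of five requests per second per source is an assumption
    chosen for the demonstration, not a vendor default.
    """
    guard = ConnectionRequestGuard(max_requests, window_seconds)
    forwarded: List[Tuple[float, str]] = []
    dropped: List[Tuple[float, str]] = []
    for when, client in requests:
        (forwarded if guard.admit(client, when) else dropped).append((when, client))
    return forwarded, dropped


if __name__ == "__main__":
    ok, shed = filter_requests(SAMPLE_REQUESTS)
    print(f"forwarded={len(ok)} dropped={len(shed)}")
    for when, client in shed:
        print(f"  dropped t={when:.2f} from {client}")
```

The normal client is never affected because its requests are spaced out; the flooding client gets its first five requests through and the remaining seven are shed. A hardware device does the same bookkeeping in the data path; the point is that the decision is made per source and before the server allocates any connection state.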
Load-balancing devices with Layer-7 capabilities also are being used to
improve server scalability and availability when handling applications and
content traffic based on XML.
For example, an XML-aware switch could detect different tags identifying
suppliers and customers and route supplier traffic to an inventory
application, and customer traffic to a trouble-ticket application.
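Content-based routing on XML, as in the supplier/customer example above, amounts to parsing the payload far enough to identify its type and then looking the type up in a routing table. The following is an added example written for this page, not any vendor's switch logic; the element names, the pool names and the sample documents are constructed. It also handles the two cases a router must get right: malformed XML and an unrecognised document type both fall back to a default pool rather than being guessed into an application.

```python
import xml.etree.ElementTree as ET

# Constructed routing table: root element name -> backend pool. The names
# are hypothetical; a real deployment would carry its own schema and pools.
ROUTES = {
    "supplierOrder": "inventory-app",
    "customerRequest": "trouble-ticket-app",
}
DEFAULT_POOL = "default-pool"

# Payloads above this size are not parsed at all. The figure is an assumption
# for the demonstration; the purpose is to keep the router from spending
# CPU on oversized documents before a decision is made.
MAX_PAYLOAD_BYTES = 64 * 1024


def root_element_name(payload: bytes) -> str:
    """Return the root element's local name, or '' if the XML is unusable."""
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return ""
    # ElementTree reports namespaced tags as '{uri}local'; keep only 'local'.
    return root.tag.split("}", 1)[-1]


def classify_xml(payload: bytes) -> str:
    """Pick the backend pool for an XML payload from its root element.

    Oversized, malformed or unrecognised documents go to the default pool
    so that unexpected input never reaches a sensitive application by
    accident. Production routers should also disable DTD processing (for
    example by parsing with defusedxml) before trusting a document's shape.
    """
    if len(payload) > MAX_PAYLOAD_BYTES:
        return DEFAULT_POOL
    return ROUTES.get(root_element_name(payload), DEFAULT_POOL)


# Constructed sample documents.
SAMPLE_SUPPLIER = b"<supplierOrder><sku>AB-100</sku><qty>12</qty></supplierOrder>"
SAMPLE_CUSTOMER = b'<c:customerRequest xmlns:c="urn:example:cust"><id>42</id></c:customerRequest>'
SAMPLE_BROKEN = b"<supplierOrder><sku>AB-100"
SAMPLE_UNKNOWN = b"<auditLog/>"


if __name__ == "__main__":
    for doc in (SAMPLE_SUPPLIER, SAMPLE_CUSTOMER, SAMPLE_BROKEN, SAMPLE_UNKNOWN):
        print(f"{doc[:30]!r:36} -> {classify_xml(doc)}")
```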
Load balancing multiple ISP links is another important feature added into the
ServerIron products. Instead of being forced to keep redundant ISP links idle,
enterprises can use all of their ISP links simultaneously. ServerIron can load
balance links based on such metrics as ISP pricing and host response time,
allowing businesses to reduce their overall cost of connectivity.
F5 Networks, another leader in the load-balancing field, is honing its
expertise in Layer-7 application switching. The company is partnering with
ISVs to develop specialized load balancers for proprietary applications.
F5's products go beyond HTTP and URL information to dig deeper into the TCP
payload. NTT DoCoMo, for example, is using F5's Big IP load balancer in its
i-mode service to identify caller IDs and sessions.
With F5's Universal Inspection Engine, customers can flexibly switch, persist,
and block traffic based on unique variables that the user can set.
F5 also is finding a unique way to deliver its product. It was the first
vendor to announce a blade-server strategy for users that want to save power
consumption, rack space and money, as well as get soup-to-nuts performance for
one application. F5 blades sit in devices supported by Hewlett-Packard, Dell,
IBM and NEC, among others.
Radware, another application-switching vendor, is concentrating its product
development on the security side of load balancing. Radware's feature set can
recognize 1,000 common attacks in real-time.
Radware switches also perform Secure Sockets Layer (SSL) acceleration -- a
must-have feature in application switches -- that decrypts SSL data and
routes it without unduly loading down server CPUs. Radware takes SSL
traffic management one step further, however, and cleanses it of any attacks
and untrusted data before re-encrypting the legitimate traffic and sending it
on its way.
The other advantage to Radware's SSL accelerator is that it is a discrete
device; some other vendors put an SSL card inside the load balancer, but a
discrete device offers a higher degree of scalability and better cost control
because there's a limit to the amount of transactions that an application
switch can handle.
Radware also offers a product called Content Inspection Director (CID) that
balances traffic loads among virus-scanning appliances and servers. CID
inspects Layer-7 information and directs possible threats to filtering
devices, such as mail scanners and intrusion-detection servers.
Value Play
The value player in switch load balancing is Coyote Point Systems, whose goal
is to make a load-balancing device that is very affordable and easy to manage.
Coyote Point's Layer-7 capable switches sell for about $6,000. Similar
devices from other vendors usually offer more state-of-the-art features and
can cost as much as three to four times more.
Coyote Point's Equalizer 7.0 product incorporates SSL hardware acceleration,
and Coyote Point also touts its ability to handle the proliferation of proxy
farms on the Web. Its session persistence capabilities have the client or
browser maintain a key to the session, in the form of a cookie or information
embedded in a URL, which is fed back into the load balancer to retain session
continuity.
Software Only
For network administrators who do not want to add another device to their
networks, software load balancers fit the bill.
Software solutions, such as Resonate, offer an advantage in that there is no
need for an external machine. Because Resonate's Central Dispatch product
installs an agent on each machine, the solution can calculate more statistics
-- such as CPU load, open connections, and network latency -- to give a more
accurate picture of a machine's health load.
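Two of the mechanisms described on this page, the health picture built from CPU load, open connections and latency (the Resonate discussion just above) and the cookie- or URL-carried session key (the Coyote Point discussion earlier), combine naturally in one scheduling decision: honour a valid persistence key, otherwise send the client to the healthiest machine and hand it a key. The following is an added example written for this page, not code from either vendor. The metric weights, the normalisation ceilings, the cookie and query-parameter names, the secret and the sample backends are all assumptions. The persistence key is an HMAC-signed backend name, so a client cannot steer itself to an arbitrary machine by editing the cookie; that signing is this example's design choice, not something the article states about either product.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class BackendHealth:
    """Agent-reported metrics for one machine (all values constructed)."""
    name: str
    cpu_load: float        # fraction 0.0 .. 1.0
    open_connections: int
    latency_ms: float


# Normalisation ceilings and weights are assumptions for the demonstration.
MAX_CONNECTIONS = 1000
MAX_LATENCY_MS = 500.0


def health_score(b: BackendHealth) -> float:
    """Higher is healthier: 1.0 minus a weighted mix of normalised metrics."""
    conn = min(b.open_connections / MAX_CONNECTIONS, 1.0)
    lat = min(b.latency_ms / MAX_LATENCY_MS, 1.0)
    return 1.0 - (0.5 * b.cpu_load + 0.3 * conn + 0.2 * lat)


# Persistence key handling. The secret is constructed for the demo; a real
# deployment loads it from protected configuration.
SECRET = b"constructed-demo-secret-do-not-reuse"
COOKIE_NAME = "LBPERSIST"   # hypothetical cookie name
URL_PARAM = "lbkey"         # hypothetical query-parameter name


def make_persist_token(backend: str) -> str:
    """Backend name plus an HMAC tag so the client cannot forge a key."""
    tag = hmac.new(SECRET, backend.encode(), hashlib.sha256).hexdigest()
    return f"{backend}.{tag}"


def verify_persist_token(token: Optional[str], available: Set[str]) -> Optional[str]:
    """Return the backend named by a valid token, else None.

    A token whose tag does not verify, or that names a machine no longer in
    the available set, is ignored so the client is rescheduled normally.
    """
    if not token or "." not in token:
        return None
    name, tag = token.rsplit(".", 1)
    expected = hmac.new(SECRET, name.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return name if name in available else None


def extract_token(cookie_header: str, url: str) -> Optional[str]:
    """Look for the key in the Cookie header first, then in the URL."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == COOKIE_NAME and value:
            return value
    values = parse_qs(urlsplit(url).query).get(URL_PARAM)
    return values[0] if values else None


def choose_backend(backends: List[BackendHealth],
                   cookie_header: str = "",
                   url: str = "/") -> Tuple[str, Optional[str]]:
    """Return (backend name, Set-Cookie value or None if an existing key was honoured)."""
    available = {b.name for b in backends}
    sticky = verify_persist_token(extract_token(cookie_header, url), available)
    if sticky:
        return sticky, None
    chosen = max(backends, key=health_score).name
    return chosen, f"{COOKIE_NAME}={make_persist_token(chosen)}"


# Constructed health reports from three machines.
SAMPLE_BACKENDS = [
    BackendHealth("web1", cpu_load=0.80, open_connections=400, latency_ms=50.0),
    BackendHealth("web2", cpu_load=0.30, open_connections=200, latency_ms=120.0),
    BackendHealth("web3", cpu_load=0.20, open_connections=900, latency_ms=300.0),
]


if __name__ == "__main__":
    name, set_cookie = choose_backend(SAMPLE_BACKENDS)
    print("new client ->", name, "|", set_cookie)
    name, set_cookie = choose_backend(SAMPLE_BACKENDS, cookie_header=set_cookie)
    print("returning client ->", name, "| new cookie:", set_cookie)
    print("tampered cookie ->", choose_backend(SAMPLE_BACKENDS, "LBPERSIST=web3.0000")[0])
```

With these sample reports web2 scores best (0.742) even though web3 has the lowest CPU load, because web3's connection count and latency drag its score down; that is the "more accurate picture" an agent-based scheduler can form. A forged or stale key simply falls through to the health-based choice and the client receives a fresh key.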
Hardware devices make the administrator choose between performance and
features. In software solutions, the packet flow goes from the request
scheduler to the machine with the best health load and then directly back to
the client. To do this "triangular data flow" in most load-balancing hardware,
the user has to turn on the "direct path return" feature.
But if the balancer is using advanced features, such as SSL acceleration or
persistence-based rules, some boxes require the direct path return to be
turned off. Additionally, if a hardware load balancer is set to use advanced
features, outbound traffic usually has to flow back out through the hardware
box.
Resonate's Central Dispatch and Global Dispatch products handle most types of
TCP/IP connections. Software solutions, of course, do not provide any
switching capabilities, and some experts consider them less secure and
reliable than switch solutions.