StoneGate Multi-Link™
Ensuring Always-on Connectivity with Significant Savings

Contents
Executive Summary 3
How Multi-Link Works 4
Inbound Traffic 9
VPN Traffic 11
A Proven Technology Driving Customer Successes 13
Whitepaper StoneGate Multi-Link™

Executive Summary

In today’s 24x7x365 world, virtually every type and size of organization depends on always-on network connectivity. Service interruptions can mean lost revenue when an online trading company can’t execute orders, lost clients for a law firm if its attorneys can’t file briefs in time, or even lost lives if critical patient data is not immediately available when needed. According to Infonetics*, organizations are losing as much as 2.2 percent of their annual revenue due to downtime.
Whether communicating with customers, partners or employees, organizations rely on continuous connectivity anytime, anywhere.
Traditionally, connections provided by Internet links have been a single point of failure. In order to eliminate this risk, organizations have resorted to complicated and costly solutions such as redundant systems, separate “failover” or “standby” products, complex protocols like Border Gateway Protocol (BGP), and different connection types like Multi-protocol Label Switching (MPLS) and Frame Relay.
Now there’s a better approach. Stonesoft’s patented StoneGate Multi-Link™ technology, built into its suite of StoneGate Firewall/VPN solutions, provides organizations with highly available Internet connectivity in a simple, straightforward and cost-effective manner. If one line fails, traffic is automatically switched over to the remaining links. Because neither a complicated solution like BGP nor a separate Wide Area Network (WAN) load balancer is required, there is no need for BGP-capable routers or an additional layer of load balancing hardware either, which means not only cost savings but also a simplified infrastructure.
Multi-Link technology can integrate with any type of connection to ensure inbound, outbound and VPN traffic is delivered securely through the fastest connections without incident or disruptive downtime. Multi-Link can accommodate Digital Subscriber Lines (DSL), leased lines, cable modems, satellite, and even WAN links such as point-to-point, MPLS, and Frame Relay. As a result, organizations gain the flexibility to deploy any type or number of connections that are best suited for their environment and their budget.
Combined with StoneGate’s active load balancing and Quality of Service (QoS) capabilities, Multi-Link also optimizes networks and supports emerging technologies such as Voice over IP (VoIP) and video conferencing. As a result, organizations can gain granular control of their networks and ensure the availability of applications that are mission-critical to their operations.
Outbound Traffic

A single connection to the Internet is a single point of failure. If the connection becomes unavailable, all outbound traffic is blocked. To prevent this, Stonesoft’s patented Multi-Link technology distributes outbound traffic between multiple network connections. Multi-Link ensures that Internet connectivity remains available even if one or more network connections fail. The StoneGate Firewall/VPN can also load balance outbound traffic between the network connections to use the available Internet connection capacity more efficiently.
Organizations can use Multi-Link on both single and clustered firewalls. The network connections for Multi-Link are represented by netlink elements in the StoneGate Management Center. In most cases, a netlink element is used to represent an Internet Service Provider (ISP) connection.
However, netlinks can also represent a leased line, xDSL or any other type of network connection mediated by the firewall.
Load Balancing

Load balancing can be based on two methods: round trip time and ratio. When the round trip time method is used, netlink performance is measured for each new Transmission Control Protocol (TCP) connection by sending the initial request (SYN) to the destination through all the available netlinks. When the destination host sends the reply (SYN-ACK), the netlink that receives the reply first is used to complete the TCP connection establishment. The firewall cancels the slower connection attempts by sending a TCP Reset (RST) to the destination through the other netlinks.
This way, the fastest route is selected automatically for each connection based on the round trip time measurement. Information about the performance of each netlink is cached, so no new measurement is made if a new connection is opened to the same destination within a short time period.
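The round trip time method described above, written as an added simulation that is not part of the whitepaper or the StoneGate product: each netlink "sends a SYN" in its own thread, the first "SYN-ACK" back wins, the losers are recorded as reset, and the result is cached per destination so a second connection to the same host within the TTL triggers no new measurement. The netlink names and delays are constructed stand-ins for real link latency.

```python
import threading
import time

# Constructed per-netlink round-trip delays in seconds (assumption: a stand-in
# for the real SYN / SYN-ACK timing through each ISP link).
NETLINK_DELAY = {"isp-a": 0.15, "isp-b": 0.05, "isp-c": 0.10}
CACHE_TTL = 30.0  # seconds a measured result is reused for the same destination


class RttRace:
    """Pick the netlink whose simulated SYN-ACK arrives first; cache per destination."""

    def __init__(self, delays, ttl=CACHE_TTL):
        self.delays = delays
        self.ttl = ttl
        self.cache = {}   # destination -> (winning netlink, time of measurement)
        self.resets = []  # (destination, netlink) pairs that got a simulated RST

    def _send_syn(self, dest, link, winner, lock):
        # The sleep stands in for the SYN going out and the SYN-ACK coming back.
        time.sleep(self.delays[link])
        with lock:
            if winner[0] is None:
                winner[0] = link                  # first reply completes the handshake
            else:
                self.resets.append((dest, link))  # slower attempts are torn down with RST

    def select(self, dest, now=None):
        """Return (netlink, cache_hit) for a new connection to dest."""
        now = time.monotonic() if now is None else now
        cached = self.cache.get(dest)
        if cached and now - cached[1] < self.ttl:
            return cached[0], True                # recent measurement: no new race
        winner, lock = [None], threading.Lock()
        threads = [threading.Thread(target=self._send_syn, args=(dest, link, winner, lock))
                   for link in self.delays]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        self.cache[dest] = (winner[0], now)
        return winner[0], False
```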
Figure 1. Selecting the fastest netlink for outbound connections

There are, however, times when a ratio method may be preferred.
For example, if one ISP’s bandwidth far exceeds the other connections being used and is supplemented by smaller ISPs, a smaller ISP may return a faster SYN-ACK. While this may seem like the “fastest” connection, it does not take into account the proportionate bandwidth available. StoneGate Multi-Link can resolve this by using a ratio method. When the ratio method is used, traffic is distributed between all of the available netlinks according to the relative capacity of the links. The bandwidths of the other netlinks are automatically compared to the bandwidth of the netlink with the most bandwidth to produce a ratio for distributing the traffic. When the volume of traffic is low, the ratio of actual traffic distribution is approximate. When the volume of traffic is high, the ratio of traffic handled by each netlink is closer to the ratio calculated from the link capacity.
In the example below, standard outbound load balancing could result in using the 2 Mbps link even though the 5 Mbps link may be more efficient. Ratio-based load balancing allows Multi-Link to take the larger link(s) into consideration, making more granular and efficient use of the links available.
To test which netlinks are available, the status of the netlinks is monitored by sending Internet Control Message Protocol (ICMP) Echo Requests (ping) through each netlink. If no response is received before the end of the timeout interval defined, the netlink is considered unavailable.
Figure 3. The standby netlink is activated only if all the primary netlinks fail.
As soon as one or more primary netlinks become active again, the standby netlinks are deactivated.
Previously established connections continue to be handled by the deactivated netlink, but new connections are no longer sent to the standby netlink. Organizations can define multiple active netlinks and multiple standby netlinks.
When load balancing is used with standby netlinks, traffic is only distributed between the netlinks that are currently active. Standby netlinks are not activated to balance the load. Organizations can use expensive traffic-based links as backup links, since in an emergency situation even they become cost-effective compared to having to risk an attack.
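An added model of the ratio method together with the standby rules from the paragraphs above (example code, not from the whitepaper or the product): availability is whatever the ICMP monitoring reported for each link, standby links are eligible only when every primary has failed, and among the eligible links each new connection is assigned with a weight equal to the link’s capacity relative to the largest eligible link. The netlink table uses the 2 Mbps and 5 Mbps links from the page’s example plus a constructed 1 Mbps standby satellite link.

```python
import random

# Constructed netlink table: capacity in Mbps and role (assumption; the page's
# example mentions a 2 Mbps and a 5 Mbps link, the satellite link is invented).
NETLINKS = {
    "isp-5m": {"mbps": 5, "role": "primary"},
    "isp-2m": {"mbps": 2, "role": "primary"},
    "sat":    {"mbps": 1, "role": "standby"},
}


def active_netlinks(netlinks, alive):
    """Standby links are used only when every primary link failed its ping check."""
    primaries = [n for n, c in netlinks.items() if c["role"] == "primary" and alive[n]]
    if primaries:
        return primaries
    return [n for n, c in netlinks.items() if c["role"] == "standby" and alive[n]]


def ratio_weights(netlinks, names):
    """Weight each link relative to the largest eligible link, as the ratio method does."""
    top = max(netlinks[n]["mbps"] for n in names)
    return {n: netlinks[n]["mbps"] / top for n in names}


def choose_netlink(netlinks, alive, rng=None):
    """Pick the netlink for one new connection, or None if nothing is available."""
    rng = rng or random.Random()
    names = active_netlinks(netlinks, alive)
    if not names:
        return None
    weights = ratio_weights(netlinks, names)
    return rng.choices(names, weights=[weights[n] for n in names])[0]


def distribution(netlinks, alive, n_conns, seed=1):
    """Share of n_conns new connections each link received; a small n_conns gives
    only an approximate ratio, a large one converges on the capacity ratio."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n_conns):
        link = choose_netlink(netlinks, alive, rng)
        counts[link] = counts.get(link, 0) + 1
    return {k: v / n_conns for k, v in counts.items()}
```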
Figure 4. Email traffic can be sent over the high-latency satellite connection while the VoIP traffic is sent over the low-latency links.
Activating Outbound Multi-Link for Selected Traffic Only

Multi-Link for outbound connections is implemented with Network Address Translation (NAT) rules in the firewall policy, which makes the configuration very granular. It is not necessary for all traffic to be balanced; the decision can be made on a rule-by-rule basis using any combination of the match fields in the firewall policy.
When a NAT rule that balances outbound connections matches the traffic, only the traffic that matches the rule is balanced, and only according to the settings made for that specific rule. Organizations can share the same settings across multiple NAT rules, or they can define all outbound traffic to be balanced in the same way.
Some protocols cannot use dynamic NAT based on IP/port translation. To achieve high availability and load balancing for connections that use these protocols, organizations can use static NAT as well. When static NAT is used, the size of the source network must be the same as the size of the network used for address translation.
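The equal-size requirement for static NAT, as an added illustration that is not the product’s own code: static NAT is a one-to-one mapping, so each internal address is translated to the address at the same offset in the public network chosen for the active netlink, and a translation network of a different size is rejected before any rule is built. The internal /28 and the per-netlink public /28 ranges are constructed documentation addresses.

```python
import ipaddress

# Constructed example: one internal /28 and a same-size public /28 per ISP netlink.
INTERNAL_NET = "10.0.5.0/28"
NETLINK_NAT = {
    "isp-a": "198.51.100.0/28",
    "isp-b": "203.0.113.16/28",
}


def static_nat(source_net, translated_net, address):
    """Map address from source_net to the host at the same offset in translated_net.

    Returns None when the address is outside source_net (the rule does not match)
    and raises ValueError when the two networks are not the same size, because a
    one-to-one translation needs exactly one public address per internal host.
    """
    src = ipaddress.ip_network(source_net, strict=True)
    dst = ipaddress.ip_network(translated_net, strict=True)
    if src.version != dst.version or src.prefixlen != dst.prefixlen:
        raise ValueError(f"{src} and {dst} differ in size; static NAT needs equal networks")
    ip = ipaddress.ip_address(address)
    if ip not in src:
        return None
    offset = int(ip) - int(src.network_address)
    return str(dst.network_address + offset)


def translate(netlink, address, internal=INTERNAL_NET, nat_table=NETLINK_NAT):
    """Static NAT for the public range belonging to the netlink currently in use."""
    return static_nat(internal, nat_table[netlink], address)
```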
Inbound Traffic

The StoneGate server pool is a built-in load balancer in the firewall that can be used for distributing incoming traffic between a group of servers to balance the load efficiently and to ensure that services remain available even when a server in the pool fails. The server pool has a single external IP address that users (customers, partners and employees) can connect to, and StoneGate then uses NAT to distribute the incoming traffic to the different servers.
The server pool itself does not require the use of Multi-Link, but Multi-Link can be used to improve server pool availability by providing access to the server pool through multiple Internet connections. Organizations can also use Multi-Link with just one server in the server pool to take advantage of dynamic Domain Name System (DNS) updates, as explained in Figure 5.
When dynamic DNS updates are used, the firewall automatically updates the DNS entries based on the availability of the netlinks. When a netlink becomes unavailable, the server pool’s IP address for that link is automatically removed from the DNS entry on the external DNS server. When the netlink becomes available, the IP address is again automatically added to the DNS entry.
Figure 5. A customer connects to one of the external IP addresses given by the DNS server.
If that netlink fails, the customer can connect to the next external IP address. Optionally, dynamic DNS can be used to update the DNS entries accordingly.
VPN Traffic

Using Multi-Link enhances the reliability of VPN communications by offering any-to-any connectivity with several Internet service provider connections. Multi-Link can balance the VPN traffic between multiple network links and fail over when a link goes down. This reduces the possibility of link congestion or ISP network connectivity breaks and enables always-on connectivity.
Please note that Multi-Link is a StoneGate-specific feature supported only with StoneGate gateways at both ends. If a third-party gateway allows configuring multiple VPN tunnels between two devices, organizations can still take advantage of StoneGate Multi-Link’s benefits to the extent that the events can be controlled by StoneGate appliances.
In a Multi-Link configuration, the VPN traffic can use one of multiple alternative tunnels to reach the same destination. This ensures that even if one or more tunnels fail, the VPN service continues as long as there is at least one tunnel available.
Figure 6. Multi-Link VPN configurations utilize Internet, MPLS and leased line connections transparently.
Some tunnels can be defined as standby, like the leased line in this example.
It is also possible to define certain traffic to use a certain tunnel (or set of tunnels) by default. For example, VoIP and video conferencing could be defined to use the MPLS connection primarily but the Internet connections would still be used as a backup if the MPLS is down for any reason. Even when the fail over occurs from the MPLS to the Internet links, it is completely transparent to the users as the existing VoIP and video conferencing sessions are maintained.
VPN traffic is balanced between the tunnels based on the link availability checks on each VPN tunnel. If one of the links fails or becomes congested, the VPN traffic is routed through the other tunnels. Standby tunnels are used if all active tunnels become unavailable. Individual tunnels can be also completely disabled so that they are not used for that specific VPN under any conditions.
StoneGate VPN clients, used for example by remote workers, can also use Multi-Link. If one of the gateway’s links fails, the VPN client connects to the next available netlink.
A Proven Technology Driving Customer Successes

In today’s “always-on” world, organizations expect their connections to be available 100 percent of the time. With the goal of cost-effective, continuous connectivity in mind, many organizations have found the answer in Stonesoft’s patented Multi-Link technology built into the StoneGate Firewall/VPN solutions. Here are just a few examples of customer successes using Stonesoft’s Multi-Link technology.
· Wise Business Forms, a leading print manufacturer, implemented the StoneGate Firewall/VPN solution with Multi-Link technology to easily integrate disparate office connections and significantly improve network performance and security. The deployment enabled Wise to successfully move from a Multi-Protocol Label Switching (MPLS) connection to a combination of more cost-effective ISP connections. As a result of the superior connectivity, ease of deployment and administration, and security advancements, Wise expects to record a Return on Investment (ROI) within 16 months of implementing the StoneGate solution.
· When Canadian MedicAlert launched its online portal and electronic Personal Health Record in 2005, the organization required a solution that could ensure constant network access.
The IT staff found that Stonesoft’s Multi-Link technology could support multiple ISP failover connections and ensure fault-tolerant inbound and outbound Internet access. Stonesoft not only offered MedicAlert savings by eliminating the cost and complexities associated with a Border Gateway Protocol (BGP) setup, but it also provided a comprehensive, fully integrated security platform to meet their requirements for patient data protection.