In today's 24x7, "always on" world, the company's data network must be as reliable as possible. Otherwise, revenue reduction and productivity losses are not only possible, but probable. This includes inline security and monitoring tools which can become a single point of failure. Security and monitoring tool survivability is often thought about in terms of fully redundant devices, especially in the case of inline deployments. However, an alternative is to implement an n+1 option for component redundancy. Load balancing provides this cost-effective alternative to full component redundancy.
Load balancing is not a new IT concept. IT engineers have been using static load balancing appliances to set up redundant network paths and survivability for several years. What is new is that a network packet broker (NPB) can perform the load balancing dynamically and provide scalable n+1 survivability in a cost-effective manner. Besides increasing survivability, load balancing performed by a dynamic device like an NPB can increase tool utilization. I'll demonstrate the concept in just a minute. The entry of the NPB allows for multiple new inline capabilities within your security architecture including:
By contrast, static load balancers have to be reconfigured every time changes are made. You also lose the dynamic nature of tool fail-over and recovery.
Okay, so let's look at an example. Suppose an enterprise has deployed up to eight IPSs for their redundant high availability solution. Four IPSs were needed to handle the traffic load and four were there for fail-over to create the high availability solution. With a bypass switch and the NPB we have been talking about, these components support heartbeat and fail-over capabilities natively within the devices. When these tools are inserted into your security solution, you can reduce the number of IPSs that you need, as you no longer need an n+n solution. You can reduce the deployment to an n+1 or maybe an n+2 solution (if you want to be really conservative). The NPB can sense the failure of an IPS through the heartbeat signaling and re-route traffic to your spare IPS appliance.
Here is a pictorial of the two options:
In addition, the spare IPS doesn't have to be a spare at all. It can be used in a load sharing situation with the other IPSs during normal operation. This means you now have five fully functioning IPS appliances. Should any one of them fail, the remaining four will handle the load. Even if a second IPS fails, the remaining load is split across the three remaining appliances. However, during an overload situation, those three devices can drop data until either the load is reduced or a fourth IPS appliance is added back into the equation.
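To make the n+1 behaviour concrete, here is an added toy model of the fail-over sequence described above. It is example code written for this article, not Ixia's or Keysight's, and the numbers are constructed assumptions: 10 Gbps of offered traffic, 3 Gbps of inspection capacity per IPS (so four are needed, five are deployed), 1000 equal flows, a 3-second heartbeat timeout, and rendezvous hashing as the flow-to-tool mapping so that a failure only moves the flows that were on the failed tool. The `tools_needed` helper reproduces the 8-versus-5 appliance count, and `scenario` walks through the first failure, the second failure with its overload drops, and the case where no tool answers at all.

```python
import hashlib
import math
from dataclasses import dataclass


@dataclass
class Tool:
    """One inline tool (an IPS in the article's example) behind the NPB."""
    name: str
    capacity_mbps: int
    healthy: bool = True


def tools_needed(offered_mbps: int, per_tool_mbps: int, spares: int) -> int:
    """Appliances to deploy: n units to carry the load plus `spares` for fail-over."""
    return math.ceil(offered_mbps / per_tool_mbps) + spares


class InlineLoadBalancer:
    """Toy model (assumed design, not a vendor implementation) of an NPB
    load-balancing inline traffic across a pool of tools."""

    def __init__(self, tools, heartbeat_timeout_s=3.0):
        self.tools = {t.name: t for t in tools}
        self.timeout = heartbeat_timeout_s
        self.last_seen = {t.name: 0.0 for t in tools}

    def heartbeat(self, name, now):
        """A tool answering the heartbeat is (re)admitted to the pool."""
        self.last_seen[name] = now
        self.tools[name].healthy = True

    def check_heartbeats(self, now):
        """Take tools with a stale heartbeat out of the pool; return healthy names."""
        for name, tool in self.tools.items():
            if now - self.last_seen[name] > self.timeout:
                tool.healthy = False
        return sorted(n for n, t in self.tools.items() if t.healthy)

    def pick_tool(self, flow_key):
        """Rendezvous (highest-random-weight) hashing: a flow goes to the healthy
        tool with the highest hash(tool, flow). When a tool fails only its own
        flows move, so stateful inspection sessions on the other tools survive."""
        best, best_score = None, -1
        for name, tool in self.tools.items():
            if not tool.healthy:
                continue
            digest = hashlib.sha256(f"{name}|{flow_key}".encode()).digest()
            score = int.from_bytes(digest[:8], "big")
            if score > best_score:
                best, best_score = name, score
        return best

    def distribute(self, flows):
        """Assign flows (key -> Mbps). Returns (assignment, load, dropped, unassigned):
        `dropped` is Mbps a tool cannot inspect because it is over capacity;
        `unassigned` is traffic with no healthy tool at all (the case a bypass
        switch would then fail open or closed on)."""
        assignment, load, unassigned = {}, {n: 0 for n in self.tools}, 0
        for key, mbps in flows.items():
            tool = self.pick_tool(key)
            if tool is None:
                unassigned += mbps
                continue
            assignment[key] = tool
            load[tool] += mbps
        dropped = {n: max(0, load[n] - t.capacity_mbps) for n, t in self.tools.items()}
        return assignment, load, dropped, unassigned


def scenario():
    """Constructed numbers: 10 Gbps offered, 3 Gbps per IPS, n+1 pool of five."""
    offered, per_ips = 10_000, 3_000
    pool = [Tool(f"ips{i}", per_ips) for i in range(1, tools_needed(offered, per_ips, 1) + 1)]
    lb = InlineLoadBalancer(pool)
    flows = {f"flow{i}": 10 for i in range(offered // 10)}   # 1000 flows of 10 Mbps
    result = {"deployed": len(pool),
              "n_plus_n": tools_needed(offered, per_ips, math.ceil(offered / per_ips))}

    for t in pool:                                   # t=0: everything healthy
        lb.heartbeat(t.name, now=0.0)
    before, *_ = lb.distribute(flows)

    for name in ("ips2", "ips3", "ips4", "ips5"):    # t=5: ips1 stops answering
        lb.heartbeat(name, now=5.0)
    result["healthy_after_first_failure"] = lb.check_heartbeats(now=5.0)
    after, load, dropped, _ = lb.distribute(flows)
    result["load_after_first_failure"] = sum(load.values())
    result["dropped_after_first_failure"] = sum(dropped.values())
    # Flows that were not on ips1 must still sit on their original tool.
    result["sessions_preserved"] = all(after[k] == v for k, v in before.items() if v != "ips1")

    for name in ("ips3", "ips4", "ips5"):            # t=10: ips2 fails as well
        lb.heartbeat(name, now=10.0)
    lb.check_heartbeats(now=10.0)
    _, _, dropped, _ = lb.distribute(flows)
    result["dropped_after_second_failure"] = sum(dropped.values())  # 3 x 3 Gbps < 10 Gbps

    lb.check_heartbeats(now=20.0)                    # t=20: no tool answers at all
    *_, unassigned = lb.distribute(flows)
    result["unassigned_with_no_tools"] = unassigned
    return result


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Two points the model makes visible that the prose only states: with three 3 Gbps tools left, at least 1 Gbps of the 10 Gbps must be dropped no matter how evenly the hash spreads the flows, and the rendezvous mapping guarantees the first failure disturbs only the failed tool's sessions. A real NPB's hashing and heartbeat mechanics differ in detail, so treat the class as an illustration of the behaviour, not of any product.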
When you look at the economics of this use case, you can actually save money—maybe up to 50%. The cost of the bypass switch and NPB is typically less than one IPS. If you can save the cost of two or three IPSs, then you have the extra cash you need to purchase additional tools (maybe a WAF, a threat analysis tool or some forensic tools). The net result is that you can buy MORE equipment with the SAME monetary investment.
If you want more information on this topic, you can look at the Ixia Solution Brief on load balancing and Definitive Guide to Visibility Use Cases ebook.
Thank you to Keith Bromley of Ixia, a Keysight Business, for the article.