Security-Related Two-Tier Load Balancing

The Challenge

A complex campus network with hundreds of terminals, server farms and several internet uplinks had to be monitored, with the traffic then fed to several different security solutions.

The challenge was the complex routing caused by the several uplinks, several internet applications, an intranet cloud, VPN connections to other sites and more. As a result, a single session may take different paths to communicate with the outside world. For instance, the CRM solution was hosted on site while the authentication server was hosted in the cloud. A simple aggregation on a per-port basis was therefore not sufficient to monitor the full session.

The Technical Solution From Cubro

Cubro offered a two-tier load-balancing concept based on the EXA32100A and EXA48600. In the first stage, Cubro identifies the challenges the customer faces and provides the right solution. In this case, the asymmetric traffic was the major issue; Cubro solved it by developing a learning load-balancing mechanism. Developing this mechanism was possible because the EXA32100 has a high-performance host controller. The units constantly learn all network relations, and based on this information the asymmetric traffic challenge could be solved. In addition, the advanced network packet broker can remove several MPLS, VLAN and VXLAN tags to make the traffic readable for DPI, IDS and flow-monitoring tools.
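The tag removal mentioned above is what lets a probe see the original packet instead of a tunnelled or tagged one. The following is an added illustration, not Cubro's firmware or any code from the case described: a small Python decapsulator that pops stacked 802.1Q/QinQ tags, an MPLS label stack and VXLAN (UDP/4789) encapsulation and returns the innermost IP packet. The two sample frames are constructed inline, not captured traffic; the IPv4 checksum is left at zero because nothing here validates it, and the MPLS payload type is inferred from the IP version nibble since MPLS carries no ethertype.

```python
from __future__ import annotations
import struct

# Ethertypes and ports used by the decapsulation logic (IEEE/IANA-assigned values)
ETHERTYPE_VLAN = {0x8100, 0x88A8}   # 802.1Q and 802.1ad (QinQ)
ETHERTYPE_MPLS = {0x8847, 0x8848}   # MPLS unicast / multicast
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
VXLAN_UDP_PORT = 4789


def strip_encapsulation(frame: bytes) -> tuple[int, bytes]:
    """Return (ethertype, packet) for the innermost L3 packet in an Ethernet
    frame after popping 802.1Q/QinQ tags, an MPLS label stack and VXLAN."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    # Pop any number of stacked VLAN tags (4 bytes each: TCI + next ethertype).
    while ethertype in ETHERTYPE_VLAN:
        ethertype = struct.unpack_from("!H", frame, offset + 2)[0]
        offset += 4
    # Pop the MPLS label stack; the S bit (0x100) marks the bottom entry.
    # MPLS carries no ethertype, so the payload type is read from the IP version nibble.
    if ethertype in ETHERTYPE_MPLS:
        bottom = False
        while not bottom:
            bottom = bool(struct.unpack_from("!I", frame, offset)[0] & 0x100)
            offset += 4
        ethertype = ETHERTYPE_IPV4 if frame[offset] >> 4 == 4 else ETHERTYPE_IPV6
    # VXLAN: IPv4/UDP to port 4789 carries a complete inner Ethernet frame, so
    # recurse on it after skipping the UDP (8 bytes) and VXLAN (8 bytes) headers.
    if ethertype == ETHERTYPE_IPV4:
        ihl = (frame[offset] & 0x0F) * 4
        if frame[offset + 9] == 17:  # IPv4 protocol field: UDP
            udp = offset + ihl
            if struct.unpack_from("!H", frame, udp + 2)[0] == VXLAN_UDP_PORT:
                return strip_encapsulation(frame[udp + 16:])
    return ethertype, frame[offset:]


# --- constructed sample frames (not captured traffic) -------------------------

def _ipv4(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    # Minimal 20-byte IPv4 header; checksum left at zero since nothing validates it here.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


_TCP = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)  # 20-byte SYN
INNER_PACKET = _ipv4(bytes([10, 1, 1, 5]), bytes([10, 2, 2, 9]), 6, len(_TCP)) + _TCP
_inner_frame = struct.pack("!6s6sH", b"\x02" * 6, b"\x02" * 5 + b"\x01", ETHERTYPE_IPV4) + INNER_PACKET

# VLAN 100 + IPv4 + UDP/4789 + VXLAN (VNI 5000) + inner Ethernet frame
_vxlan = struct.pack("!BBHI", 0x08, 0, 0, 5000 << 8)
_udp = struct.pack("!HHHH", 50000, VXLAN_UDP_PORT, 8 + len(_vxlan) + len(_inner_frame), 0)
_outer_ip = _ipv4(bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]), 17,
                  len(_udp) + len(_vxlan) + len(_inner_frame))
SAMPLE_VXLAN_FRAME = (struct.pack("!6s6sH", b"\x04" * 6, b"\x04" * 5 + b"\x01", 0x8100)
                      + struct.pack("!HH", 100, ETHERTYPE_IPV4)
                      + _outer_ip + _udp + _vxlan + _inner_frame)

# Two-label MPLS stack (labels 100 and 200, S bit on the second) over the same IPv4/TCP packet
_labels = struct.pack("!II", (100 << 12) | 64, (200 << 12) | 0x100 | 64)
SAMPLE_MPLS_FRAME = struct.pack("!6s6sH", b"\x04" * 6, b"\x04" * 5 + b"\x01", 0x8847) + _labels + INNER_PACKET


if __name__ == "__main__":
    for name, frame in (("VXLAN", SAMPLE_VXLAN_FRAME), ("MPLS", SAMPLE_MPLS_FRAME)):
        ethertype, packet = strip_encapsulation(frame)
        print(f"{name}: {len(frame)} bytes in -> ethertype 0x{ethertype:04x}, {len(packet)} bytes out")
```

Both sample frames decapsulate to the same 40-byte IPv4/TCP packet, which is exactly what a DPI or IDS engine needs to see to classify the session; a probe that received the raw tagged or tunnelled frame would instead have to understand every encapsulation the network uses.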

In the second stage, we used 16 EXA48600 units as outputs. Each of the 6 EXA32100 units was connected to each EXA48600.

HOLD ON; YOU DON'T HAVE ENOUGH PORTS! That is true for some other visibility vendors but not for Cubro, because we can use input and output separately. We can feed 16 links / 32 ports into the unit and still have 32 optical outputs to forward the traffic to the second stage.

In order to handle traffic coming from different sources, you need several rules, and Cubro offers up to 4000 rules per unit. In the second stage, the user can perform a “simple” layer 4 dual-stack (IPv4 and IPv6) session-aware load balancing.

Session-aware load balancing is useful only if a session stays on the same probe permanently. This is possible with the Cubro monitoring load-balancing application, which is a unique feature of Cubro products. It works differently from standard switch load balancing.

Conventional hash-based load balancing is designed for live traffic. Therefore, it cannot assure that every hash value has a deterministic port relation. This means the load balancing is session-aware, but a session is not necessarily forwarded to the same port. In particular, when a session stops for a while, it can happen that after restarting the session lands on another port. This is bad for monitoring because the traffic then arrives at another probe. We at Cubro don't do that: our hash has a deterministic port relation!
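To make the difference concrete, here is an added Python example (not Cubro's implementation, and not code from the case above) contrasting the two approaches described in the last three paragraphs. `hash_probe` is a stateless, direction-independent mapping: the 5-tuple is canonicalised by sorting the two endpoints, hashed, and reduced modulo the probe count, so request, reply and a session that resumes after any idle period all land on the same probe, for IPv4 and IPv6 alike. `FlowTableBalancer` models the switch-style behaviour the text warns about: new flows are assigned round-robin and remembered in a flow table whose idle entries age out, so a resumed session is treated as new and can move. The hash function (blake2b), the round-robin flow-table model and all addresses are assumptions chosen for illustration; real hardware typically uses a CRC.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a layer-4 session (IPv4 or IPv6 address strings)."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int

    def reverse(self) -> "Flow":
        return Flow(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


def canonical_key(flow: Flow) -> bytes:
    """5-tuple with the two endpoints sorted, so request and reply share one key."""
    ends = sorted([
        (ipaddress.ip_address(flow.src_ip).packed, flow.src_port),
        (ipaddress.ip_address(flow.dst_ip).packed, flow.dst_port),
    ])
    return b"".join(ip + port.to_bytes(2, "big") for ip, port in ends) + bytes([flow.proto])


def hash_probe(flow: Flow, n_probes: int) -> int:
    """Stateless, deterministic mapping: the probe is a pure function of the
    canonical 5-tuple, hence identical for both directions and at any time.
    blake2b is an illustrative choice; hardware typically uses a CRC."""
    digest = hashlib.blake2b(canonical_key(flow), digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_probes


class FlowTableBalancer:
    """Switch-style stateful balancer (assumed model): a new flow takes the next
    output round-robin and is remembered in a flow table; idle entries age out,
    so a session that resumes after the timeout is treated as new."""

    def __init__(self, n_probes: int, idle_timeout: float):
        self.n_probes = n_probes
        self.idle_timeout = idle_timeout
        self.table = {}      # canonical key -> (probe, last_seen)
        self.next_probe = 0

    def probe_for(self, flow: Flow, now: float) -> int:
        key = canonical_key(flow)
        entry = self.table.get(key)
        if entry is not None and now - entry[1] <= self.idle_timeout:
            self.table[key] = (entry[0], now)   # refresh the idle timer
            return entry[0]
        probe = self.next_probe % self.n_probes  # new or expired flow: take next output
        self.next_probe += 1
        self.table[key] = (probe, now)
        return probe


if __name__ == "__main__":
    # Constructed sample sessions using documentation address ranges.
    crm = Flow("10.1.1.5", "203.0.113.10", 6, 40000, 443)
    auth = Flow("2001:db8::1", "2001:db8::2", 6, 40001, 443)
    n = 16  # one output per EXA48600 in the case described above
    print("hash, both directions:", hash_probe(crm, n), hash_probe(crm.reverse(), n),
          hash_probe(auth, n), hash_probe(auth.reverse(), n))
    table = FlowTableBalancer(2, idle_timeout=30)
    first = table.probe_for(crm, now=0)
    table.probe_for(Flow("10.1.1.6", "203.0.113.10", 6, 40002, 443), now=1)
    table.probe_for(Flow("10.1.1.7", "203.0.113.10", 6, 40003, 443), now=2)
    resumed = table.probe_for(crm, now=100)  # idle longer than 30 s, reassigned
    print("flow table, before/after idle:", first, "->", resumed)
```

With the flow-table model the CRM session starts on probe 0 and, after pausing longer than the idle timeout while two other sessions were admitted, resumes on probe 1: exactly the "traffic is on another probe" failure mode the text describes. The stateless hash never changes its answer, which is the property a monitoring load balancer needs; its cost is that the output distribution depends only on the hash, not on current probe load.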