Barracuda Load Balancer ADC BT 240 Market Overview Market Requirements Horizontally scale application server Extend life of existing application farm Protect against application layer attacks Need to rapidly deploy application Introducing the Barracuda Load Balancer ADC Acceleration Availability Security Control Features and Benefits Availability Features Load Balancing Health Check Persistency Scheduling GSLB Load Balancing Common Applications Deployed Internet sites / Intranet Sites Hosted applications Other IP services Real Server Monitoring Server Monitoring Last Resort Server Application Layer Health Check 9 Load Balancing Algorithms How traffic is divided among servers Default Scheduling Policy Adaptive Schedule Methods Default Scheduling Policies Round Robin / Weighted Round Robin Least Requests 100 80 Adaptive Scheduling Policy Automatically assigns weights based on CPU being utilized on the server Terminal Session Global Server Load Balancing (GSLB) Direct traffic to multiple data centers using DNS resolution User can be directed to a data center site based on Health Checks between two sites Redundant GSLBs possible Persistency What is Persistency ? Different methods of doing Persistency GLBS and DNS Application Control Content Rules / L7 Routing Instant SSL Web Translation Content Based Rules Layer 7 Rules to route traffic to different server based on headers Dynamic pages bn.com/php/* Examples Graphics bn.com/images/* Documents • • • bn.com/docs/* Send application traffic to database servers Send requests for images to another server Send requests for documents to another server Content Rewrite Instant SSL Web Translation Application Acceleration Caching Compression SSL Offloading HTTP Caching and Compression Caching Compression SSL Encryption and Decryption HTTP SSL SSL HTTP Network Security Network Security Capabilities Layer 4 Firewall Configure layer 4 ACL’s based on IP, Ports and Protocols. Network Address Translation Ability to configure a Source NAT rule for the backend servers to communicate outbound. VLAN Supports 802.1Q Vlan port trunking Routes Configure static routes on the box Geo Location Based ACL’s Allow requests only from certain Geographic location Block requests based on a Geographic location Link Bonding Link Bonding : Ability to bond multiple links Round Robin Active- Backup Dynamic Link Aggregation Application Security Layer 7 Web Application Firewall Inbound inspection (protect against layer 7 attacks) Outbound inspection (protect against data theft) Inspect Application Layer Data Deep Packet Inspection Data Theft Protection IP Address User TCP port Traditional Firewalls focus here Denial of service (DoS) Distributed DoS SYN flood Ping of death TCP session hijacking Packet fragmentation HTTP header Cookie URL Form data Web Application Firewalls start here SQL injection AV Protection Cross site scripting Data Theft Protection Buffer overflow Credit Cards, SSN, Web worms Sensitive Information Cookie Poisoning Session Hijacking Forceful browsing Parameter tampering Web Apps OWASP Top 10 Attacks Protection Against OWASP Top 10 Attacks A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection A10: Unvalidated Redirects and Forwards Distributed Denial Of Service Attacks Bandwidth Based DDOS Geo-IP based protection Resource based DDOS Slow Loris and Pyloris A low bandwidth attack tool that focuses the attack on resource than bandwidth Plug & Play Deployment & Management Level of Customization High Custom & Positive Security Medium Template-Based Security Low Default Security Manageability High Availability Active-Passive Pair Manual or automatic failback Online Demonstrations Demo site http://demo.barracuda.com Open to the public Vital Demonstration Pages Availability Status Services Server Health Security Network Security Network Firewall NAT’s Acceleration Caching and Compression GSLB Control Content Based Routing Web Address Translation Application Security Security Policy Advance security Internal patterns Sizing and Product Selection Model Comparison By Capacity Model 240 340 440 640 840 2 x 10/100 2 x Gb 2x Gb 8x Gb 2x 10 Gb Cu Max. Throughput (Mbps) 95 950 950 5 Gbps 10 Gbps Real Server Support 10 35 50 250 ? - 150 200 15000 ? Ethernet SSL Offloading/ Acceleration (TPS) 8x 1 Gb Cu 2x 10Gb Cu 2x10 Gb SFP Optional Networking Modules Available on 640 and 840 Virtual Appliances Available Feature Differences All Models Layer 4 Load Balancing Barracuda Load Balancer ADC 340 and higher High Availability VLAN Layer 7 Load Balancing SSL offloading Content based routing Feature Differences Barracuda Load Balancer ADC 440 and higher Programming Interface/API Global Server Load Balancing HTTP Compression Content Caching Barracuda Load Balancer ADC 640 and higher Application Security Subscription Multi port option & optional networking modules Frequently Asked Questions F.A.Q Does the Barracuda Load Balancer ADC balance traffic load across WAN links? No. The Load Balancer balances traffic sent to servers. The Barracuda Link Balancer balances traffic across links. F.A.Q. Can’t I just use DNS to load balance my applications? DNS does not provide health checking or failure detection DNS only provides round-robin scheduling policy Ineﬃcient for most applications DNS does not necessarily provide user session persistence F.A.Q. Can I load balance SSL traffic with persistence without having to decrypt it on the Barracuda Load Balancer ADC? Yes It is not necessary to decrypt packets when load balancing SSL traffic. SSL Offloading is possible but not mandatory Layer 4 IP persistence can be used Layer 7 Cookie, HTTP Header or URL based persistence is not possible without decryption *Functionality lost Deep packet inspection on HTTPS traffic cannot be accomplished without decrypting the traffic. F.A.Q. How does the Barracuda Load Balancer ADC handle Layer 7 persistence (cookies)? If an application creates its own cookie, specify the cookie name in the Load Balancer configuration All traffic with cookie will be directed to the same server If a cookie does not already exist, the Barracuda Load Balancer creates and inserts a unique cookie for a new client When the client returns cookie in responses, the Load Balancer will direct all these responses to the same server F.A.Q Can the Application Security module do a Deep packet inspection for SMTP traffic and protecting against Spams. No, the Application Security Modules does a deep packet inspection on web traffic (HTTP / HTTPS) and FTP traffic. For protection against SPAM on your SMTP server you will required a Barracuda Spam and Virus Firewall. F.A.Q Can the Application security module protect my SOAP application ? No, the XML Firewall currently is not available in the Application Subscription modules. Barracuda does have a Web Application Firewall that has a XML Firewall built in. More information Web site http://www.barracuda.com/loadbalancer Customer case studies White papers Demo walk through Documentation Demo page http://adc.barracuda.com Next Steps Take the BT240 test Listen in upcoming demo Introduce the products to Resellers/ VAR’s Make Your Quota! Thank You