Foundry extends server, security pack

By Phil Hochmuth
Network World, 09/10/01

ATLANTA - Upcoming software from Foundry Networks could help customers better manage firewalls and Web servers in the event of unexpected or seasonal surges in Web traffic. The software will also stop common denial-of-service attacks at a Foundry load-balancing switch before the attack can affect Web servers or firewalls.

Set to be unveiled at NetWorld+Interop 2001 in Atlanta this week, the latest version of Foundry's ServerIron IronWare switch software can be applied to Foundry's chassis-based ServerIron 400 and 800 boxes, which are aimed at large-scale Web server farms or consolidated enterprise data centers. The ServerIron supports up to 24 Gigabit Ethernet ports and 128G bit/sec of capacity, while the ServerIron 800 maxes out at 56 Gigabit ports and 256G bit/sec of capacity.

A company's Web server administrator could use the Symmetric Server Load Balancing (SSLB) feature in the software to double a the load-balancing capacity in a server farm while making failover between switches more reliable. This is done by having both switches actively balance traffic among multiple servers. ServerIron boxes configured in this "active/active" method can handle a failure in milliseconds instead of seconds. Today, many customers deploy one load-balancing switch and an inactive back-up switch for fail-over protection.

An IronWare feature called Active Square firewall load balancing now lets load balancers share active session information and pass incoming and outgoing traffic through different firewalls. This can double the throughput of firewall packet inspection in a network, the company says.

The IronWare release will also include security features, such as SYN Guard, for cutting off DoS attacks at the switch, instead of a firewall. Also included is a connection rate-limiting feature for capping the number of sessions a firewall or Web server can accept to avoid device overload and failure - such as increased e-commerce traffic at Christmas or spiking traffic to an accounting server during a businesses' end-of-quarter finance closings.

SYN Guard expands on the SYN Defense feature of previous IronWare versions, which let a ServerIron monitor synchronization (SYN) packets from an incoming client request. SYN packets are sent by a networked device to initiate a TCP/IP transaction with another machine. A commonly used DoS tactic is to deluge a Web server with SYN request packets that the server cannot answer.

A ServerIron using SYN Defense can identify SYN packets sent from a client that are not followed up by an acknowledgement packet from the sender - necessary for a TCP/IP handshake to occur. The switch would then tell the server to drop the requests.

SYN Guard goes further by acting as a proxy for a Web server, requiring that the entire TCP/IP handshake occur between the switch and a client before letting the connection be processed by the server. The switch monitors for unfulfilled SYN packets, Foundry says, ensuring that a server is shielded from SYN flood attacks - even distributed denial-of-service attacks, which could have overwhelmed sites using SYN Defense.

Foundry's ServerIron switches compete with products such as Cisco's Content Service Switch product line and Nortel's line of Alteon Web switches, as well as products from CacheFlow, Extreme Networks, Infolibria and Top Layer. The IronWare software for the ServerIron 400 and 800 switches is available now as a free download for IronWare users with an active support contract.