Keith Bromley
Sr. Manager, Product Marketing at Ixia

The Best Way To Optimize Load Balancing for Inline Security Appliances

April 24, 2019 by Keith Bromley

In today’s 24x7, “always on” world, the company’s data network must be as reliable as possible. Otherwise, revenue reduction and productivity losses are not only possible, but probable. This includes inline security and monitoring tools which can become a single point of failure. Security and monitoring tool survivability is often thought about in terms of fully redundant devices, especially in the case of inline deployments. However, an alternative is to implement an n+1 option for component redundancy. Load balancing provides this cost-effective alternative to full component redundancy.

Load balancing is not a new IT concept. IT engineers have been using static load balancing appliances to set up redundant network paths and survivability for several years. However, what is new is that a network packet broker (NPB) can be used to dynamically perform the load balancing and provide scalable n+1 survivability in a cost-effective manner. Besides increasing survivability, load balancing performed by a dynamic device like an NPB can increase tool utilization. I’ll demonstrate the concept in just a minute.

First, what is load balancing specifically? Load balancing is the ability of a device to take incoming traffic and spread that traffic across multiple output ports. For instance, incoming traffic at 40 Gbps could be distributed to either one 40 Gbps device, two 20 Gbps device, four 10 Gbps device, or some other combination of devices to process the required data. This has very tangible and valuable benefits when deployed in an inline monitoring scenario.

Just to be clear, let’s perform a level set on inline security as well? As the name implies, inline security capabilities are created by taking your security tools and inserting them into the core flow of data across your network. The data MUST pass through the tool(s) before continuing downstream. Firewalls are one example of this technology. They are placed at the entry into the network to allow or deny traffic that is specified in the access list, i.e. known bad IP addresses, company specified bad IP addresses, etc. Security tools like an intrusion protection system (IPS), web application firewall (WAF), next generation firewall (NGFW), SSL/TLS decryption, and forensic tools, can be inserted inline as well.

Once a packet broker is inserted into the network, it provides the capability to aggregate, filter, deduplicate, load balance, decrypt SSL/TLS traffic, and provide serialization of the security tools. Inline versions of NPBs also contain heartbeat and fail-over capabilities to properly handle data continuity and high availability situations. The main purpose here is to optimize the flow of data going to the security tools.

The entry of the NPB allows for multiple new inline capabilities within your security architecture including:

  • Improved uptime
  • Extensive fail-over options 
  • Cost savings resulting from load balancing across multiple tools
  • Built-in recovery options

By contrast, static load balancers have to be reconfigured every time changes are made. You also lose the dynamic nature of tool fail-over and recovery.

Okay, so let’s look at an example. Suppose an enterprise has deployed up to eight IPSs for their redundant high availability solution. Four IPSs were needed to handle the traffic load and four were there for fail-over to create the high availability solution. With a bypass switch and the NPB we have been talking about, these components support heartbeat and fail-over capabilities natively within the devices. When these tools are inserted into your security solution, you can reduce the amount of IPSs that you need, as you no longer need an n+n solution. You can lower the equipment to an n+1 or maybe an n+2 solution (if you want to be really conservative). The NPB can sense the failure of an IPS with the heartbeat signaling and re-route traffic to your spare IPS appliance.

Here is a pictorial of the two options:

Redundancy vs load balancing

In addition, the spare IPS doesn’t have to be a spare at all. It can be used in a load sharing situation with the other IPSs during normal operation. This means you now have five fully functioning IPS appliance. Should anyone of them fail, the remaining four will handle the load. Even if a second IPS fails, the remaining load is split across the three remaining appliances. However, during an overload situation, those three devices can drop data until either the load is reduced or a fourth IPS appliance is added back into the equation.

n+1 load balancing

When you look at the economics of this use case, you can actually save money—maybe up to 50%. The cost of the bypass switch and NPB is typically less than one IPS. If you can save the cost of two or three IPSs, then you have the extra cash you need to purchase additional tools (maybe a WAF, a threat analysis tool or some forensic tools). The net result is that you can buy MORE equipment with the SAME monetary investment.

If you want more information on this topic, you can look at the Ixia Solution Brief on load balancing and Definitive Guide to Visibility Use Cases ebook.