This unit describes how ISNP device can be deployed in HA

Implementing high availability using IBM Security Network Protection v5.3
This unit describes how ISNP device can be deployed in HA networks.
© Copyright IBM Corporation 2014
1
Implementing high availability using IBM Security Network Protection v5.3
© Copyright IBM Corporation 2014
2
Implementing high availability using IBM Security Network Protection v5.3
This lessons explains different HA design configuration.
© Copyright IBM Corporation 2014
3
Implementing high availability using IBM Security Network Protection v5.3
© Copyright IBM Corporation 2014
4
Implementing high availability using IBM Security Network Protection v5.3
© Copyright IBM Corporation 2014
5
Implementing high availability using IBM Security Network Protection v5.3
In Fail Open mode network communication is not distrusted but risk of attack is increased because
there is no deep placket inspection.
© Copyright IBM Corporation 2014
6
Implementing high availability using IBM Security Network Protection v5.3
The goal is to avoid lost of network traffic, so we are talking here about network HA.
A standard configuration for High Availability (HA) is to have dual data paths.
Note that ISNP does not redirect traffic around a network problem. This is something that firewall,
router and switches do when in a HA configuration but not ISNP.
Link State Propagation and Active bypass helps in HA design.
Link State Propagation – if the link goes down on one side of the ISNP bring link down on the other
side.
Active bypass can help in non disruptive flow of the network traffic.
© Copyright IBM Corporation 2014
7
Implementing high availability using IBM Security Network Protection v5.3
Auto. The appliance selects the appropriate setting that is based on the interface mode:
In inline modes, link propagation is enabled. In monitoring mode, link propagation is disabled.
Because in the most network design, missing link indicates that other side should take some HA
action, then propagation of the failed link is the most common behavior of the appliance's interface.
© Copyright IBM Corporation 2014
8
Implementing high availability using IBM Security Network Protection v5.3
It is very common that business requires that network traffic is not cut off, if the network appliance fails.
So in a case of non-HA design, business usually accept the risk that network traffic is not inspected by
the security appliance then to shut down all network traffic including the important for the business.
© Copyright IBM Corporation 2014
9
Implementing high availability using IBM Security Network Protection v5.3
This lessons explains different HA design configuration of ISPN appliance.
© Copyright IBM Corporation 2014
10
Implementing high availability using IBM Security Network Protection v5.3
For Active/Passive:
Traffic flows on only one of the redundant network segments.
The primary device handles all traffic until one of the appliances fails, at which point traffic fails over to
the secondary appliance and it assumes control
For Active/Active:
Traffic is load balanced.
Both appliances are active and see traffic at all times
XGS has no HA performance penalty - In both configuration appliances inspect the same amount of
traffic only depends does it come from inspections or mirror ports.
© Copyright IBM Corporation 2014
11
Implementing high availability using IBM Security Network Protection v5.3
© Copyright IBM Corporation 2014
12
Implementing high availability using IBM Security Network Protection v5.3
Again, the appliance is aware of the GREEN network communication as has a copy of the past traffic.
© Copyright IBM Corporation 2014
13
Implementing high availability using IBM Security Network Protection v5.3
PAM uses a large state table to interpret protocols and view all traffic.
Without the packets and acknowledgments being seen in the same PAM state table, the table loses
accuracy.
© Copyright IBM Corporation 2014
14
Implementing high availability using IBM Security Network Protection v5.3
© Copyright IBM Corporation 2014
15
Implementing high availability using IBM Security Network Protection v5.3
This lesson explains some limitations of HA design with ISNP.
© Copyright IBM Corporation 2014
16
Implementing high availability using IBM Security Network Protection v5.3
Note: For commercial version, replace the blue callout with a graphic on LMI network graphs and a
“displays mirror and inline port traffic” label/callout.
© Copyright IBM Corporation 2014
17
Implementing high availability using IBM Security Network Protection v5.3
Note: When both appliances are configured to fail closed, it is important to apply updates serially and
maintain network connectivity.
Place HA pair appliances in the same group so that SiteProtector can synchronize the appliance
policies and updates
Licensing for an HA configuration is identical to licensing for a non-HA appliance. Each individual
appliance requests a single license from SiteProtector™.
© Copyright IBM Corporation 2014
18
Implementing high availability using IBM Security Network Protection v5.3
You can configure the ISNP appliance to create authenticated user sessions transparently when it
receives a logon event from the IBM Security Logon-event Scanner. The Logon-event Scanner scans
for Active Directory logon events and sends the events to the appliance. However the Logon-event
Scanner does not support sending events to more than one appliance. Because only one of the HA
partner appliances receives this data, user session data is not synchronized between the HA partner
appliances.
© Copyright IBM Corporation 2014
19
Implementing high availability using IBM Security Network Protection v5.3
Using browser refresh takes care for the most of the cases for HTTPS traffic.
© Copyright IBM Corporation 2014
20
Implementing high availability using IBM Security Network Protection v5.3
Some portions of the HTTPS page might fail to render during the failover process, but this failure is
corrected when you refresh the browser
© Copyright IBM Corporation 2014
21
Implementing high availability using IBM Security Network Protection v5.3
© Copyright IBM Corporation 2014
22