Sangfor SSLo Traffic Orchestration Solution: Reshape Security Architecture to Ensure Uninterrupted Business

Many businesses run into the following contradiction in their operations:

To ensure data and network security, traffic entering the data center must pass through layers of security equipment; at the same time, the business must run uninterrupted 7*24 hours, and “business first” must also be ensured in emergencies.

However, if “network security equipment failure” and “service access outage” occur at the same time in the data center, restoring business operations while still ensuring network security is very time-consuming.

Why does this happen? Let’s take a look at the current data center architecture:


The “tanghulu string” (candied-haw skewer) architecture: all network security devices are deployed at the network egress in physical or logical series, and provide services in active/standby mode. This architecture has the following main problems:

(1) Traffic flows through all security devices, resulting in large network delay

In the serial deployment architecture, user access traffic enters the data center and needs to flow through all security network devices before reaching the server business system, and each security device needs to process the traffic. The serial architecture cannot selectively skip some security devices according to the type of access, thereby increasing the overall access network latency.

(2) Slow business recovery after security equipment failure

In the traditional serial architecture, when both the primary and secondary security devices fail, external user access requests are blocked at the faulty device and the traffic cannot move forward, resulting in service interruption. Service can only be recovered by replacing the device with a higher-performance one, so network and service recovery is slow.

(3) Active/standby deployment leads to low resource utilization

Security devices are deployed in active/standby pairs. Normally, only the active security device provides security services. When the active device fails, the hot standby device takes over service traffic and provides network security capabilities. The utilization rate of equipment resources is generally less than 50%, resulting in a great waste of security equipment resources.

How to solve these problems?

To guarantee business first while improving user access speed, Sangfor brings a new approach:

Sangfor SSLo Traffic Orchestration Solution

SSLo reshapes the data center security architecture, transforming the traditional “tanghulu string” network architecture into a new security architecture with device pooling and traffic orchestration:


(1) Traffic orchestration reduces overall latency

Through architectural reconstruction, the “tanghulu string architecture” is transformed into a “daisy chain architecture”: the security device resource pool is attached alongside the SSLo device for unified scheduling. SSLo intelligently orchestrates external user access traffic based on predefined policies. By distinguishing different types of application traffic (such as HTTP services, non-HTTP services, general services, etc.), it reduces the number of device types each flow passes through and thereby reduces overall network latency.

(2) Start the escape mechanism after equipment failure

Pooled deployment reduces the possibility of collective failure of equipment. In extreme cases, when a certain type of device fails collectively, SSLo can use its ability to flexibly schedule traffic to automatically execute the bypass mechanism and actively bypass the failed security device group. A problem with a single security device no longer affects the entire network.

(3) Pooling of security equipment resources

By deploying security devices in a pooled manner, Sangfor SSLo transforms the active/standby deployment mode of security devices into a pooled cluster mode. Multiple devices can provide security capabilities at the same time, thereby doubling the performance of security groups. Improving the load capacity of each type of equipment reduces the possibility of collective failure and improves the utilization of equipment resources at the same time.

After the architecture is remodeled, even if a collective failure of security equipment threatens to block access requests, Sangfor SSLo skips the faulty equipment as quickly as possible so that business operations and customer experience are not affected.
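A minimal model of the orchestration, pooling and bypass behaviour described in points (1) to (3), added here as an illustration; it is not Sangfor code or SSLo configuration. The pool names (firewall, ips, waf), the device names and the policy table are assumptions; only the three traffic classes come from the text.

```python
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Pool:
    """One pool of same-function security devices (name -> healthy flag)."""
    name: str
    members: dict
    _rr: count = field(default_factory=count, repr=False)

    def pick(self):
        """Round-robin over healthy members; None if the whole pool is down."""
        healthy = sorted(d for d, ok in self.members.items() if ok)
        if not healthy:
            return None
        return healthy[next(self._rr) % len(healthy)]


# Hypothetical policy: traffic class -> ordered list of pools to traverse.
POLICY = {
    "http": ["firewall", "ips", "waf"],
    "non-http": ["firewall", "ips"],
    "general": ["firewall"],
}


def build_pools():
    """Constructed sample inventory: two devices per pool, all healthy."""
    return {
        "firewall": Pool("firewall", {"fw-1": True, "fw-2": True}),
        "ips": Pool("ips", {"ips-1": True, "ips-2": True}),
        "waf": Pool("waf", {"waf-1": True, "waf-2": True}),
    }


def orchestrate(traffic_class, pools, policy=POLICY):
    """Return (path, bypassed) for one flow of the given traffic class.

    path     -- devices the flow is steered through, in order
    bypassed -- pools skipped because every member was unhealthy
    """
    path, bypassed = [], []
    for pool_name in policy[traffic_class]:
        device = pools[pool_name].pick()
        if device is None:
            bypassed.append(pool_name)   # escape mechanism: skip the dead pool
        else:
            path.append(device)
    return path, bypassed
```

The `bypassed` list is the part to log and alert on: it records which inspection stage a flow reached the servers without.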

Finally, here is a summary of the “six values” that Sangfor SSLo’s new architecture brings to you:

1. SSL traffic visibility for security: eliminates security blind spots, centralizes encryption and decryption on one device, saves the encryption and decryption overhead on the security devices, and prevents SSL from being used to bypass security devices.

2. Controllable, intelligent traffic orchestration: policy-based intelligent traffic orchestration allows quick troubleshooting and saves operation and maintenance costs; security equipment under test can be launched in grayscale.

3. The overall network delay can be reduced: the traffic only flows through the necessary security devices, reducing the unnecessary loss of other devices and reducing the access delay.

4. The performance of security equipment can be expanded: the security equipment is pooled to eliminate idleness and support smooth expansion.

5. The security devices can be heterogeneous: the security devices are loosely coupled, the same type of security device can come from different brands, and the security function is no longer bound to a single manufacturer.

6. The return on investment can be improved: After resource pooling, each device can provide services and improve the utilization of equipment resources.

Ensuring business first in emergencies has become a hard requirement, especially for industries and enterprises such as finance, energy, and transportation. Once the business stops, it brings immeasurable losses to key businesses and customer experience. It is with these actual needs in mind that Sangfor AD launched the SSLo solution to safeguard your business operations.

