A server farm is a physical location having a scalable infrastructure and facilities and resources enabling users connected to the Internet network to easily access a number of services provided by a plurality of customers hosted by the server farm. Generally, the resources are located in premises owned by a data processing equipment provider such as the IBM Corporation.
Most server farms are used today to host Internet related devices (for example WEB servers) of several customers. The architecture of such a server farm includes a local network to which are connected the customer cabinets and an Internet front-end connecting this local network to the Internet. Such a local network includes different layers of components such as switches and firewalls through which requests from the users connected to the Internet are routed towards the customer cabinets.
The firewalls are intermediary devices between the local network and the front-end. They are connected by a LAN to an Internet Access Router (IAR) which may be directly connected to the Internet network. For redundancy, there are two firewalls connected to the IAR, a primary firewall and a secondary firewall. At a given time, all communications are established through the primary firewall. If the primary firewall fails, the secondary firewall becomes the primary firewall and all the communications pass through it.
The firewalls present all the characteristics of a router with the addition of security filtering features known as firewall rules. Firewalls also have the capability to inspect IP packets and track the state of sessions going through the firewall and established between any two devices separated by this firewall. This overall process, known as “Stateful Inspection”, consists in checking that every backward connection is associated with an existing forward connection and in following the state of a connection so that only packets that are at the right sequence level of the connection are allowed to proceed. This means that, if a connection is established from an end user to a WEB server (forward path) through a first firewall, all the responses coming from the WEB server to the end user (reverse path) will have to go through this same firewall. If any firewall receives a reverse path frame without having received the corresponding forward path frame, it will drop the reverse path frame. If any firewall receives a data packet while the session is still only in the connecting state, the firewall will drop the data packet.
In the local network, a protocol such as the Virtual Route Routing Protocol (VRRP) is used between the firewalls. VRRP allows the customer WEB servers to see the redundant firewalls as a single virtual firewall. At any instant, only one firewall really owns the virtual firewall function, based on the availability of the firewall interfaces or on static priorities associated with them by configuration. The individual interface having the highest priority is the one elected to own the virtual firewall interface. The associated firewall acts as the virtual firewall until it fails or until another interface with a higher priority appears. A first firewall can own the virtual firewall function for a subset of the customer servers while the other firewall can own this role for another set of customers. In other words, this first firewall, or primary interface firewall, owns the primary interface of the VRRP group of interfaces to each one of these customer servers.
As at least two firewalls connect the local network to the Internet, each one of the customer WEB servers may be reached by at least two different paths, one going through each of the firewalls. Because of the Stateful Inspection mode in the firewalls, what is known as “symmetrical routing” is required, meaning that the forward path of a connection must be identical to the reverse path.
Such a communication system, however, has to meet two requirements. The first requirement is to allow different customer servers to communicate between themselves. This means that all customer servers should be configured with the same primary interface firewall in order to provide symmetrical routing, all the customer servers being switched over to the secondary interface firewall in case of firewall failure.
The second requirement is to allow the use of both firewalls at the same time rather than only one at a time, for better use of the resources and for higher availability. In view of the first requirement of symmetrical routing for the customer servers communicating together, the second requirement is not met, insofar as two communicating customer servers must use the same firewall at the same time to prevent the frames on the reverse path from being dropped.
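The following simulation is an added illustration of the two drop rules of Stateful Inspection and of the symmetrical routing conflict described above; it is not code from the original description or from any product. Two simulated firewalls each keep their own session table, and a VRRP-style election (highest priority among available interfaces) decides which firewall a given customer server sends through. The server names, priorities and the three-step session (connect, reply, data) are constructed for the example.

```python
"""Two stateful firewalls in front of customer servers, with a VRRP-style
owner election per server. Added example; all names and values are assumed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str  # "syn" (connecting), "syn_ack" (reverse-path reply), "data"


class StatefulFirewall:
    """Session table keyed by (initiator, responder); state is
    'connecting' after the forward SYN and 'established' after the reply."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}
        self.dropped = []  # (packet, reason) for every frame this firewall dropped

    def inspect(self, pkt):
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.kind == "syn":
            # forward path: a new connection is recorded in the connecting state
            self.sessions[fwd] = "connecting"
            return True
        if pkt.kind == "syn_ack":
            # reverse path: must match a forward connection seen by THIS firewall
            if rev not in self.sessions:
                self.dropped.append((pkt, "no forward connection"))
                return False
            self.sessions[rev] = "established"
            return True
        if pkt.kind == "data":
            key = fwd if fwd in self.sessions else rev if rev in self.sessions else None
            if key is None:
                self.dropped.append((pkt, "no connection"))
                return False
            if self.sessions[key] != "established":
                # data while the session is only connecting is out of sequence
                self.dropped.append((pkt, "session still connecting"))
                return False
            return True
        raise ValueError(f"unknown packet kind {pkt.kind}")


def elect_owner(candidates):
    """VRRP-style election: among available interfaces (up == True),
    the highest static priority owns the virtual firewall interface."""
    available = [(prio, fw) for fw, prio, up in candidates if up]
    if not available:
        raise RuntimeError("no firewall interface available")
    return max(available)[1]


class ServerFarm:
    def __init__(self, vrrp):
        # vrrp: server -> list of (firewall name, priority, interface up?)
        self.vrrp = vrrp
        self.fw = {"FW1": StatefulFirewall("FW1"), "FW2": StatefulFirewall("FW2")}

    def owner(self, server):
        return self.fw[elect_owner(self.vrrp[server])]

    def send(self, pkt):
        # a frame leaves its sender through the firewall owning that sender's
        # virtual interface; the receiving side answers through its own owner
        return self.owner(pkt.src).inspect(pkt)

    def exchange(self, a, b):
        """Connect a->b, reply b->a, then data a->b; returns the three verdicts."""
        return (self.send(Packet(a, b, "syn")),
                self.send(Packet(b, a, "syn_ack")),
                self.send(Packet(a, b, "data")))


if __name__ == "__main__":
    same = {"A": [("FW1", 200, True), ("FW2", 100, True)],
            "B": [("FW1", 200, True), ("FW2", 100, True)]}
    split = {"A": [("FW1", 200, True), ("FW2", 100, True)],
             "B": [("FW1", 100, True), ("FW2", 200, True)]}
    print("same primary firewall :", ServerFarm(same).exchange("A", "B"))
    farm = ServerFarm(split)
    print("split across firewalls:", farm.exchange("A", "B"))
    for fw in farm.fw.values():
        for pkt, reason in fw.dropped:
            print(f"  {fw.name} dropped {pkt.kind} {pkt.src}->{pkt.dst}: {reason}")
```

With both servers owned by FW1 every frame is accepted. When A is owned by FW1 and B by FW2 (the configuration the second requirement would like to allow), B's reply reaches FW2 without a forward connection and is dropped, and A's data frame then reaches FW1 while the session is still connecting and is dropped too; this is the conflict the last paragraph describes. Marking FW1's interfaces as down makes the election move both servers to FW2, which restores symmetrical routing through a single firewall.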