1. Field of the Invention
The present invention relates generally to computer networking and, in particular, to a system that performs clustering of firewalls in multiple network servers.
2. Discussion of Related Art
Increasing numbers of companies are conducting transactions and building relationships online, with consumers and business partners in a phenomenon called “e-business.”
E-business is the use of Internet-based technologies to improve communications with customers and information exchange with business partners, and to increase sales. Web sites, electronic commerce, intranets, and extranets are all examples of e-business entities. Many Web, DNS, proxy, FTP, firewall, and application-server services are needed in any of these environments. If any of these services fails or responds slowly, the entire system suffers. Downtime in today's highly competitive marketplace can mean lost revenue and lost credibility.
Adding more memory or substituting a larger server can expand the capacity of an e-business entity, such as a Web site. In either case, expansion requires downtime and an additional capital expenditure. In conventional systems, the only way to supply reliable capacity for rapidly increasing demand is to purchase computing power far beyond current needs. Then, once demand exceeds the purchased computing power, the entire computer must be replaced and the purchase cycle repeated. This conventional practice is highly inefficient, wasteful of operating expenses, and inadequate for meeting customer needs.
One technique for improving the reliability and responsiveness of Internet sites is the use of server clusters. A server cluster is an array of servers that share common tasks while appearing to external devices as a single resource. In a cluster, each server carries a share of the load that a single large server would traditionally handle alone. A user accesses a cluster in the same manner as a single server.
One type of server that can be arranged in a cluster is the proxy server of a firewall. The proxy server is the component of a firewall that controls internal users' access to the outside world, for example the Internet, and Internet users' access to an internal network. In some cases, the proxy server blocks all outside-initiated connections and allows only internal users to access the Internet; the only packets allowed back through the proxy server are those returning responses to requests from inside the firewall. In other cases, both inbound and outbound traffic is allowed under strictly controlled conditions.
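The outbound-only proxy behaviour described above, modelled as an added example (this is not code from the patent): internal hosts may open connections outward, and the only inbound packets accepted are replies to connections the inside opened. The addresses, ports and the `ProxyFirewall`/`Packet` names are constructed for the illustration.

```python
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."      # constructed: inside hosts are 10.0.0.x

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class ProxyFirewall:
    """Outbound-only policy: inside hosts may open connections; the only
    inbound packets accepted are replies to those connections."""

    def __init__(self):
        self.sessions = set()   # 4-tuples of connections opened from inside

    def outbound(self, pkt):
        """Inside -> outside. Allowed only if the source really is internal."""
        if not pkt.src.startswith(INTERNAL_NET):
            return False        # an outside host cannot originate traffic
        self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt):
        """Outside -> inside. Allowed only as the reverse of a recorded session."""
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def demo():
    """Constructed traffic: one legitimate request/reply pair plus two
    inbound packets that must be dropped."""
    fw = ProxyFirewall()
    request = Packet("10.0.0.5", 40000, "203.0.113.10", 80)
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 40000)
    unsolicited = Packet("203.0.113.99", 4444, "10.0.0.5", 22)
    forged = Packet("198.51.100.7", 80, "10.0.0.5", 40000)  # right port, wrong peer
    return (fw.outbound(request), fw.inbound(reply),
            fw.inbound(unsolicited), fw.inbound(forged))
```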
Clusters improve both reliability and scalability of operation in comparison to single-server operation. Redundant servers in a cluster provide tolerance to system failures.
Several basic approaches to Internet server clustering and load balancing are presently available. One approach is the use of software executing on one or more servers to create clusters of Internet servers. These clusters are peer-to-peer, with no arbitrator or manager. According to measurements with benchmarking tools, software-based cluster performance is generally poor, since servers in the cluster must devote significant computing power to managing the cluster. In addition, communication among the servers for cluster management and resource arbitration adds a large volume of data to the network connecting the servers.
A second approach is the use of “load balancing” software executing on special-purpose industrial PCs. The PC executing the load balancing software advertises its own Internet Protocol (IP) address as the address of the cluster of Internet servers. As network traffic is received, the load balancing system uses Network Address Translation (NAT) to modify each packet, changing the destination address from the PC's IP address to the actual address of the server that is to receive the traffic. The server responds to the request, and the PC load balancing software again uses NAT to modify the source (“From”) address of each reply packet, so that the packets appear to have been sent by the PC load balancer. PC load balancers are restricted to applications that use TCP/IP (Transmission Control Protocol/Internet Protocol), effectively limiting them to Web servers, firewall servers, and proxy servers. These TCP/IP products usually become a bottleneck for traffic into and out of the cluster, slowing overall performance. NAT requires that the body of each packet be available to the processor, so a cluster based on a PC load balancer cannot be used when the data packets are encrypted.
A third approach is the use of load balancing software that executes on a local area network (LAN) switch rather than a PC. Executing on the switch hardware increases data transfer rates, but the approach is still based on NAT over TCP/IP, which limits applications to Web servers, firewall servers, and proxy servers. Neither switch-based nor PC load balancers can be used when the data packets are encrypted.
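The NAT translation step shared by the PC-based and switch-based load balancers above, as an added example (not code from the patent): the balancer advertises one address, rewrites the destination of each incoming packet to a server chosen round-robin, rewrites the source of the reply back to its own address, and has nothing to rewrite when a packet's addressing fields are not readable. The `VIP`, server addresses, client addresses and the `NatLoadBalancer` name are constructed for the illustration.

```python
from itertools import cycle

VIP = "192.0.2.1"                       # constructed: address the balancer advertises
SERVERS = ["10.0.0.11", "10.0.0.12"]    # constructed: real cluster members

class NatLoadBalancer:
    def __init__(self, vip, servers):
        self.vip = vip
        self.next_server = cycle(servers)     # simple round-robin choice
        self.flows = {}                       # (client ip, client port) -> server

    def to_cluster(self, pkt):
        """Client -> VIP: choose a server and rewrite the destination address."""
        if "dst" not in pkt:                  # addressing fields not readable
            raise ValueError("cannot translate a packet whose header is opaque")
        if pkt["dst"] != self.vip:
            return None                       # not addressed to the cluster
        key = (pkt["src"], pkt["sport"])
        if key not in self.flows:             # new flow: pin it to the next server
            self.flows[key] = next(self.next_server)
        return {**pkt, "dst": self.flows[key]}

    def from_cluster(self, pkt):
        """Server -> client: rewrite the source so the reply appears to come from the VIP."""
        if self.flows.get((pkt["dst"], pkt["dport"])) != pkt["src"]:
            return None                       # reply for a flow the balancer never created
        return {**pkt, "src": self.vip}

def demo():
    """Two constructed client requests, one server reply, and one opaque packet."""
    lb = NatLoadBalancer(VIP, SERVERS)
    req1 = {"src": "198.51.100.5", "sport": 50001, "dst": VIP, "dport": 80, "body": "GET /"}
    req2 = {"src": "198.51.100.6", "sport": 50002, "dst": VIP, "dport": 80, "body": "GET /"}
    fwd1, fwd2 = lb.to_cluster(req1), lb.to_cluster(req2)
    reply = {"src": fwd1["dst"], "sport": 80, "dst": req1["src"], "dport": req1["sport"], "body": "200 OK"}
    out = lb.from_cluster(reply)
    try:                                      # header encrypted end to end: nothing to rewrite
        lb.to_cluster({"ciphertext": "opaque bytes"})
        opaque_ok = True
    except ValueError:
        opaque_ok = False
    return fwd1["dst"], fwd2["dst"], lb.to_cluster(req1)["dst"], out["src"], opaque_ok
```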
What is needed is a firewall system and operating method that attains very high data throughput rates and supports all Internet protocols.