Today, a server farm is a physical location having a scalable infrastructure and all the facilities and resources, enabling the users connected to the Internet network to easily access a number of services provided by a plurality of customers. Generally, the resources are located in premises owned by a data processing equipment provider such as IBM.
Most server farms are used today to host WEB servers of several customers. The architecture of such a server farm includes a local network to which are connected the customer servers and an Internet front-end connecting this local network to the Internet network. Such a local network includes different layers of components such as switches and firewalls through which the requests from the users connected to the Internet network are routed.
Generally, there are a plurality of servers which are associated with one or more customers, where several servers associated with a customer constitute a group or cluster of servers. In this case, the local network is connected to the customer servers through a dispatching device in charge of dispatching the requests from the users to the appropriate customer server. The function of the dispatching device is not only to send the user requests to the right cluster of servers if there is more than one cluster, but also to select a server in the cluster in accordance with load balancing rules. Such a solution is preferable to using hardware and software dedicated to each customer, a solution which is too expensive. Nevertheless, this shared solution results in the risk that one of the customers impacts the other customers unless appropriate features for sharing are included in the system.
A dispatching device presents all the characteristics of a router (that is to route packets based on the IP address or other IP packet characteristics) without the typical port-related security filtering features known as access lists that exist with most true routers. Therefore, the use of such a dispatching device results in a security breach in that this configuration allows one customer server to access another customer server through the dispatching device. Note that there may be a normal flow between customer servers and the dispatching device used by the load balancing algorithms to check the presence or the load of the servers.
Several approaches could be used to remedy the above drawback. A first approach would consist of forbidding any traffic whose source address matches with some other customer's characteristics, for example by setting list controls in the ports of the switches sending traffic to a customer server. This approach is inefficient since source addresses can be faked by the originating server, and would necessitate modification of each access list of other ports when a new customer is added.
A second approach consists of forbidding any traffic whose destination characteristics match with some other customer's characteristics by setting list controls in the ports of the switches located between the customer servers and the dispatching device. A drawback of this approach is that each time a new customer server is added, each access list for all the other ports connected to the other servers (of the other customers or the same customer) must be updated.
A third approach would consist of allocating in advance customer space characteristics so that all can be configured at once and the same configuration can be applied to each new addition. A drawback of this approach is that it is difficult to pre-allocate resources in this environment since these resources must correspond to the maximum requirements thereby resulting in a very important cost.