Avaya 8800 Planning And Engineering, Network Design page 287

Ethernet routing switch

For sophisticated state-aware packet filtering (Real Stateful Inspection), you can add an external
firewall to the architecture. State-aware firewalls can recognize and track not only application
flows that use static TCP and UDP ports, such as Telnet or HTTP, but also applications that create
and use dynamic ports, such as FTP and audio and video streaming. For every packet, the state-aware
firewall finds a matching flow and conversation.
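The following Python example is added here for illustration; it is not from the Avaya manual and does not describe how any Avaya product or external firewall is implemented. It models a state-aware filter that permits only the static FTP control port and admits a data connection on a dynamic port once the control channel has announced it. The class name, function names, policy, and addresses are all constructed.

```python
import re

# Constructed policy: only the FTP control port is statically permitted.
STATIC_PORTS = {("tcp", 21)}
# Matches an active-mode "PORT h1,h2,h3,h4,p1,p2" command or a "227 (...)" passive reply.
ENDPOINT_RE = re.compile(r"^(?:PORT |227 .*\()(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

class StatefulFilter:
    def __init__(self):
        self.flows = set()     # established flows, stored in both directions
        self.pinholes = set()  # (initiator_ip, dst_ip, dst_port) expected data flows

    def _track(self, proto, src, sport, dst, dport):
        self.flows.add((proto, src, sport, dst, dport))
        self.flows.add((proto, dst, dport, src, sport))

    def _inspect_control(self, src, dst, payload):
        m = ENDPOINT_RE.match(payload)
        if not m:
            return
        nums = [int(g) for g in m.groups()]
        ip, port = ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
        # Pinhole only toward the announcing host itself, on an unprivileged port.
        if max(nums) <= 255 and ip == src and port >= 1024:
            self.pinholes.add((dst, ip, port))

    def handle(self, proto, src, sport, dst, dport, syn=False, payload=""):
        if (proto, src, sport, dst, dport) in self.flows:
            if 21 in (sport, dport):  # control channel: watch for dynamic ports
                self._inspect_control(src, dst, payload)
            return "ALLOW"
        if syn and (proto, dport) in STATIC_PORTS:
            self._track(proto, src, sport, dst, dport)
            return "ALLOW"
        if syn and (src, dst, dport) in self.pinholes:
            self.pinholes.discard((src, dst, dport))  # one data flow per pinhole
            self._track(proto, src, sport, dst, dport)
            return "ALLOW"
        return "DROP"  # no matching flow, static rule or pinhole

def demo():
    fw, c, s = StatefulFilter(), "10.0.0.5", "192.0.2.10"  # constructed addresses
    return [
        fw.handle("tcp", c, 40000, s, 21, syn=True),     # control connection
        fw.handle("tcp", c, 40001, s, 50123, syn=True),  # data port not yet announced
        fw.handle("tcp", s, 21, c, 40000,
                  payload="227 Entering Passive Mode (192,0,2,10,195,203)"),
        fw.handle("tcp", c, 40001, s, 50123, syn=True),  # announced data flow
    ]
```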
The following figure shows a typical configuration used in firewall load balancing.
Figure 146: Firewall load balancing configuration
Use this configuration to redirect incoming and outgoing traffic to a group of firewalls and to
automatically load balance across multiple firewalls. The WSM can also filter packets at the ingress
port so that firewalls see only relevant packets.
The benefits of such a configuration are:
• increased firewall performance
• reduced response time
• redundant firewalls ensure Internet access
Virtual private networks (VPN) replace the physical connection between the remote client and
access server with an encrypted tunnel over a public network. VPN technology employs IP Security
(IPSec) and Secure Sockets Layer (SSL) services.
Several Avaya products support IPSec and SSL. Contivity and the Services Edge Router support
IPSec. Contivity supports up to 5000 IPSec tunnels, and scales easily to support operational
requirements. The Services Edge Router can support up to 30 000 tunnels.
For SSL needs, Avaya offers the Integrated Service Director (iSD) SSL Accelerator Module (SAM).
The SAM is used by the Web Switching Module (WSM) to decrypt sessions and to make encrypted
cookies and URLs visible to the WSM. The SAM offers:
• secure session content networking at wire speed
• offloading for Web servers for better performance
• optimized Web traffic for secure Web sites
• cost savings because fewer servers need to be enabled
The Accelerator also terminates each client HTTPS session, performs hardware-assisted key
exchange with the client, and establishes an HTTP session to the chosen Web server. On the return
path, the SAM encrypts the server response according to the negotiated encryption rules and
forwards the response to the requesting client using the established HTTPS session. You can load
balance up to 32 iSD-SSL units transparently by using a WSM.
June 2016
Planning and Engineering — Network Design
Comments on this document? infodev@avaya.com
Control plane security
287


This manual is also suitable for:

8600
