Full Security and Continuity for Intra-Data Center Traffic
To support 24/7/365 application availability for enterprise operations, redundant data center design with application failover has become the standard. However, many next-gen firewalls lack the ability to ensure full security in these environments. Hillstone’s Next Generation Firewalls address this issue head-on with Firewall Twin-Mode, which links redundant firewall pairs across data centers to maintain full security for all redundant data center traffic flows. With Hillstone Firewall Twin-Mode, enterprises can achieve workflow agility and 24/7/365 business continuity while maintaining full data center security.
About Data Center Redundancy
Uptime is critical for many industries, like financial services, healthcare, service providers and others. Performance and security are required to protect against loss of application access or data, either of which can damage revenues and reputation. Redundant data center design mitigates the impact of hardware, software and data center failures, allowing systems and the business to continue to operate 24/7/365.
In a redundant data center architecture, critical business systems run in two or more data centers at the same time, and users are served via multiple data centers which also function as backups for each other. In a failover event, another data center takes over and continues to provide services without interruption. In addition, a redundant configuration effectively doubles the capacity of a given data center through resource integration.
Maintaining Security
In order to protect sensitive corporate data, stateful next-gen firewalls are deployed at the data center perimeter and inspect all traffic for threats and anomalies. Unlike routers, load balancers and other data center hardware that rely on Data Center Interconnection (DCI) devices, however, firewalls must track the state of each session in order to apply security policies accurately.
When multiple redundant data centers are serving applications and data for users, though, a session might traverse a different firewall than the one on which it originated. The second firewall would be unaware of the session established on the first firewall and drop the session as suspicious. This type of asymmetric traffic flow can occur in multiple scenarios within redundant data centers.
Firewall Twin-Mode for DC Redundancy
Hillstone’s Firewall Twin-Mode addresses the issue of asymmetric data flows by synchronizing pairs of redundant data center firewalls through dedicated data control links. Sometimes called overlay transport virtualization (OTV), twin-mode creates a single logical firewall composed of all firewalls in the redundant architecture.
Through twin-mode, session configuration and state information is synchronized across all linked firewalls. Data flows are routed appropriately, session state is maintained, and the requested information is seamlessly delivered to the user.
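The asymmetric-flow problem described above, and the effect of a synchronized session table, can be seen in a small simulation. This is an added illustration, not Hillstone code: two minimal stateful firewalls share one Python set to stand in for twin-mode synchronization, while the addresses, ports and the "trusted prefix" policy are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True marks the packet that opens a TCP session


def flow_key(p):
    return (p.src, p.sport, p.dst, p.dport)


def reverse_key(p):
    return (p.dst, p.dport, p.src, p.sport)


class StatefulFirewall:
    """Minimal stateful firewall: sessions may only be opened from the trusted
    side; every other packet must match a session already in the table."""

    def __init__(self, name, trusted_prefix, sessions=None):
        self.name = name
        self.trusted_prefix = trusted_prefix
        # A table passed in from outside (shared by both firewalls) models
        # twin-mode synchronization; a private table models two independent
        # firewalls that know nothing about each other's sessions.
        self.sessions = sessions if sessions is not None else set()

    def process(self, p):
        if p.syn and p.src.startswith(self.trusted_prefix):
            self.sessions.add(flow_key(p))
            return "allow"
        if flow_key(p) in self.sessions or reverse_key(p) in self.sessions:
            return "allow"
        return "drop"  # no matching session: treated as suspicious


def simulate(twin_mode):
    """A client behind DC-A's firewall opens a session; the server's reply
    returns through DC-B's firewall (asymmetric path). Returns both verdicts."""
    shared = set() if twin_mode else None
    fw_a = StatefulFirewall("fw-dc-a", "10.1.", shared)
    fw_b = StatefulFirewall("fw-dc-b", "10.1.", shared)
    syn = Packet("10.1.0.5", 40000, "203.0.113.10", 443, syn=True)  # constructed
    reply = Packet("203.0.113.10", 443, "10.1.0.5", 40000)  # constructed
    return [fw_a.process(syn), fw_b.process(reply)]
```

Without synchronization the reply is dropped by the second firewall; with the shared table it is recognized as part of the established session, while an unsolicited inbound SYN is still dropped by either firewall.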
Synchronization
Automatic synchronization of firewall configuration and session information across multiple data centers, which allows stateful firewall failover to ensure business continuity
Data Flow Security
Secure asymmetric data flows across data centers to protect sensitive data and defend against intra-data center transfer of malware and other threats
360° Visibility
Full visibility into all intra-data center traffic through Hillstone’s security management platform interface, as opposed to traditional DCI traffic which is often invisible to admins
Reliable Continuity
Full security and 24/7/365 business continuity across a wide variety of data center high-availability architectures