One for All
Crossbeam's behemoth lets you house all your security applications under one roof.
March 3, 2003
The chassis comprises a series of diskless Linux workstations that load their operating system over an NFS (Network File System) mount. The X40 Crossbeam I tested in our Syracuse University Real-World Labs® had two network blades, two management blades and five application blades, but the unit can handle a maximum of 10 application blades. The blades are tied together through the backplane to the management and network interfaces. The X40 automatically assigns and reassigns blades for your application needs: Simply ask it to give you two blades for firewalls, and the X40 does the rest. For logging or storage, you can outfit the application blades with a local hard drive.
Crossbeam X40 (photo)
Crossbeam lets you configure the X40 via a connected console cable, telnet or SSH, or from the Web GUI. The first step is to create Virtual Application Processor (VAP) groups--a selection of blades for failover or load-balancing. Next you need to prioritize the blades for failover. In the event no standby blades are left, you'll have the option to swap out a blade with a lower priority. Although you can give the VAP groups multiple applications to run simultaneously, Crossbeam recommends one application per blade.
I asked the X40 to assign two Check Point Software Technologies firewalls in load-balancing mode, one Snort IDS and Trend Micro's InterScan VirusWall antivirus product to the blades. This left me with one application blade for standby.
Running the Circuit
I indicated the IP addresses of the VAP groups and assigned IPs for the internal and external ports of my firewall and antivirus groups. The Snort IDS sits in promiscuous mode, so I didn't need to assign it an IP. Then I designated the paths over which traffic would flow. I set VirusWall to scan all Web traffic for viruses by using the antivirus product as a Web proxy. I also set up a rule that VirusWall would forward its traffic to one of the Check Point firewalls, and I configured the firewalls as if they were standalone boxes. Finally, I tied my circuits to physical interfaces, and I was ready to test.
I ran 5,000 simultaneous FTP transfers to test connectivity and failover. The X40 displays traffic on a monitoring interface, so I could see which of the two firewalls was inspecting my IP traffic. I pulled the associated blade out of the chassis and watched it fail over to the secondary with only a short pause. The standby blade booted, and within a few minutes I had two firewalls. I questioned the delay and discovered that when a blade is repurposed or removed from standby mode, it has to load a new operating system image.
I set up a client to proxy Web traffic through the antivirus blade's IP. I then tried to download an executable containing the Happy99 virus, and Trend's VirusWall blocked it. Then I gave the VAP assigned to the Trend application a higher priority than the IDS VAP group and failed the Trend. The X40 took down the IDS and brought it back up as a Trend blade. The device can also be configured to fail over to one of the two firewall blades, but one firewall will always be active.
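The VAP group behaviour described in the configuration section and exercised in the failover tests above (a standby blade is repurposed first, a lower-priority group is preempted when no standby remains, and a group is never drained below its floor, as with the "one firewall will always be active" rule) can be modelled in a few lines. The following Python is an added example written for this page, not Crossbeam software or the X40's real allocation logic; the priority numbers, the per-group `minimum` floor, the `REIMAGE_SECONDS` delay and the slot layout are assumptions chosen to mirror the review's test setup.

```python
"""Toy model of VAP-group failover with priority preemption (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed boot delay: a repurposed blade must load a new OS image before it serves.
REIMAGE_SECONDS = 180


@dataclass
class Blade:
    slot: int
    app: Optional[str] = None   # None = standby blade with no image loaded
    healthy: bool = True


@dataclass
class VapGroup:
    name: str
    priority: int   # higher number wins when blades are contested
    desired: int    # blades the group wants running
    minimum: int    # blades that may never be taken from it (hypothetical knob)


@dataclass
class Chassis:
    blades: List[Blade]
    groups: Dict[str, VapGroup]
    log: List[str] = field(default_factory=list)

    def active(self, group: str) -> List[Blade]:
        return [b for b in self.blades if b.healthy and b.app == group]

    def standby(self) -> List[Blade]:
        return [b for b in self.blades if b.healthy and b.app is None]

    def deficit(self, group: str) -> int:
        return self.groups[group].desired - len(self.active(group))

    def _preempt_victim(self, needy: str) -> Optional[Blade]:
        """Pick a blade from the lowest-priority group that ranks below `needy`
        and still has more than its minimum running."""
        g = self.groups[needy]
        candidates = [v for v in self.groups.values()
                      if v.priority < g.priority
                      and len(self.active(v.name)) > v.minimum]
        if not candidates:
            return None
        victim_group = min(candidates, key=lambda v: v.priority)
        return self.active(victim_group.name)[-1]

    def fail_blade(self, slot: int) -> str:
        """Simulate pulling a blade; returns what the chassis did about it."""
        blade = next(b for b in self.blades if b.slot == slot)
        blade.healthy = False
        if blade.app is None:
            self.log.append(f"slot {slot}: standby blade lost")
            return "standby-lost"
        self.log.append(f"slot {slot}: {blade.app} blade failed")
        return self.rebalance(blade.app)

    def rebalance(self, group: str) -> str:
        if self.deficit(group) <= 0:
            return "absorbed"          # load-balancing peer carries the traffic
        spare = self.standby()
        if spare:                      # rule 1: use a standby blade
            spare[0].app = group
            self.log.append(f"slot {spare[0].slot}: standby -> {group} "
                            f"(reimage {REIMAGE_SECONDS}s)")
            return "standby-repurposed"
        victim = self._preempt_victim(group)   # rule 2: take a lower-priority blade
        if victim is None:
            self.log.append(f"{group}: degraded, no blade available")
            return "degraded"
        old = victim.app
        victim.app = group
        self.log.append(f"slot {victim.slot}: {old} -> {group} "
                        f"(reimage {REIMAGE_SECONDS}s)")
        return f"preempted:{old}"


def review_scenario() -> Tuple[List[str], Chassis]:
    """Replays the review: 2 firewalls, 1 IDS, 1 AV, 1 standby; AV outranks IDS."""
    ch = Chassis(
        blades=[Blade(1, "fw"), Blade(2, "fw"), Blade(3, "ids"), Blade(4, "av"), Blade(5)],
        groups={"fw": VapGroup("fw", priority=3, desired=2, minimum=1),
                "av": VapGroup("av", priority=2, desired=1, minimum=0),
                "ids": VapGroup("ids", priority=1, desired=1, minimum=0)})
    results = [ch.fail_blade(1),   # firewall pulled: standby is reimaged as firewall
               ch.fail_blade(4),   # AV fails, no standby left: IDS blade is taken
               ch.fail_blade(3)]   # AV fails again: nothing below it can be spared
    return results, ch


def firewall_floor_scenario() -> Tuple[List[str], Chassis]:
    """AV ranked above the firewalls: it may take one firewall blade, never the last."""
    ch = Chassis(
        blades=[Blade(1, "fw"), Blade(2, "fw"), Blade(3, "ids"), Blade(4, "av"), Blade(5)],
        groups={"fw": VapGroup("fw", priority=2, desired=2, minimum=1),
                "av": VapGroup("av", priority=3, desired=1, minimum=0),
                "ids": VapGroup("ids", priority=1, desired=1, minimum=0)})
    results = [ch.fail_blade(s) for s in (4, 5, 3, 2)]
    return results, ch


if __name__ == "__main__":
    for scenario in (review_scenario, firewall_floor_scenario):
        _, chassis = scenario()
        print("\n".join(chassis.log), end="\n\n")
```

The model makes the cost of each failover path visible: a standby blade or a preempted blade pays the reimage delay the review observed, while a load-balanced peer absorbs a failure with no reassignment at all. The `minimum` floor is what keeps a high-priority group from silently removing the only firewall in the path.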
The physical interfaces can also be set up for failover. I assigned the gigabit ports as primaries and the 10/100 UTP ports as backups. When I unplugged the fiber cable, the device failed over seamlessly. You can configure the X40 so it will switch back to the master when it comes online or so an administrator must switch it back manually.
Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University Real-World Labs®. Write to him at [email protected].