Technical White Paper on DPtech Cloud Board
1. Challenges Faced by Traditional Service Board Stacking

The traditional way to expand service-board capacity is to add further service boards to a single service board. This kind of stacking brings a number of new issues:

Sensitive applications (such as online banking and online games) will be affected.



Fig. 1 Stacking of service boards leads to issues in online banking and gaming systems


As shown above, when the user network segment uses online banking services, its traffic passes through the frame device, where NAT is performed to give it access to the public network. Service Board 1 uses NAT_POOL1 and Service Board 2 uses NAT_POOL2. The user network segment reaches the Internet through the two service boards, with traffic load-shared between them by session.

The online banking system is composed of an online banking login system and an online banking service system, which provide their services from different servers and IP addresses. Suppose public network address 1 is used for NAT when the user logs in to the online banking system through Service Board 1. For a query or money transfer, the user initiates a new session to the online banking service system, and the device forwards that session through Service Board 2 (NAT_POOL2) after NAT. A security-sensitive online banking system, however, takes the change of IP address to mean that multiple people may be operating the account, which it treats as a hidden security risk, so it disconnects the user's session.

Access to online games behaves in exactly the same way as access to online banking systems. Stacking two service boards therefore affects these applications.

Multi-channel ALG applications will be affected



Fig. 2 Stacking of service boards leads to issues in ALG services.


As shown above, an intranet user needs to access the FTP server in the DMZ zone, with two service boards sharing the traffic load. For ALG services such as FTP that use multiple session channels, the service boards need to be aware of those channels and permit the connection, so that a data connection initiated from the FTP server is allowed to pass through the service boards. In the figure, the FTP control connection is established through Service Board 1, which detects the internal FTP channel from the PORT command sent by the FTP client and opens the data connection port for FTP data transmission. If the data is transmitted through Service Board 1, FTP data transmission is normal. If the data is transmitted through Service Board 2, FTP data transmission fails: Service Board 2 drops the data connection, because no ALG detection took place on Service Board 2 and it knows of no such channel. The same occurs with other ALG services, such as NetMeeting, H.323, SIP, PPTP and netbios-ns.

In short, stacking two service boards in the traditional way fails to allocate resources rationally, because it forces a single session stream to pass through a single service board. If the two boards are used together and session traffic flows between different boards, errors may occur in online banking, gaming, ALG services and other applications, which is catastrophic for users.

2. Introduction to DPtech Cloud Boards 

By definition, DPtech Cloud Board virtualizes multiple service boards to form a Cloud board. It is logically equivalent to a single working service board, with the physical service boards connected through high-speed binding interfaces. A traffic distribution algorithm is used to allocate resources reasonably.

DPtech Cloud Board features the following advantages:

♦ Virtual configuration management, eliminating separated configuration of a single board

♦ Even load sharing among multiple boards and automatic scheduling of service traffic

♦ Redundancy among multiple boards, enabling automatic switchover in case of failure and improving reliability

♦ Synchronized expansion of device processing performance and port density


A vital feature of frame devices is the scalability of their performance and functions, which is achieved by supporting a rich range of service boards and allowing flexible expansion as needed.


Fig. 3 Firewall Configuration of Cloud Boards


DPtech virtualizes multiple service boards, using a reasonable algorithm and a session backup mechanism, to form a Cloud board. It is logically equivalent to a single working service board, which greatly improves the performance and reliability of the device. Below is a diagram of the Cloud board:



Fig. 4 Logic Diagram of the Cloud Board

The virtualized Cloud board solves the problem of using multiple service boards simultaneously. Because traffic only flows through the Cloud board, ALG, online banking, gaming and other special services are not affected. In a word, the Cloud board is the ultimate choice for virtualization, as shown in the figure below:


Fig. 5 Cloud boards solve ALG application issues in online banking and gaming systems


DPtech Cloud Board technology is user-friendly and can cater to the network construction requirements of high performance and high reliability by addressing issues caused by traditional stacking.
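An added illustration, not DPtech code: a small Python model of the two failure modes described in section 1 (NAT source address changing between sessions, FTP data channel arriving at a board that never saw the PORT command) and of how a single logical state set removes both. Round-robin session distribution, the shared tables standing in for the Cloud board's session backup mechanism, and all addresses are assumptions constructed for the example.

```python
import itertools
import re

class Board:
    """A service board with a NAT address and an ALG pinhole table."""
    def __init__(self, name, nat_ip, pinholes, nat_bindings):
        self.name, self.nat_ip = name, nat_ip
        self.pinholes = pinholes          # {(client_ip, port)} opened by the FTP ALG
        self.nat_bindings = nat_bindings  # {inside_ip: public_ip}

    def translate(self, inside_ip):
        # Reuse a binding this board can see, otherwise allocate from its own pool.
        return self.nat_bindings.setdefault(inside_ip, self.nat_ip)

    def ftp_control(self, line):
        # FTP ALG: "PORT h1,h2,h3,h4,p1,p2" announces the client's data endpoint.
        m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line.strip())
        if m:
            n = [int(x) for x in m.groups()]
            self.pinholes.add((".".join(map(str, n[:4])), n[4] * 256 + n[5]))

    def ftp_data_allowed(self, client_ip, port):
        return (client_ip, port) in self.pinholes

def build(shared):
    """shared=False: stacked boards, private state per board.
    shared=True: one state set visible to every board (assumed stand-in
    for the Cloud board behaving as a single logical service board)."""
    pin, nat = set(), {}
    return [
        Board("board1", "203.0.113.10", pin if shared else set(), nat if shared else {}),
        Board("board2", "198.51.100.10", pin if shared else set(), nat if shared else {}),
    ]

def run(shared):
    nxt = itertools.cycle(build(shared))     # assumed: new sessions alternate boards
    login_src = next(nxt).translate("10.0.0.5")    # session 1: banking login
    service_src = next(nxt).translate("10.0.0.5")  # session 2: banking service
    next(nxt).ftp_control("PORT 10,0,0,5,19,137")  # session 3: FTP control, port 5001
    data_board = next(nxt)                         # session 4: FTP data from server
    return {"same_source_ip": login_src == service_src,
            "ftp_data_allowed": data_board.ftp_data_allowed("10.0.0.5", 5001)}

if __name__ == "__main__":
    print("stacked:", run(shared=False))
    print("cloud  :", run(shared=True))
```

When reviewing a multi-board firewall deployment, the same two checks apply: confirm that one inside host keeps one translated address across sessions, and that ALG-learned pinholes are honoured regardless of which board receives the secondary channel.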

