The New York City Department of Homeless Services and those it serves can’t wait around while critical application servers are being fixed. The agency, which serves hundreds of families a month, must make sure that everyone who needs housing gets it, pronto.
Unfortunately, the agency’s network lacked high availability, and communications instability caused outages that made it challenging for DHS to service its clients, explains Valery Dmitriev, chief security officer and director of network operations at the agency. “That meant that the whole process of taking people in, entering them in the system and finding them shelter was unavailable or delayed. It was unacceptable.”
But after deploying Radware’s LinkProof load balancers last July, IT was able to seamlessly distribute application requests across several data center servers hosting its homegrown Client Tracking system, improving availability for its 1,800 employees, who were spread out in 13 offices across the city.
As organizations move to centralized data centers and support critical applications across wide-area networks, they need to balance application load while offloading key application-level functions, such as security, SSL encryption or content switching, from overburdened servers. For that, they deploy load-balancer appliances.
“It’s more than just simple load balancing today,” says Joe Skorupa, research vice president of enterprise network services and infrastructure at Gartner. “In addition to significantly improving performance and reducing server loads, these products are ideally positioned to examine traffic and find performance and security problems.”
The LinkProof deployment also aids the agency’s continuity of operations program. “After Sept. 11, we became part of FEMA,” Dmitriev says.
“So if there is an emergency, natural disaster, terrorist act or whatever in the city, we have to provide shelter for not just the homeless, but everyone else, the citizens. That raises our bar quite a bit.”
Now, if there’s an outage, the LinkProof load balancers seamlessly reroute application traffic to the agency’s recovery site, ensuring access. Such uptime is key, not just as a safety and moral imperative, but also as a financial issue.
“We needed a system that was flexible enough to load balance applications and provide users with a seamless experience, regardless of where the application is coming from,” Dmitriev says. “Because for us, downtime is equal to dollars.”
In the past, if DHS was unable to process a family in a timely way, it was liable to Legal Aid Society fines of up to $100 per person per day. But with the new system in place, DHS is no longer subject to such penalties.
The Ohio Department of Insurance benefits from Barracuda Networks’ Load Balancer 640 devices, which streamline access and improve communications between its web and data servers. Network Manager Dominic Lacich notes the 640s also provide intrusion detection and prevention, enabling him to move the web servers in from the demilitarized zone and add a layer of security.
Not only has the new setup offloaded the agency’s perimeter firewall, because the load balancers sit between it and the internal servers, but also the agency no longer sees communication errors between the web servers and the back-end data servers. On top of that, network uptime has improved significantly.
“Over the past three months since I had the Barracudas in place, I went from 97.89 percent to 99.7 percent availability,” says Lacich. “That number includes maintenance, so that’s a pretty impressive improvement.”
Compression and Content
The new load balancers also work to minimize bandwidth expenses. Tom Drogseth, manager of the technical systems engineering unit within the IT division of the State Court Administrator’s Office in the Minnesota Judicial Branch, rolled out Citrix Systems NetScaler load balancers to support the country’s first statewide case management system.
When the division replaced its old case management system in 2003, it knew the new system would use more bandwidth. “Either we had to add a lot of bandwidth across the state or we had to somehow compress the data going out to the different counties,” says Drogseth.
A pair of NetScalers not only balances the traffic coming into its four web servers from 3,500 users and 640 noncourt state agencies, but also handles inbound and outbound compression.
One day in early June, the New York City Department of Homeless Services offered provisional housing for nearly 35,000 adults and children.
“With the NetScalers in place, we’ve seen an 80 percent reduction in the amount of bandwidth usage, so that was a huge gain for us,” Drogseth says. That savings meant the court was able to pay for the devices in less than a year.
The NetScalers also perform higher-level application functions, including SSL encryption termination, TCP/IP offload and content-switching.
“The NetScalers really help us in the sense that they compress the traffic and take the load off a server from doing the SSL termination, or building the TCP stack and breaking that back down,” says Senior Network Analyst Shaun Weishalla. “They do multiplexing as well, so they will hold those connections to the server open, meaning they don’t have to open and close them constantly for reuse. It’s a huge savings.”
Drogseth is also looking to implement a new application-level firewall in conjunction with the NetScalers that will use content switching to make the application PCI-compliant.
Beyond the Basics
Load balancers offer a wealth of application-level features and functions. Here are some to consider:
- Secure Sockets Layer Encryption Termination. Rather than forcing the application server to deal with the overhead of terminating SSL encryption, most load balancers can offload such tasks, freeing up the application server to do what it does best: serve applications.
- Compression. Load balancers save on bandwidth by ensuring that traffic loads are distributed evenly among back-end servers, but they can also cut bandwidth use significantly through functions such as compression and traffic shaping.
- Content-switching. Another key security feature some products offer is content-switching, where the load balancer filters for certain data strings, such as credit card numbers or Social Security numbers, and ensures they are blocked before being carried across the WAN. This helps prevent data leakage.
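The data-string filtering described under content-switching, sketched as an added example (not code from the article or from any vendor's product): it scans an outbound response body for Social Security numbers and Luhn-valid card numbers, then blocks or redacts it. The function names, patterns and sample record are assumptions constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# SSN in 3-2-4 form; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs (order numbers, case IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def filter_response(body: str, block: bool = True):
    """Return (action, body_to_send, hits) for one outbound response body."""
    hits = []

    def ssn_sub(match):
        hits.append("ssn")
        return "[REDACTED-SSN]"

    def card_sub(match):
        if luhn_ok(re.sub(r"[ -]", "", match.group())):
            hits.append("card")
            return "[REDACTED-CARD]"
        return match.group()    # digit run that fails Luhn: leave untouched

    # Mask SSNs first so an SSN next to a card number is not read as one long run.
    redacted = CARD_RE.sub(card_sub, SSN_RE.sub(ssn_sub, body))
    if not hits:
        return "allow", body, hits
    return ("block", "", hits) if block else ("redact", redacted, hits)


# Constructed sample record; the card value is the widely published Visa test number.
SAMPLE = "name=Jane Roe; ssn=123-45-6789; card=4111-1111-1111-1111; case=20418"

if __name__ == "__main__":
    print(filter_response(SAMPLE, block=False))
    print(filter_response("ref 4111 1111 1111 1112"))  # fails Luhn, allowed
```
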