Date: March 14th 2009



METTLE NEWS
[Newsletter on the Mettle(tm) brand of products: industry updates, tips and case
studies]

March 2009
Volume 2, Issue 3


In this issue:
* Editorial
* IT Industry news: Long AS path causes pandemonium on the Internet *
* Mettle SE Feature: Mettle SE Active Failover Stack *
* Tip Of The Month: Changing Default Web GUI Administration Port *
* Case Study: Mettle SE at the Indian subsidiary of US based Asset Management Company *


* Editorial *

Greetings,

In this month's newsletter we present the case study of a client that runs Mettle SE
devices at two campuses a few kilometres apart, including an active failover pair at one of
them.

Learn how to set up a failover stack using Mettle SE in this issue's Mettle SE feature.

As always, we welcome your feedback and suggestions, which help us improve this newsletter
and the Mettle range of products.

Thank you.

Yours truly,

Editor, Mettle News
(mettlenews@mettle.in)


* Industry News: Long AS path causes pandemonium on the Internet *

Internet routing is a cooperative effort: routers tell their neighbouring routers what they
know, and that information is relayed all over the world. What is passed around is a set of
prefixes, blocks of IP addresses that are routed in the same way. There is often more than
one way to reach a given prefix, so routing announcements carry attributes that let every
router choose a preferred path to each prefix. One such attribute is the Autonomous System
(AS) path, the list of organisations (as the Autonomous System Number, ASN, of each) that
must be traversed to reach the prefix.

If network administrators do not want other routers to select a particular path, they
artificially lengthen it, a technique known as AS path prepending, so that it is only chosen
as a secondary route. The average path length on the Internet is only around four AS
numbers, so a path padded by one or two extra entries will generally not be selected and
becomes the path of last resort.

On Monday, 16 February 2009 a misconfiguration on a Czech company's router slowed down the
entire Internet. The small company, SuproNet, briefly caused router problems across the
globe. Like everyone else, SuproNet tells other routers how to reach its prefixes, and in
this mishap it padded the AS path of its secondary route to a length far beyond anything
the intended effect required. As the announcement propagated, the sheer length of the path
caused affected routers to drop their BGP sessions with the immediate source of the data.

What seems to have happened is that the padded path exceeded 255 AS numbers, more than the
single octet that counts the entries of an AS path segment can hold. Most core routers of
major ISPs were unaffected, but older or unpatched Cisco routers choked on the ridiculous
path while processing and re-advertising it, and the problem repeated wherever the
announcement reached another such router. On its own an unusually long AS path should not
have created a cascade of failures; the damage came from a bug in Cisco's Internetwork
Operating System (IOS) that made it mishandle AS paths of that length. Because those
routers were located all over the world, the event was global: the affected routers treated
the update as junk and tore down the session with the router that had sent it.

The practical lesson sits on the receiving side as much as the sending one. A router should
bound the AS path length it accepts (Cisco IOS has the bgp maxas-limit setting for this)
and drop the offending route rather than the session, and operators should filter their own
announcements so that one typo cannot propagate world-wide.

The matter was resolved when SuproNet changed the AS-path information after apparently
being informed about the problems its routing update was causing around the Internet.
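The following added example, which is not from the Renesys post or from this newsletter,
models the mechanics described above in Python. It encodes an AS path as AS_PATH segments
in the classic 2-octet ASN form (an assumption; AS4_PATH is not modelled), shows how a
path prepended by two entries loses the shortest-path comparison, and shows that a path of
more than 255 entries cannot fit in one segment and can be rejected by a receiver that caps
the path length it accepts. The ASNs come from the documentation range and the paths are
constructed for the example.

```python
import struct

# AS_PATH segment types (RFC 4271, section 4.3)
AS_SET, AS_SEQUENCE = 1, 2
# A segment's length field is one octet, so a single segment lists at most 255 ASNs
MAX_SEGMENT_LEN = 255
# Assumption for this example: classic 2-octet ASN encoding (AS4_PATH is not modelled)
ASN_FMT = "!H"


def prepend(path, asn, times):
    """AS path prepending: the announcing AS repeats its own ASN in front of
    the path to make the route look longer and therefore less preferred."""
    return [asn] * times + list(path)


def encode_as_path(asns):
    """Encode an AS path as AS_SEQUENCE segments, splitting every 255 ASNs
    because the per-segment length counter cannot go higher."""
    out = bytearray()
    for i in range(0, len(asns), MAX_SEGMENT_LEN):
        chunk = asns[i:i + MAX_SEGMENT_LEN]
        out += struct.pack("!BB", AS_SEQUENCE, len(chunk))
        for asn in chunk:
            out += struct.pack(ASN_FMT, asn)
    return bytes(out)


def decode_as_path(data, max_path_len=None):
    """Decode an AS_PATH attribute value defensively.

    Every segment's declared length must fit in the bytes that remain, and
    the caller may cap the total path length: the receiving-side control
    that drops an absurd announcement instead of the BGP session (Cisco IOS
    exposes such a cap as 'bgp maxas-limit')."""
    asns = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated segment header")
        seg_type, seg_len = struct.unpack_from("!BB", data, pos)
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown segment type {seg_type}")
        need = seg_len * struct.calcsize(ASN_FMT)
        if len(data) - pos < need:
            raise ValueError("segment length exceeds attribute length")
        asns.extend(struct.unpack_from(f"!{seg_len}H", data, pos))
        pos += need
        if max_path_len is not None and len(asns) > max_path_len:
            raise ValueError(f"AS path longer than {max_path_len} entries; route discarded")
    return asns


def best_by_as_path(candidates):
    """The best-path step that prepending targets: among routes to the same
    prefix, given as (name, as_path) pairs, prefer the shortest AS path."""
    return min(candidates, key=lambda c: len(c[1]))[0]


if __name__ == "__main__":
    origin = 64500                                   # constructed, documentation-range ASN
    primary = [64496, origin]                        # seen via one upstream
    secondary = [64497] + prepend([origin], origin, 2)   # seen via the other, prepended twice
    print("preferred:", best_by_as_path([("via 64496", primary), ("via 64497", secondary)]))
    huge = prepend([origin], origin, 299)            # 300 entries: needs two segments
    print("encoded bytes:", len(encode_as_path(huge)))
    try:
        decode_as_path(encode_as_path(huge), max_path_len=255)
    except ValueError as err:
        print("receiver with a cap:", err)
```

The cap in decode_as_path is deliberately applied per route: a router that enforces it
loses one prefix from one peer, whereas the routers in the story lost the whole session.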

For more details:
http://www.renesys.com/blog/2009/02/longer-is-not-better.shtml


* Mettle SE Feature: Mettle SE Active Failover Stack *

Hardware redundancy is the de facto standard for a high-availability installation. It gives
businesses running mission-critical operations immense reassurance, and active hardware
redundancy in particular keeps operations running seamlessly even if a core device fails.
For active hardware redundancy to work, the participating core devices must support it.
Mettle SE supports such a configuration when the need arises: it implements active hardware
redundancy with the help of the Common Address Redundancy Protocol (CARP), under which the
two devices share floating (virtual) IP addresses that follow whichever device is currently
master.

The prerequisites for setting up an active Mettle SE failover stack are:

1. Two Mettle SE devices; call them, say, Master and Slave
2. Three IP addresses on the LAN side (one of them the floating LAN address)
3. Three IP addresses on the WAN side (one of them the floating WAN address)
4. Two IP addresses from a /28 subnet, used only to synchronise the two Mettle SEs (the
Sync network)
5. One dedicated interface on each Mettle SE for synchronisation (SYNC)

The following steps will walk you through the configuration of CARP.

A) Create a SYNC interface (on both Mettle SE devices):

1. Go to Interfaces --> Assign --> click the + button. Assign a free interface and rename
it SYNC
2. Connect the SYNC interfaces of the two Mettle SEs with a crossover Ethernet cable
3. Give the SYNC interfaces two unique IP addresses from the /28 subnet that is used
nowhere else
4. Create a firewall rule on both Mettle SE devices to allow all traffic between the SYNC
interfaces

The SYNC link carries firewall state and configuration between the two devices and is
protected only by the Slave's webGUI password entered in step C, so keep it on that
dedicated cable or an isolated VLAN and never route it across the LAN or any segment that
other hosts can reach.

B) Configure Virtual IPs (on the Master Mettle SE):

1. Go to Firewall --> Virtual IPs
2. Click '+' to add a new Virtual IP address
3. Type - select CARP
4. Interface - select WAN
5. IP Address(es) - enter the floating IP address reserved for the WAN with the correct
CIDR value
6. Virtual IP Password - enter a password. It authenticates the CARP advertisements for
this VHID, and any host on the segment that knows it could announce itself as master, so
choose a strong one
7. VHID Group - enter the VHID group number: 1, or 2 if this is the second CARP Virtual IP
8. Advertising Frequency - set to 0, which marks this device as the preferred master
9. Description - enter a description for this Virtual IP
10. Click 'Save'
11. Repeat the same procedure for the LAN, incrementing 'VHID Group'
12. Apply Settings

C) CARP configuration in Master Mettle SE:
1. Go to Firewall --> Virtual IPs --> CARP Settings
2. Check 'Synchronise Enabled'
3. Use SYNC as 'Synchronise Interface'
4. Check 'Synchronise Rules'
5. Check 'Synchronise Firewall Schedules'
6. Check 'Synchronise Aliases'
7. Check 'Synchronise NAT'
8. Check 'Synchronise IPsec'
9. Check 'Synchronise Wake on LAN'
10. Check 'Synchronise Static Routes'
11. Check 'Synchronise Load Balancer'
12. Check 'Synchronise Virtual IPs'
13. Check 'Synchronise Traffic Shaper'
14. Check 'Synchronise DNS Forwarder'
15. Synchronise to IP - enter the IP address of the Slave's SYNC interface
16. Remote System Password - enter the webGUI password of the Slave Mettle SE
17. Click on 'Save'

D) CARP configuration in Slave Mettle SE:
1. Go to Firewall --> Virtual IPs --> CARP Settings
2. Check 'Synchronise Enabled'
3. Synchronise Interface - Select the SYNC interface created earlier.
4. Save.

E) Verify Settings:
1. Go to Status --> CARP
2. The Master should show both Virtual IP addresses as MASTER
3. The Slave should show both Virtual IP addresses as BACKUP
4. To test the failover, unplug the Master's WAN or LAN cable and confirm that the Slave
now shows the Virtual IP addresses as MASTER while clients keep their connectivity through
the floating addresses; plug the cable back in and confirm the roles return

F) Additional Settings:

NAT
1. Outbound NAT should use the CARP VIP as the translation address instead of the WAN IP;
otherwise translated connections are tied to the Master's own WAN address and their replies
stop arriving when the Slave takes over
2. Edit the NAT rule and change "Translation" to the CARP address

DHCP

Master
1. DHCP should hand out the LAN CARP address as the DNS and gateway address
2. "Failover peer IP" should be the real (non-floating) IP address of the Slave

Slave
1. DHCP should hand out the LAN CARP address as the DNS and gateway address
2. "Failover peer IP" should be the real (non-floating) IP address of the Master

KB article:
http://kb.mettle.in/entry/18/
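To make steps 6 and 8 of section B concrete, here is an added Python example that is not
Mettle's code. It builds and parses CARP advertisements using the header layout from
ip_carp.h in OpenBSD and FreeBSD (the reference implementations of the protocol this stack
relies on) and applies the election rules from that code, where the interval advbase +
advskew/256 decides who is master. The 20-byte HMAC field that the Virtual IP Password
keys is carried but not computed, since its input layout is implementation specific;
demotion counts are assumed equal on both sides; the packets are constructed in the block.

```python
import struct

CARP_VERSION = 2
CARP_ADVERTISEMENT = 1
CARP_AUTHLEN_SHA1 = 7        # authentication data length in 32-bit words (20-byte SHA1 HMAC)
# Header layout from ip_carp.h (OpenBSD/FreeBSD): version/type nibbles, vhid, advskew,
# authlen, demotion, advbase, checksum, 64-bit counter, 20-byte HMAC = 36 bytes
CARP_HDR = struct.Struct("!BBBBBBHQ20s")


def inet_checksum(data):
    """Ones'-complement Internet checksum; over IPv4 the CARP header is
    checksummed like an IP header. Over a valid header the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vhid, advskew, advbase=1, counter=0, hmac=b"\x00" * 20):
    """Construct an advertisement. The HMAC (keyed with the Virtual IP Password)
    is taken as given rather than computed: its input layout is
    implementation specific and not modelled here."""
    vt = (CARP_VERSION << 4) | CARP_ADVERTISEMENT
    fields = [vt, vhid, advskew, CARP_AUTHLEN_SHA1, 0, advbase, 0, counter, hmac]
    fields[6] = inet_checksum(CARP_HDR.pack(*fields))   # checksum over header with field zeroed
    return CARP_HDR.pack(*fields)


def parse_advertisement(pkt):
    """Checks a receiver performs before it looks at the HMAC: length,
    version, type, checksum and authlen. Anything else is dropped."""
    if len(pkt) < CARP_HDR.size:
        raise ValueError("short CARP packet")
    vt, vhid, advskew, authlen, demote, advbase, _, counter, md = CARP_HDR.unpack_from(pkt)
    if vt >> 4 != CARP_VERSION:
        raise ValueError(f"unsupported CARP version {vt >> 4}")
    if vt & 0x0F != CARP_ADVERTISEMENT:
        raise ValueError(f"unexpected CARP type {vt & 0x0F}")
    if inet_checksum(pkt[:CARP_HDR.size]) != 0:
        raise ValueError("bad CARP checksum")
    if authlen != CARP_AUTHLEN_SHA1:
        raise ValueError(f"unexpected authlen {authlen}")
    return {"vhid": vhid, "advskew": advskew, "advbase": advbase,
            "demote": demote, "counter": counter, "hmac": md}


def adv_interval(advbase, advskew):
    """Seconds between advertisements: advbase + advskew/256. The node with
    the shortest interval wins, which is why the Master gets skew 0."""
    return advbase + advskew / 256.0


def master_should_yield(own_advbase, own_advskew, adv):
    """A MASTER that hears an advertisement for its VHID with an interval no
    longer than its own steps down to BACKUP (ip_carp.c also yields on an
    equal interval; demotion counts assumed equal). A forged advertisement
    with a valid HMAC triggers exactly this, hence the password in step B6."""
    return adv_interval(adv["advbase"], adv["advskew"]) <= adv_interval(own_advbase, own_advskew)


def backup_should_take_over(own_advbase, own_advskew, adv, preempt=True):
    """A BACKUP takes over when the master advertises slower than the backup
    would (if preemption is enabled), or so slowly that it is bound to time
    out anyway."""
    own = adv_interval(own_advbase, own_advskew)
    theirs = adv_interval(adv["advbase"], adv["advskew"])
    if preempt and theirs > own:
        return True
    return theirs > 3 * own_advbase + own_advskew / 256.0


def backup_timeout(advbase, advskew):
    """Silence a BACKUP tolerates before declaring itself MASTER: three
    advertisement periods plus its own skew."""
    return 3 * advbase + advskew / 256.0


if __name__ == "__main__":
    master_adv = parse_advertisement(build_advertisement(vhid=1, advskew=0))   # step B8: skew 0
    print("backup (skew 100) takes over?", backup_should_take_over(1, 100, master_adv))
    print("backup timeout (s):", backup_timeout(1, 100))
```

The parse step is where a cheap forgery dies (wrong checksum, version or type); a forgery
that passes it is stopped only by the HMAC, which is the whole value of the password in
step B6 and the reason the LAN and WAN segments carrying these advertisements should not
admit untrusted hosts.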


* Tip Of The Month: Changing Default Web GUI Administration Port *

In Mettle SE the webGUI uses HTTPS by default on port 443. If you create a port forward on
the same WAN IP address that your Mettle SE uses, for instance to publish an internal HTTPS
server on port 443, the forward and the webGUI compete for the same port, so you must move
the webGUI from 443 to another port. Changing the port is easy; just follow the steps
below.

1) Go to System --> General
2) On that page, scroll down to "webGUI Protocol". The default is HTTPS. You can select
HTTP, but for security reasons leave it as HTTPS
3) The next item is "webGUI port". It is blank when the default port 443 is in use; to
change it, enter the port number of your choice
4) Scroll down and click Save

From then on, whether you access the webGUI over a WAN link or from the LAN, append the
port number to the address, for example https://192.168.1.1:2222 if the port you chose was
2222. Use a port number above 1024 and avoid well-known ports. Bear in mind that a
different port does not hide the webGUI from a port scan: restrict access to it with
firewall rules to the management hosts you trust, and avoid exposing it on the WAN
interface at all unless you must.

KB article: http://kb.mettle.in/entry/42/
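As an added check (example code, not part of Mettle SE), the Python below takes a list of
port-forward rules in a constructed (interface, protocol, ports, target) form and reports
whether a candidate webGUI port is well-known or collides with a TCP forward on the WAN
address, then finds the first port that passes. The rule format and the rules themselves
are assumptions made for the example.

```python
import re

WELL_KNOWN_MAX = 1023          # IANA system ports 0-1023; the tip says stay above 1024
PORT_RE = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_port_range(spec):
    """'443' -> (443, 443); '8000-8100' -> (8000, 8100)."""
    m = PORT_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad port specification {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2) or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {spec!r}")
    return lo, hi


def wan_tcp_forwards(rules):
    """Keep only the forwards that can collide with an HTTPS listener on the
    WAN address: TCP (or TCP/UDP) rules on the WAN interface.
    Each rule is an assumed (interface, protocol, ports, target) tuple."""
    out = []
    for iface, proto, ports, target in rules:
        if iface.upper() == "WAN" and proto.upper() in ("TCP", "TCP/UDP"):
            out.append((parse_port_range(ports), target))
    return out


def check_admin_port(port, rules):
    """Problems with using `port` for the webGUI; an empty list means usable."""
    problems = []
    if port <= WELL_KNOWN_MAX:
        problems.append(f"{port} is a well-known port")
    for (lo, hi), target in wan_tcp_forwards(rules):
        if lo <= port <= hi:
            problems.append(f"{port} collides with WAN forward {lo}-{hi} -> {target}")
    return problems


def first_free_port(rules, start=2000, end=65535):
    """First port at or after `start` that passes check_admin_port."""
    for port in range(start, end + 1):
        if not check_admin_port(port, rules):
            return port
    return None


# Constructed example rule table (not a real configuration)
EXAMPLE_RULES = [
    ("WAN", "TCP", "443", "192.168.1.10:443"),
    ("WAN", "TCP", "8000-8100", "192.168.1.20:80"),
    ("WAN", "UDP", "2222", "192.168.1.30:2222"),   # UDP cannot collide with HTTPS
    ("LAN", "TCP", "2222", "192.168.1.40:22"),     # not on the WAN address
]

if __name__ == "__main__":
    for candidate in (443, 2222, 8050):
        print(candidate, check_admin_port(candidate, EXAMPLE_RULES) or "ok")
    print("first free port from 8000:", first_free_port(EXAMPLE_RULES, start=8000))
```

Run it again whenever a forward is added: a later forward that covers the webGUI port
silently takes the administrative interface with it.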


* Case Study: Mettle SE at the Indian Subsidiary of US based Asset Management Company *

Vertical: Financial Service
Geography: Trivandrum, India

Our client is the Indian subsidiary of a US-based asset management company with two
campuses in Trivandrum, a couple of kilometres apart.

Founded in 1999, the company began with an idea that would revolutionise the services that
financial advisers provide to their clients. Today its capabilities are unparalleled,
merging the expertise of top investment managers, a broad range of fee-based investment
products and an array of enhanced financial technology. Over the years it has grown into
one of the largest providers of wealth management solutions to independent financial
advisers in the industry, with more than 400 employees at its Chicago headquarters and
offices across the US and in Trivandrum, India.

Both Trivandrum offices have their own WAN links: Campus A has two and Campus B has one.
The two campuses are connected by three redundant fibre-optic links. Both sites needed
their local networks secured, authenticated Internet access for employees, and monitoring
of Internet content. At Campus A the two ISP links had to be aggregated and load-balanced
for better throughput. Campus B has only one WAN link, so an alternative had to be devised
to keep Internet connectivity alive if that link goes down.

Our client chose Mettle SE as the 'silver bullet' for all these challenges. At Campus A
two Mettle SE devices are deployed as an active failover stack for high availability; at
Campus B a single Mettle SE 2400 is deployed. The solutions fall into these categories:

* Multiple ISP bandwidth aggregation
* Failover loadbalancing with routing
* Firewall
* Gateway antivirus
* Content scanning
* Authenticated Internet access and Active Directory Integration

1) Multiple ISP bandwidth aggregation

Two ISPs provide Internet connectivity to the company. Campus A has two Internet links
from two ISPs and Campus B has a single ISP link. At Campus A Mettle SE handles the
bandwidth aggregation and load balancing of the WAN links. Campus A has 2+2 Mbps of
aggregated bandwidth and Campus B has 2 Mbps. Approximately 200 users across the two
campuses share the 6 Mbps total.

2) Failover Loadbalancing with routing

At Campus A the two ISP links, 2 Mbps each, terminate on Mettle SE. The links are
aggregated and load-balanced to give users 4 Mbps of throughput. If one WAN link fails,
Internet traffic is diverted to the remaining link automatically.

Campus B is served by a single 2 Mbps WAN link. Even with a single ISP, active failover is
implemented at Campus B in an innovative way: when the Mettle SE at Campus B detects that
its WAN link is down, it routes Internet traffic over the fibre-optic link to the Mettle SE
at Campus A, which forwards it through its load-balanced WAN links. Users at Campus B thus
keep their Internet access, although Campus A's 4 Mbps then carries both campuses, so the
failover preserves connectivity rather than throughput.
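The failover behaviour described for both campuses can be illustrated with an added Python
example (not Mettle SE's code): a gateway monitor with hysteresis so that a single lost
probe does not flap the route, a selector that falls back to the inter-campus fibre only
when no WAN link is healthy, and per-flow gateway choice so that every packet of a
connection leaves over the same link and source NAT address. Probe thresholds, names and
the probe timeline are assumptions constructed for the example.

```python
import zlib


class GatewayMonitor:
    """Health state of one upstream gateway, derived from probe results.

    Hysteresis (several consecutive losses to go down, several consecutive
    successes to come back) keeps one lost probe from flapping the route.
    The thresholds are assumptions; the appliance's own values are not given.
    """

    def __init__(self, name, down_after=3, up_after=3):
        self.name = name
        self.up = True
        self.down_after = down_after
        self.up_after = up_after
        self.fail_streak = 0
        self.ok_streak = 0

    def record(self, probe_ok):
        """Feed one probe result (True = reply received) and return the new state."""
        if probe_ok:
            self.fail_streak = 0
            self.ok_streak += 1
            if not self.up and self.ok_streak >= self.up_after:
                self.up = True
        else:
            self.ok_streak = 0
            self.fail_streak += 1
            if self.up and self.fail_streak >= self.down_after:
                self.up = False
        return self.up


def active_gateways(pool, fallback=()):
    """Names of the healthy members of the primary pool (Campus A: both ISP
    links); if none is healthy, the healthy fallbacks (Campus B: the fibre
    link to Campus A)."""
    live = [g.name for g in pool if g.up]
    if not live:
        live = [g.name for g in fallback if g.up]
    return live


def gateway_for_flow(gateways, flow):
    """Per-flow load balancing: a hash of the 5-tuple picks the gateway, so
    all packets of one connection leave via the same link and therefore the
    same NAT address. zlib.crc32 is used because Python's hash() is
    randomised per process and would not be stable across restarts."""
    if not gateways:
        return None
    key = "|".join(str(part) for part in flow).encode()
    return gateways[zlib.crc32(key) % len(gateways)]


def campus_b_timeline():
    """Constructed probe timeline for Campus B: the WAN link dies, traffic
    moves to the fibre link towards Campus A, then the WAN link recovers."""
    wan = GatewayMonitor("WAN_B")
    fibre = GatewayMonitor("FIBRE_TO_CAMPUS_A")
    probes = [True, True, False, False, False, False, True, True, True]
    chosen = []
    for ok in probes:
        wan.record(ok)
        fibre.record(True)          # the fibre link stays healthy throughout
        chosen.append(active_gateways([wan], fallback=[fibre])[0])
    return chosen


if __name__ == "__main__":
    print(campus_b_timeline())
    isp1, isp2 = GatewayMonitor("ISP1"), GatewayMonitor("ISP2")
    flow = ("10.0.0.5", 51000, "198.51.100.7", 443, "tcp")   # constructed 5-tuple
    print(gateway_for_flow(active_gateways([isp1, isp2]), flow))
```

Per-flow stickiness matters beyond performance: the two ISP links have different public
addresses, and a TCP connection whose packets alternate between them breaks at the far
end, so the balancer decides per connection, not per packet.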

3) Mettle Secure: Firewall, Gateway Antivirus and Content Scanning

One of the prime reasons the client chose our product was to secure their network. Mettle
SE protects hosts on the local network from the Internet with three security services:
firewall, gateway antivirus and content scanning.

At both campuses the Mettle SE firewall secures the LAN by blocking unauthorised networks
and hosts from reaching the local network. Hosts on the local network are also denied
direct access to the Internet and must use the proxy service, so every outbound web
request passes through a point where policy can be applied.

The gateway antivirus engine in Mettle SE keeps its virus signatures up to date, so worms,
viruses and other malicious code arriving from the Internet are caught at the gateway
before they reach the hosts on the LAN. Current definitions greatly reduce the chance of a
known virus or worm sneaking past Mettle SE, and with it a large part of the risk of
infections on the LAN.

Routing all web traffic from the hosts to the Internet via a proxy has its advantages. An
organisation wants its employees to use the Internet according to its acceptable use
policy (AUP), and Mettle SE's proxy and content scanning engines help the system
administrator enforce it. The policy is enforced where the WAN links terminate, which
ensures that unwanted content never reaches the LAN. Content scanning together with
authenticated Internet access, explained in the next section, is a powerful tool for
keeping watch over Internet usage and making sure users adhere to the AUP.

4) Authenticated Internet Access and Active Directory Integration

Authenticated Internet access is a Mettle SE service, backed by Active Directory, that
grants Internet access only to authorised users. The Mettle SE at each campus contacts the
Windows 2003 domain controllers at that campus. When a user tries to open a website, a
window pops up asking him to log in; Mettle SE passes the credentials to the domain
controller for verification and grants access only if the domain controller authenticates
the user.

A group policy in Active Directory forces the Mettle SE address as the proxy server on all
desktop machines. Each desktop receives the proxy setting through Group Policy, prompts for
the user's credentials and sends its requests to the Mettle SE proxy. The default gateway
of all desktops is also Mettle SE, where traffic to the Internet is controlled according to
policy.

Our client is completely satisfied with the Mettle SE based solution. We are proud to quote
Mr Jayagopan's comment on Mettle SE.

"You don't need to add n number of modules, you don't need to buy and configure n number
of devices. You don't need to make your network more complex with cables and boxes. You
just get this, configure whatever you want in easy steps, you have everything you need in
the box right in front of you!"

Jayagopan Gopinathan
Technical Lead of Systems
Envestnet Asset Management India Pvt. Ltd.



--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.


"Mettle News" is a monthly email newsletter covering new developments in
Mettle(tm) brand of products, case studies, technology updates and a lot of tips
to get your job done faster.
