Cyber resilience, also known as operational resilience, refers to the ability of your network to recover rapidly and continue operating even when disaster strikes. The disaster could be anything from an extended power outage
Your network firewall is a critical place to implement cyber resilience. You can do so with five strategies that help you stay up and running through what otherwise would result in an operational death knell, including a full compromise.
- Active-active clustering
Keeping your headquarters site and VPN connectivity available is critical for business continuity, and part of this high-availability strategy is the concept of active-active clustering. Active-active clustering means all your nodes are active, giving them the power to swiftly pick up the slack in the event of another node's failure. Using active-active clustering ensures flexible site protection, with equally flexible options of using multiple active nodes per cluster. Furthermore, it lets you upgrade and downgrade code and update software at any time without losing connectivity. This mode of operation allows you to optimize total throughput of your firewalls and frees you from having to rely on a single firewall in the event of a critical failure.
- Stateful failover
When traffic breaks or any disturbance hits your system, you'll also be hit with dissatisfied customers and the potential for increased churn. Stateful failover is a solution for avoiding both. This strategy records the sessions of a main device on a backup device that immediately kicks in if the main device goes down. Sessions remain uninterrupted, customers remain happy and unaware of any loss of connectivity, and the possibility of churn gets kicked to the curb. Stateful failover is a must in the event of a node or link failover and can also serve you well during software upgrades where time and windows of time are critical.
- Multiple Internet links
If you rely on a single connection to the Internet, you're stuck with a single point of failure if the connection goes down. Incorporating the use of multiple Internet links in your firewall is less costly than leased lines or multiprotocol label switching (MPLS) and ensures Internet high availability if one or more network connections fail. The multiple links should span across multiple ISPs or locations, embrace load balancing over the links and support a mix of connectivity methods, including asymmetrical digital subscriber line, mobile, MPLS and IP.
- Management system high availability
Your cyber resilience strategy needs to protect your ability to manage, which you can accomplish with management system high availability. A firewall that safeguards your management system is one that gives your administrators constant, non-delayed network control for configuration views and changes as well as better situational awareness for more agile incident response. Your network security elements remain accessible, manageable and, as a bonus, you don't lose any configuration data if your management server goes down. An additional benefit is the ability to not only protect your management system and secure access to it but also protect your log servers to ensure that network time protocol sync is consistent for incident investigation.
- Server load balancing
Balancing your server load means you'll never have to risk business discontinuity due to a high-load Web server that decides it just can’t handle its incoming requests--including those that could be made by machine or bot. By deploying a firewall featuring built-in load balancing, you'll automatically have the load distributed across two or more servers. This lets business-critical services remain available while operational and maintenance costs remain low as a result of eliminating the need for a separate third-party server load-balancing solution.
About the author:
Uy Huynh is worldwide senior director of field engineering for emerging technologies at McAfee Inc.
This was first published in January 2014