Companies like Australian online betting firm Sportsbet.com.au need network security hardware and software that can scale fast. After all, Sportsbet handles peaks of hundreds of thousands of unique online customers daily. To secure that volume of traffic, Sportsbet uses carrier-grade network security hardware from Crossbeam Systems that hosts a range of third-party security software. Crossbeam’s X-Series chassis are modular devices that allow customers to scale capacity by adding blades: Control Process Modules (CPM) for overall chassis system management; Network Processor Modules (NPMs) for switching and load balancing; and Application Processor Modules (APMs) for the processing power that runs the security applications. SearchNetworking.com asked Sportsbet’s IT security manager Gonzalo Ernst to talk about his Crossbeam deployment.
SearchNetworking: Could you describe the network that you are securing with Crossbeam’s network security hardware?
Gonzalo Ernst: We currently use Crossbeam to secure our web infrastructure in our main data center based in Darwin and our DR [disaster recovery] site. We have over 100 switches and other network devices, such as load balancers and WAN Accelerators. Sportsbet is a growing company of more than 350 staff. We are one of the largest online bookies in Australia, and during peak days we can expect the number of unique customers to be in the hundreds of thousands.
SN: What sorts of traffic patterns do you deal with? Do you deal with peak loads that test limits of your network security hardware?
GE: Wednesdays and Saturdays are generally the busiest days due to horse racing events, but by far our busiest peak day is Melbourne Cup day (the first Tuesday of November). During Melbourne Cup day we see 10 times more traffic load than the busiest Saturday of the year and twice as busy as the second busiest day of the year, Caulfield Cup day. During the Spring Carnival period we experience several high traffic days, but Melbourne Cup is the day we plan for all year. Our environment is built to cope with traffic loads around this one day of the year, while for most of the year outside of Spring Carnival we would generally run at 5-10% capacity. What is amazing to watch is that the highest peak of the year occurs just before the Melbourne Cup race itself, but when the race is running we experience the least amount of traffic, less than we would see on a Sunday night. However, soon after the race is over the traffic load jumps straight back up to yearly peaks as people check the results. Melbourne Cup is truly “the race that stops a nation.”
SN: What specific Crossbeam network security hardware products have you installed in your network? Please describe the configuration. How many blades are you running in each chassis?
GE: We started our relationship with Crossbeam C12 appliances back in 2007. Due to the growth of our business we found the X-Series to be a perfect fit for our increasing traffic requirements. We can easily increase the number of firewall blades as required and can run extra blades for Spring Carnival period when required. We have full redundancy in the production chassis with 4 power supplies, 2 CPM blades, 2 NPM blades and a minimum of 2 APM blades per firewall. We run a multi-tier firewall architecture. We have a fully redundant X80 appliance in production, a spare X80 chassis with spare blades in Darwin. Due to the remote location of Darwin, we have decided to self-spare in the case of any component failure. For us business availability is critical. In DR we have an X45 blade chassis with a similar configuration.
SN: What third-party software do you run on your Crossbeam network security hardware?
GE: We primarily run Check Point products but have since added Imperva WAF [Web Application Firewall]. Imperva was introduced to add an additional level of protection against DDoS attacks and for its unique database firewall and monitoring capabilities.
SN: What drove your decision to invest in Crossbeam network security hardware rather than relying on commodity servers or vendor appliances? Was network security a bottleneck for you? Were standalone appliances too complex?
GE: The amount of traffic we experience during the busy periods requires a high performance and scalable infrastructure. We need a firewall that can handle 1 Gbps traffic with more than 500,000 active connections as well as allow us to cope with traffic growth in the future. In addition, we need an environment that can handle DDoS attacks should they occur. Standalone appliances are fine and we use them in our corporate office. While standalone appliance performance is continually improving, they do not allow as much flexibility for growth. We can’t simply add an extra APM module to handle more traffic load and the redundancy is not always as quick to failover as in the X-Series Chassis. What is great about the Crossbeam X-Series as well is that moving application blades or failing over network ports is instant with no traffic drop. I can perform certain blade maintenance and upgrades with no downtime.
SN: How has your network security operation changed since you started using Crossbeam network security hardware?
GE: Had we not moved to the X-Series blades, we would not have coped with Melbourne Cup level of traffic of the last two years. But what has impressed me most with Crossbeam is how well their products work. Once configured, everything works as expected with no surprises. We have not had any unexpected outages or service impacting bugs as yet, and where we had to move or relocate certain components like taking down an application blade, we were able to do so with no downtime. Every upgrade performed has been smooth and gone through without any problems. This has not been my experience in the past with competitive high speed firewalls. Nortel Alteon Switched Firewalls come to mind where upgrades would sometimes need to be applied two or three times before it worked and some level of luck was involved in each upgrade. With Crossbeam I have confidence that upgrades and changes always work as expected.
SN: What kinds of lessons have you learned since you installed Crossbeam? Have there been any surprises?
GE: The blade architecture requires some thinking, but once the concept is understood it makes perfect sense. I was surprised by the speed of failover and how well the active/active state synchronization works, not resulting in traffic disruptions when moving blades or doing maintenance.
SN: Do you anticipate that your network security requirements will outgrow your current Crossbeam installation? How have you planned for that?
GE: We still have plenty of room for growth and we expect that the current chassis will last another two to three years. However, we may purchase additional application blades and maybe even 10GbE network blades to cope with increase in traffic. Beyond this it is hard to say; it depends on traffic loads, but we also have the option to scale horizontally and add another chassis.
Let us know what you think about the story; email: Shamus McGillicuddy, News Director