What is redundant Internet access?
What is multihoming?
How do you multihome without BGP?
What types of businesses need more than one ISP?
What is the impact of ISP outages on small and medium-sized
enterprises?
What are bandwidth guarantees, and what types of applications
need them?
What are T1 and T3 lines?
What are low-cost lines?
What is intelligent traffic management/load balancing?
What is bandwidth aggregation, and how does PowerLink™
handle it?
What is failover?
Why are both inbound and outbound (bi-directional) load balancing
and failover important?
What is QoS?
What is stateful traffic failover?
What is point-to-point channel bonding?
What are DoS and DDoS protection?
How does DNS work?
What is VoIP Failover?
How does SonicWall work with PowerLink™?
How does Cisco PIX with VPN failover work
with PowerLink™?
How does Watchguard for VPN failover work with
PowerLink™?
What's the difference between
PowerLink™ and Radware?
What's the difference between PowerLink™
and FatPipe?
What is redundant Internet access?
Using more than one ISP or WAN link to ensure that if one link fails, a separate
working link is available to send and receive Internet traffic. Many businesses
use three or more redundant Internet links to ensure that important
Internet-based business applications aren't shut down by a 'single
point of failure'. Using redundant Internet links, including DSL backup, requires the ability to
switch traffic among multiple Internet link connections through a technique
called multihoming.
What is multihoming?
Having multiple connections to the Internet via multiple providers to provide
a reliable and high throughput service. Multihomed networks are increasingly
popular because they provide networks with better reliability and performance
to the end-user. Better reliability results from the fact that the network
is protected in case one of the Internet links or access routers fails. If a
connection with one ISP is lost or degraded, companies can automatically
redirect traffic to links that are still functioning. When more bandwidth is
required, companies just add more links. There are up to five ways to multihome,
but the two most common are:
- Using multiple links with a single IP address. This requires the use of
multiple routers and a protocol called the Border Gateway Protocol (BGP). With
this type of multihoming, the end-site announces this address space to its
upstream links. When one of the links fails, the protocol notices this on both
sides and traffic is no longer sent over the failing link. Because of
the complexity of the technique, it can take as long as 30 minutes to redirect
traffic to a functioning link. Usually this method is used to multihome a
single site and not for single hosts.
- Using multiple links, multiple IP addresses. This method uses a specialized
Link Load Balancer appliance (like PowerLink™) between the firewall and the
link routers. No special configuration is required in the ISP's routers. Using
a load balancer appliance (also referred to as a "network load balancer" or
"Internet load balancer") allows businesses to use all the links at the same
time to increase the total available bandwidth (bandwidth aggregation) and
detects link saturation and failures in real time to redirect traffic.
Algorithms allow traffic management. Incoming balancing is usually performed
with real time DNS (Domain Name System) resolution.
How does PowerLink™ multihome without BGP?
ISPs and large enterprises have multihomed for years using BGP to connect to
multiple Internet backbones. But BGP has many restrictions. For one, it requires
that ISPs cooperate with each other and set up "peering" agreements
between routers, but because of the performance impact to their networks, many
are not willing to do so. BGP also requires expensive routers, designated
address blocks and an Address Space Number (ASN), which are sometimes not
available to small businesses. And BGP requires that gateway hosts exchange
dynamic routing tables, which must be constantly synchronized and which can
lead to delays of up to 30 minutes in changing the direction traffic is sent.
Load balancing and failover appliances like PowerLink multihome by using
Network Address Translation (NAT) to unify traffic coming from and going to
different destination IP addresses on the Internet. The Pro100 will be
configured with at least one routable IP address for each router/WAN link that
it is connected to on the network.
The biggest benefit of PowerLink
multihoming resides in the Pro100's ability to achieve outgoing and
incoming load balancing and failover without defining BGP routing tables or
utilizing any of the underlying complicated routing techniques. This ability
to offer this functionality without the expensive or complicated networks/
equipment necessary to achieve BGP is what makes the Pro100 such an
exceptional value, especially for small and medium sized organizations.
For more information, see our white paper on
multihoming without BGP
What types of businesses need more than one ISP?
Typically any business, regardless of size, that has important internal and customer applications on the Internet should be protected with VPN failover. Internal applications could be hosted ERP and other enterprise applications that employees depend on to do their work; those employees would be idled by an ISP failure. VPN and VoIP are other applications that would fail if a sole ISP carrier failed. Customer applications can include customer service applications, order entry applications and others that have become integral to daily business operations.
What is the impact of ISP outages on small and
medium-sized enterprises?
The average annual outage for T1 connections in North America is in excess of 8 hours. Outages for DSL, cable and wireless connections are significantly higher. During these outages organizations will suffer from lost business, lost revenue, lost employee productivity and lost credibility with customers, partners and employees. Typically these losses cumulatively are in the thousands of dollars per hour, making cable and DSL backup critical.
What are bandwidth guarantees, and what types of applications
need them?
Bandwidth guarantees (also known as Quality of Service [QoS] rules or traffic shaping rules) are techniques to provide a minimum amount of bandwidth to certain types of applications or Internet traffic to guarantee high availability. Less bandwidth may thus be available to less critical traffic, such as email or employee web browsing. (Indeed, these applications can be assigned low bandwidth to discourage use.) WAN load balancing and failover appliances can be configured to aggregate and "traffic manage" Internet applications so that high priority applications are always guaranteed the bandwidth they need.
Types of applications that may require minimum bandwidth include VPN, VoIP, order entry and credit card processing applications and others whose disruption can have heavy operational or financial impacts.
For more information on bandwidth aggregation and VPN failover, see our
white paper on
Bandwidth Management-QoS
What's the difference between Internet load-balancing/failover
appliances and dual WAN routers?
Dual WAN routers use simple policy to 'route outbound-only traffic' over one of two lines. There is no intelligence in the technique and no method to avoid or minimize congestion. In fact, the rigid nature of the technique frequently adds to congestion problems. Again, dual WAN routers do nothing in terms of load balancing and failover for inbound traffic. PowerLink Internet load balancer appliances are hardened devices that sit between firewalls and LANs and use a simplified and more up-to-date architecture based on Network Address Translation (NAT) and Dynamic Domain Names Service (DNS). They are designed for small and medium enterprises who can't afford the expense and overhead of multiple Cisco (or other) routers, and the heavy demands placed on them by ISPs for using BGP.
For more information, see our
PowerLink Pro100 Technical Brief
What are T1 and T3 lines?
"T" lines are high capacity Internet connections leased from ISPs and other service providers to businesses who need high capacity, high availability Internet connections. However, scalability and excess capacity are issues with T line users, since a business may need more capacity than a single T line provides but much less than two lines provide. When such businesses need more bandwidth, an ISP may require them to lease a second line, leading to wasteful spending on unneeded capacity. Bandwidth aggregation provides a far more cost-effective solution. The average downtime in North America for T1 circuits is eight hours a year.
What are low-cost lines?
These are lines typically used between home consumers or small businesses and ISPs, including xDSL, wireless, fractional T1, cable and ISDN. These lines are considerably less expensive than T1 and T3 lines, but lack the capacity and reliability of expensive leased lines. Internet load balancing and failover appliances, however, allow businesses to use any high cost or low cost links, so incrementally adding capacity is relatively easy and inexpensive. A business that needs more capacity than a single T1 line, but less than a T3 provides, can add xDSL or cable lines to meet its need and be assured that the appliance will aggregate traffic from all links to provide one high capacity line and automatically direct it where needed.
What is intelligent traffic management/load balancing?
Intelligent management is the process of measuring and controlling the communications (traffic, packets) on LANs and WANs to avoid filling links to capacity or overfilling, which would result in network congestion and poor performance. Load balancing using a network load balancer appliance redirects traffic from links that are congested or down to functioning links with the required capacity.
For more information, see
WAN Traffic Management with PowerLink Pro
What is bandwidth aggregation, and how does PowerLink™
handle it?
This aggregates multiple Internet access lines to achieve a virtual single high bandwidth line to the LAN. This avoids the high expense and single point of failure of having to jump to the next higher available single line access technology. For example, if you have a T1 line now and need additional bandwidth, you would typically have to migrate to a T3 line. This would take you from your current 1.5 Mbps to 45 Mbps. This is probably significantly more bandwidth than required and is a dramatic increase in cost. With the PowerLink Pro™, this same scenario can be accomplished with two 768 kbps DSL lines that can be combined for a total aggregated bandwidth equivalent to a T1 at a fraction of the cost. With the Pro100 you could simply add additional lower speed lines, i.e. xDSL, cable or wireless etc., having a relatively small increase in cost and more closely matching your needs. In addition to getting more cost-effective bandwidth, you are also dramatically increasing the reliability of your connection due to the new levels of redundancy in your aggregated Internet connection. The Pro100 is independent of the WAN technologies and is fully compatible with xDSL, cable, wireless, T1/E1, T3/E3, satellite, fiber channel, Frame Relay, etc. (You can mix and match). The total bandwidth aggregation capacity of the Pro100 allows for up to 150 Mbps (full duplex) and will accept up to 32 different WAN connections. Further, the Pro100 has the ability to host over 500 domain names with up to 128 hosts per domain name.
With PowerLink, outgoing bandwidth aggregation is offered at the TCP/UDP session layer. The user defines weights for the WAN links based on the bandwidth of the link. When a session is generated from the LAN the Pro100 computes which link has the most available bandwidth and routes traffic from that session over that particular WAN link. The Pro100 allows selection of 2 load balancing algorithms: (1) symmetrical round robin or (2) intelligent (weighted) load balancing. The symmetrical round robin will route sessions to all links in a round robin manner. The intelligent load balancing will compute a ratio between the weight (bandwidth capacity) of the different lines and route sessions accordingly. That is, the faster the link the more sessions that will be sent over that link to make the most efficient use of all the bandwidth available. Incoming bandwidth aggregation is accomplished by the Pro100 being the authoritative DNS server for the domain. The Pro100 advertises all available WAN lines to the cache servers which in turn resolve the domain names to queries in a round robin format. In this manner, all externally initiated sessions are load balanced over all available links. Since the Pro100 is resident at the domain site and is able to directly monitor the link status, failed links are removed from the DNS tables immediately on failure. By setting the host name record Time to Live (TTL) to a short period, the caching servers will flush their address tables and will update them from the Pro100 regularly and thus be informed when a link fails.
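The behaviour described above can be modelled in a few lines; the following is an added illustration, not PowerLink code. The class names, the "fewest sessions per unit of weight" selection rule, the link weights and the documentation-range addresses are all assumptions made for the example.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass
class WanLink:
    name: str
    public_ip: str     # constructed address from a documentation range
    weight: int        # user-defined weight, here link bandwidth in kbps
    up: bool = True
    sessions: int = 0  # sessions assigned to this link so far

class LinkBalancer:
    def __init__(self, links, ttl=30):
        self.links, self.ttl, self._turn = list(links), ttl, 0

    def _live(self):
        live = [lk for lk in self.links if lk.up]
        if not live:
            raise RuntimeError("all WAN links are down")
        return live

    def pick_round_robin(self):
        live = self._live()
        link = live[self._turn % len(live)]
        self._turn += 1
        link.sessions += 1
        return link

    def pick_weighted(self):
        # Assumed rule: fewest sessions per unit of weight; ties to faster link.
        link = min(self._live(),
                   key=lambda lk: (Fraction(lk.sessions, lk.weight), -lk.weight))
        link.sessions += 1
        return link

    def dns_answer(self):
        # Authoritative answer: one A record per healthy link, short TTL.
        return [(lk.public_ip, self.ttl) for lk in self._live()]

class CachingResolver:  # remote cache server that honours the record TTL
    def __init__(self, balancer):
        self.balancer, self.cached, self.expires = balancer, [], 0
    def resolve(self, now):
        if now >= self.expires:
            self.cached = [ip for ip, _ in self.balancer.dns_answer()]
            self.expires = now + self.balancer.ttl
        return self.cached

def demo():
    t1 = WanLink("t1", "192.0.2.10", 1536)
    dsl = WanLink("dsl", "198.51.100.10", 768)
    lb = LinkBalancer([t1, dsl], ttl=30)
    for _ in range(300):
        lb.pick_weighted()
    split = (t1.sessions, dsl.sessions)   # follows the 2:1 weights
    resolver = CachingResolver(lb)
    before = resolver.resolve(now=0)
    dsl.up = False                        # DSL link fails
    stale = resolver.resolve(now=10)      # cache still lists the dead address
    fresh = resolver.resolve(now=30)      # TTL expired: only the T1 remains
    outbound = {lb.pick_weighted().name for _ in range(10)}
    return split, before, stale, fresh, outbound

if __name__ == "__main__":
    print(demo())
```

Outbound sessions leave the failed link as soon as it is marked down, but inbound clients behind a caching resolver can keep receiving the failed address until the record's TTL expires, which is why the TTL sets the upper bound on the inbound failover window.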
For more information, see
WAN Traffic Management with PowerLink Pro
What is failover?
When one WAN link (Internet connection) fails, traffic is redirected from that link to a functioning link. In most cases, PowerLink does this instantly and Internet users notice no impact or delays.
For more information, see our white paper on
Site Redundancy and Failover Strategies
Why are both inbound and outbound (bi-directional) load balancing
and failover important?
Inbound load balancing prevents congestion and slowdowns from affecting your incoming customers and partners when using your LAN hosted services. Inbound failover allows for these groups to always be able to connect with their services (web services, mail, ftp, ERP, etc.) regardless of fluctuations or outages being experienced by your ISP. Outbound load balancing and failover allows for those employees/users on your LAN to always be able to reach Internet hosted resources with the maximum amount of bandwidth and capacity.
What is QoS?
Quality of Service, or QoS, in the simplest terms, is prioritizing network traffic to satisfy user application requirements. QoS is the ability to provide consistent, predictable data, voice, and video service delivery.
PowerLink™ users can set up QoS rules which determine bandwidth minimums and maximums for specific applications based on protocol type, source port used, destination port used, and source IPs used, and/or any combination of these. The PowerLink QoS feature set can allow you to get very granular and can be customized to achieve most traffic shaping goals, in turn guaranteeing bandwidth to those applications whose smooth operation is critical to the success of the enterprise, regardless of traffic congestion on the network.
For more information, see our white paper on
PowerLink Bandwidth Management-QoS
What is stateful traffic failover?
The ability of traffic to automatically move from one WAN/ISP connection to another without any loss of service.
What is point-to-point channel bonding?
Virtual bonding of the bandwidth of multiple WAN links from disparate ISPs via load balancing between two IP points. This bonding allows for all traffic destined between these two points to use all the bandwidth available in the bonded channel (high capacity) and to perform stateful traffic failover.
What are DoS and DDoS protection?
A denial-of-service attack (DoS attack) is an attempt to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. A distributed denial-of-service attack (DDoS) occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually one or more web servers. PowerLink implements sophisticated anti-DoS and DDoS mechanisms for DDoS protection. These features allow for the prevention and blocking of a wide variety of denial-of-service attacks, including basic and distributed attacks. Other features include support for anti flood ping, ping of death and spoofing.
How does DNS work?
On the Internet, the Domain Name System (DNS) stores and associates many types
of information with domain names; most importantly, it translates domain names
(computer hostnames) to IP addresses. It also lists mail exchange servers
accepting e-mail for each domain. In providing a worldwide keyword-based
redirection service, DNS is an essential component of contemporary Internet use.
For more information, see our white paper on
how DNS works
What is VoIP Failover?
Since VoIP traffic is encapsulated in a VPN tunnel, VoIP failover is accomplished by VPN tunnel failover. Should the WAN link carrying the tunnel fail, PowerLink Pro will remove the failed link and direct the firewall/VPN server to a healthy link so it can re-establish the tunnel (VPN failover). The mechanism used for tunnel failover is dependent on the firewall/VPN server used. For example, SonicWall and Watchguard use DNS hostnames for tunnel identification while Cisco uses an IP peering technique.
How does SonicWall work with PowerLink™?
The PowerLink Pro 100 is a hardened network appliance designed as a total upstream-downstream WAN IP traffic aggregation and TCP/IP fail-over solution. The SonicWall Pro 3060 is a firewall Unified Threat Management (UTM) device that filters content coming into your network and protects it against viruses and spam attacks. The PowerLink was designed specifically to work in concert with this type of a device and adds to the security and robust traffic management solution that many small and medium size companies need.
For more information, see our white paper on
SonicWall for VPN Failover
How does Cisco PIX with VPN failover work with
PowerLink™?
VPNs have traditionally not been built to provide fault tolerance if a VPN link or gateway fails. To counter this, PowerLink has been designed to support multiple Internet connections and multihome them to a single LAN in order to achieve high availability and to ensure access to a specific network. Cisco also supports this concept by use of multiple peers in their VPN security policies within their PIX line of products. By utilizing both these technologies together, network designers can now create VPN networks with automatic ISP/VPN tunnel failover capabilities simply and more affordably than ever, adding significantly to their network's levels of security and reliability for VPN traffic (VPN failover). In contrast, a more complicated and costly design would be to purchase and activate devices with BGP (Border Gateway Protocol) support.
For more information, see our white paper on
Cisco PIX for VPN Failover.
How does Watchguard for VPN failover
work with PowerLink™?
In order to maintain high availability and to ensure access to a specific network, Watchguard has implemented support for assigning DNS (Domain Name Service) names in a VPN security policy.
Incorporating the PowerLink as the DNS Authoritative Server, you can achieve automatic fail-over of the VPN tunnel on failure of a WAN link. Since the PowerLink resides at the customer site, it immediately detects a WAN link or ISP failure and is able to remove that IP address from the Domain and advertise only the operational links. This results in the VPN server re-establishing the tunnel over the second link.
By utilizing the combination of the PowerLink and Domain Names in the Watchguard, network designers can now create VPN networks with fail-over (ISP fail-over) capabilities. A more complicated and costly design technique would be to purchase and activate devices with BGP (Border Gateway Protocol) support. Other design techniques call for more expensive switching technologies and Load Balancing devices that are normally cost prohibitive for most companies.
For more information, see our white paper on
Watchguard for VPN Failover.
What's the difference between PowerLink™
and Radware?
The PowerLink Pro-100 is a hardened network appliance designed as a total upstream-downstream WAN IP traffic aggregation and TCP/IP failover solution. It is a very flexible and robust solution for small and medium-sized companies. Radware's LinkProof LT is a WAN traffic management device with less capable load balancing and failover features and a price tag that can be two to four times as high. The PowerLink outperforms LinkProof LT in several key areas.
- The Pro100 offers over 100 Mbps of combined bandwidth aggregation versus eight Mbps for the LinkProof LT.
- The Pro100 supports all types of Ethernet WAN technologies. The LinkProof LT supports only T1, DSL and cable connections.
For more information, see this
product comparison.
What's the difference between PowerLink™
and FatPipe?
The PowerLink Pro100 is a hardened network appliance designed as a total upstream-downstream WAN IP traffic aggregation and TCP/IP failover solution. It is a very flexible and robust solution for small and medium-sized companies. The FatPipe Warp is a PC platform-based redundancy and traffic aggregation device more focused on the enterprise arena. In terms of multi-homing traffic aggregation, load balancing and failover, the PowerLink Pro100 outperforms the FatPipe Warp in several key areas (see the chart for a full comparison):
- The FatPipe Warp supports up to 3 outside WAN channels (limited to more expensive connections) while the PowerLink Pro100 supports up to 15 connections of any type.
- The PowerLink Pro100 provides an elegant VPN failover and redundancy solution. The FatPipe Warp doesn't.
- PowerLink prices range from $1,300 to $4,000. FatPipe prices begin at $4,000 and run well over $20,000.
For more information, see this
product comparison.