Our next application of Layer 7 server load balancing is somewhat subtler than those we saw previously. Some protocols are more complex than a single TCP connection from the client to the server and require multiple interoperating, bidirectional TCP connections to operate correctly. One good example of such an Application layer protocol is FTP. In Chapter 3, Understanding Application Layer Protocols, we saw the fundamentals of how FTP operates in its two modes, Active mode and Passive mode, so now let's apply what we already know and see how the protocol scales in a content-switched environment. The issues of implementing FTP into content-switched architectures can be loosely summed up by two main points. First, as there are two separate TCP connections operating in conjunction, the details and control of these separate sessions must be combined within the content switch to ensure that mechanisms such as address translation and server selection are common between the two. Second, FTP is an example of an Application layer protocol that embeds IP address details within the Layer 7 application data payload between client and server. For any Layer 7 aware device performing NAT between the two end points in an FTP conversation, the challenges are common, so the issues that we'll see in the next few pages for content switching also hold true for other NAT devices such as stateful inspection firewalls. Let's look at both modes of FTP operation in turn: Active mode and Passive mode.

Load Balancing FTP in Active Mode

In Active FTP, the client opens an FTP Control connection to the server to carry control commands, and the server opens an FTP Data connection to the client to carry the actual data being transferred, which might be anything from a directory listing to a large file.
To initiate this return connection from the server, the client issues a PORT command across the established FTP Control connection, telling the server the IP address and TCP port to which it should connect for the FTP Data connection. Once this command has been issued, the server establishes the FTP Data connection using the details provided by the client and begins the data transfer. In Active mode operation, the responsibilities of the content switch are as follows:
It's really this last point that is important in making the solution work. Imagine a scenario where the content switch is front-ending multiple VIPs for many different FTP services. The content switch must be able to parse the PORT commands from various clients attaching to all of these services and correctly translate the source IP addresses of the FTP Data connection to ensure that the clients see this coming from the same source they are attached to for FTP Control. Failure to do this would result in an application failure for most FTP clients. Figure 6-14 shows the process in more detail.

Figure 6-14. The traffic flow, parsing and address translation for an Active FTP session through a content switch.
Let's look at the four stages of the example in more detail:
Load Balancing FTP in Passive Mode

Passive mode FTP works differently from Active mode. In Passive mode, the FTP Data connection is established from the client to the server, meaning that both channels in the FTP session are established in the same direction. The reason that Passive mode FTP is popular within secure environments is because of the way the PORT command in Active mode opens up a number of attacks commonly known as "FTP Bounce attacks." These Bounce attacks have several variations and can be used to perform subsequent intrusions such as port scans and even the bypassing of filtering or stateful firewalls. These attacks are based around the fact that an FTP client operating in Active mode can send a PORT command with a different IP address (and TCP port) from the one that initiated the FTP Control connection. Imagine if the client issued a PORT command with an IP address of a machine that is on the same subnet as the FTP server, and consequently on the inside of a firewall. This would give the attacker the ability to open a TCP connection to any IP address and TCP port by simply placing that information inside the PORT command. Other, more elaborate attacks can be formulated based on these principles, which are outside the scope of this book. It is for this reason that Passive mode FTP is popular in Internet-facing environments where security requirements are typically higher than in simple internal networks. For Passive mode FTP within a content switched environment, the content switch must perform the following functions:
Let's look at the five stages of this Passive FTP example in more detail:
In summary, FTP load balancing is a good example of an Application layer protocol that typically does not need explicit configuration in the sense of URLs and so forth like many HTTP configurations, but requires some subtle Layer 7 information manipulation within the content switch to address the problems of a multiconnection application. We'll see another example of a multiconnection protocol that requires similar manipulation later in this chapter.
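The following is an added example, not code from the book or from any content switch vendor, that models the Layer 7 handling described in both the Active and Passive mode sections: parsing the h1,h2,h3,h4,p1,p2 address embedded in a PORT command or a 227 reply, tying the resulting FTP Data session to the same real server and VIP as the FTP Control session, and rejecting a PORT command whose address differs from the control connection's source (the FTP Bounce case). The class name, the VIP and server addresses, and the sample PORT and 227 lines are all constructed for illustration; that the switch rewrites the server's real address in the 227 reply to the VIP is standard practice assumed here rather than spelled out on this page.

```python
import re

# Constructed sample lines: a client's PORT command (Active mode) and a
# server's 227 reply to PASV (Passive mode). Both carry h1,h2,h3,h4,p1,p2.
CLIENT_PORT_CMD = "PORT 10,1,1,50,4,1\r\n"
SERVER_PASV_REPLY = "227 Entering Passive Mode (192,168,10,20,7,233)\r\n"
_SEXTET = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 sextet, or None if malformed."""
    m = _SEXTET.search(text)
    if not m:
        return None
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        return None
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]

def format_hostport(ip, port):
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"

class FtpAlg:
    """Hypothetical per-VIP FTP helper inside a content switch."""
    def __init__(self, vip, real_server):
        self.vip, self.real_server = vip, real_server
        self.active = set()   # (client_ip, port) the server may connect back to
        self.passive = {}     # (vip, port) -> (real_server, port)

    def handle_port(self, line, control_client_ip):
        """Active mode: learn the data endpoint from PORT; the embedded IP must
        equal the control connection's source, which blocks FTP Bounce."""
        hp = parse_hostport(line) if line.upper().startswith("PORT ") else None
        if hp is None or hp[0] != control_client_ip or hp[1] < 1024:
            raise ValueError("rejected PORT: " + line.strip())
        self.active.add(hp)
        return hp

    def translate_server_syn(self, src_ip, dst_ip, dst_port):
        """Server-initiated data SYN: source becomes the VIP the client holds
        for FTP Control; any SYN not announced by a PORT command is dropped."""
        if src_ip == self.real_server and (dst_ip, dst_port) in self.active:
            self.active.discard((dst_ip, dst_port))
            return (self.vip, dst_ip, dst_port)
        return None

    def handle_pasv_reply(self, line):
        """Passive mode: replace the real server's address in the 227 reply
        with the VIP and pre-create the entry for the client's data SYN."""
        hp = parse_hostport(line) if line.startswith("227") else None
        if hp is None or hp[0] != self.real_server:
            raise ValueError("rejected 227: " + line.strip())
        self.passive[(self.vip, hp[1])] = (self.real_server, hp[1])
        return f"227 Entering Passive Mode ({format_hostport(self.vip, hp[1])})\r\n"

    def translate_client_syn(self, dst_ip, dst_port):
        """Client's data SYN to VIP:port is steered to the server that sent 227."""
        return self.passive.pop((dst_ip, dst_port), None)
```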