The primary use case of this solution is for the web application firewall. We have a Metaswitch system for our telephone service. We front our SIP provisioning servers and our client communications portals with the WAF.
Loadbalancer.org, together with Metaswitch in Enfield, England, wrote a set of rules that are managed on the Loadbalancer to prevent illegal entry, password hacking attempts, invalid SIP provisioning hacking attempts, or general denial-of-service attacks against our cloud. It ensures that only what we expect to hit our systems is let through.
The solution has improved our organization by providing the security required to block break-in attempts easily, without overloading the WAF or letting them get to our servers.
The features I find valuable in this solution are the ease of managing the logs on the WAFs, the ease of identifying break-in attempts into the network, writing rules to block them (for example, file or config pull attempts), and the addition of HAProxy to control what is allowed and what is not.
The solution can be improved with the development of a SIP engine because it is difficult to manage SBCs. All SBCs are really tough to write rules for. If we could put this in front of an SBC to have the right rules to possibly block the traffic, that would be very helpful.
The solution can also improve the relationship between Loadbalancer.org and Metaswitch, or now Microsoft, since Metaswitch was purchased by Microsoft. They both position themselves as certified but don't always talk to each other. I wish there were closer integration between the solution and the vendors when either releases new upgrades to their product line. Often we find issues on either end post-upgrade.
I have been using the solution for three years.
The solution is stable. We have not had an issue with stability in over three years. Since it is an N+1 solution, failovers are seamless.
The tech support is good. For the most part, they are able to respond to my issues immediately. In some cases, you may get the runaround because, in addition to having their primary support based in England, they also have offices in Canada and Asia. You can run into an issue when one engineer passes the case over to another engineer after their shift and the second engineer doesn't know what the first one worked on up to that point. It is nice to know that someone is available, but they are not always the right engineer.
Prior to the solution, the only thing we had was a Juniper SRX240 firewall, which is basically just a dumb device for NATing that either lets you through or it doesn't. A lot of the traffic made it through to our backend, causing server crashes and attacks on the data center.
The initial setup was one of the easiest appliances I've ever installed in the network. It took two weeks to get the solution completely up and running and configured. The solution has a monitor mode where you install it and put it in the route, but you don't turn it on; you just let it run and watch the logs. You can write your rules based on what those logs show, and then slowly start turning it on for certain events.
The implementation was done in-house with the assistance of the solution's support over the phone.
The solution has allowed our business to almost double year over year in the voice-over-IP area because it greatly helps with our customer retention. It blocks what should not make it to our back-end servers while allowing only the needed customer traffic. It provides great security rules against hacking attempts.
The solution requires an annual support license that includes software upgrades and support. Compared to other devices in our network, the solution is quite affordable.
We looked at several other firewalls with supposed WAF functionality in them, but they all wanted you to write your own Microsoft/Metaswitch rules.
I give the solution a ten out of ten.
Our organization purchased the Enterprise R20 setup and we are currently using version 8.4.3 of the solution.
We have two telephone switches, one in New York and one in LA; the Loadbalancer.org devices in the Enterprise R2 solution are on Dell N240s in our data centers.
The other feature that I like about the solution is the graphing for network bandwidth and system load averages that are right on your front screen. You can see when somebody's attacking you. Throw that picture up on a screen in your NOC, and then you can see how your domains are doing. When there's a sudden spike from normal traffic, say five megabytes, and now all of a sudden it hits 50 megabytes, you know there's something going on. Look at the WAF logs.
Regarding stability, the box has been up for three years. They are deployed in an N+1. We had a router crash on the underlying router of the network. We had an instance where the default router crashed and was brought back up, and the Loadbalancer itself did a switchover to the other device, which became active. It was stable for over a year after that. Overall the solution is very stable, with no crash problems.
We're not running a huge load through it. For example, our system load of the N240 box is probably less than 2%. It's not pushing a lot. The amount of traffic we are pulling through is maybe at peak times for SIP provisioning servers for phones, maybe 10 megabytes. We run roughly 20,000 phone lines and customer portals through the WAF. It's not a heavy load, but they've been very consistent, with no crashes, and good support. I find their support contracts in this industry reasonable.
When you purchase this solution you get the extra firewall, you get the HAProxy control, you get the WAF rules, and you get load balancer functionality if you ever need it.
The solution requires on average one person for one hour a day to maintain.
I recommend learning how to write your own rules to match your deployment after starting with the standard delivered set. Customization is easy! Know what is good on your system and what's bad on your own system when you see these Internet requests coming in. For an enterprise, you could use this device to lock down any unwanted entry to your network to make yourself truly private. If you know the IP addresses of your sites, you can tell this device, "Don't let anything else through." Have some dedicated personnel monitoring it at first for two to three weeks in order to get the rules correct, the way you want them, to improve or control your network traffic. Then turn on the blocking. After that, do your daily monitoring for about an hour a day to see if anything needs to be modified.
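The monitor-first workflow the reviewer describes (put the device in the path, watch the logs, write rules for what you actually see, then turn on blocking) can be rehearsed against a log file before any rule is enabled. The script below is an added example and is not code from Loadbalancer.org, Metaswitch, HAProxy or the reviewer. It assumes a simplified, constructed access-log format, an allowlist of expected application path prefixes, a set of known customer networks (the kind of "IP addresses of your sites" the review mentions), a portal login path and a failed-login threshold; all of these are assumptions standing in for what an operator learns from their own logs. In monitor mode it reports what the rules would have blocked, grouped by reason and by source, so the rules can be corrected before enforcement is switched on.

```python
"""Monitor-mode review of WAF/proxy access logs before enabling blocking.

Added example; not Loadbalancer.org, Metaswitch or HAProxy code. It assumes a
simplified, constructed access-log format:

    <client_ip> <status> "<METHOD> <path>"

The allowed path prefixes, customer networks, login path and failed-login
threshold below are assumptions, not values from any real deployment.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed policy: the traffic we expect to reach the backends.
ALLOWED_PREFIXES = ("/provisioning/", "/portal/")              # assumed application paths
CUSTOMER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),     # constructed; documentation ranges
                     ipaddress.ip_network("198.51.100.0/24")]
LOGIN_PATH = "/portal/login"                                    # assumed portal login endpoint
FAILED_LOGIN_THRESHOLD = 5                                      # failures per source before flagging

LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<status>\d{3}) "(?P<method>[A-Z]+) (?P<path>\S+)"$')


@dataclass
class Decision:
    ip: str
    path: str
    allowed: bool
    reason: str


def classify(ip: str, status: int, path: str, failed_logins: Counter) -> Decision:
    """Apply the allow-rules to one request; failed_logins is per-source state."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in CUSTOMER_NETWORKS):
        return Decision(ip, path, False, "source outside expected networks")
    if path == LOGIN_PATH and status in (401, 403):
        failed_logins[ip] += 1
    if failed_logins[ip] >= FAILED_LOGIN_THRESHOLD:
        # once a source is over the threshold, everything it sends is flagged
        return Decision(ip, path, False, "repeated failed logins")
    if not path.startswith(ALLOWED_PREFIXES):
        return Decision(ip, path, False, "unexpected path")
    return Decision(ip, path, True, "matches expected traffic")


def review(lines, enforce: bool = False) -> dict:
    """Run the rules over log lines. enforce=False is monitor mode: nothing is
    blocked, the report only shows what the rules *would* do."""
    failed_logins = Counter()
    decisions = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:  # unparseable line: surface it instead of silently skipping it
            decisions.append(Decision("?", line, False, "unparseable log line"))
            continue
        decisions.append(classify(m["ip"], int(m["status"]), m["path"], failed_logins))
    blocked = [d for d in decisions if not d.allowed]
    return {
        "enforcing": enforce,
        "allowed": len(decisions) - len(blocked),
        "blocked": len(blocked),
        "by_reason": Counter(d.reason for d in blocked),
        "by_source": Counter(d.ip for d in blocked),
        "decisions": decisions,
    }


def render(report: dict) -> str:
    """Operator-facing summary: reasons first, then the sources behind them."""
    verb = "blocked" if report["enforcing"] else "would block"
    out = [f"allowed: {report['allowed']}   {verb}: {report['blocked']}"]
    out += [f"  {verb} {n:>3}  {reason}" for reason, n in report["by_reason"].most_common()]
    out += [f"  source {ip}: {n}" for ip, n in report["by_source"].most_common()]
    return "\n".join(out)


# Constructed sample log in the assumed format above.
SAMPLE_LOG = [
    '203.0.113.10 200 "GET /provisioning/phone-0001.xml"',
    '203.0.113.10 200 "GET /provisioning/phone-0002.xml"',
    '198.51.100.7 200 "GET /portal/"',
    '198.51.100.7 200 "POST /portal/login"',
    '192.0.2.55 404 "GET /admin/config"',          # source outside customer networks
    '192.0.2.55 404 "GET /backup.zip"',
    '203.0.113.42 401 "POST /portal/login"',       # five failures from one customer address
    '203.0.113.42 401 "POST /portal/login"',
    '203.0.113.42 401 "POST /portal/login"',
    '203.0.113.42 401 "POST /portal/login"',
    '203.0.113.42 401 "POST /portal/login"',
    '203.0.113.42 200 "GET /portal/"',             # still flagged after the threshold
    '198.51.100.7 404 "GET /old-portal/index.php"',  # trusted source, unexpected path
]

if __name__ == "__main__":
    print(render(review(SAMPLE_LOG)))  # monitor mode: report only
```

The two-week observation period in the review is where the allowlist gets corrected: a trusted customer address landing in "unexpected path" usually means a legitimate path is missing from the allowlist rather than an attack, and only once that list has stopped changing does `enforce=True` make sense.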