Category: Technical Guide

Computer networks come in many different shapes and sizes, from a small network with an all-in-one WiFi router and a couple of wireless devices to a network that spans multiple campuses with several layer 3 switches or routers, hundreds of VLANs and multiple WAN connections. Your network topology and requirements will largely be determined by campus size, performance requirements and budget.

Linewize has been designed with flexibility and ease of deployment in mind and can fit into any network environment. Linewize operates at all levels of the networking stack as a router, firewall and application aware content filter. It can be deployed as the edge device on a network to provide high performance routing and layer 2-4 filtering as well as application layer filtering and identity management, or simply as a transparent layer 2 bridge augmenting an existing network topology with filtering, visibility and identity management.

Most deployments of Linewize fit into three broad categories:

  • Layer 2 transparent bridge deployment
  • Layer 3 router
  • Layer 3 router with NAT

Each type of deployment utilizes the same virtual or physical appliance, software stack and cloud management.

Transparent Bridge Deployments

The simplest way to deploy Linewize is as a transparent bridge. Deploying the appliance as a transparent bridge means you can augment your existing network topology with Layer 7 filtering, visibility and user management without major changes to your logical network topology.

In a normal transparent bridge deployment, the Linewize appliance becomes an inline filter between your edge router and your switching and wireless infrastructures. This means that all internet traffic will pass through the appliance transparently. Routing and NAT decisions are not made by the Linewize appliance and traffic is allowed by default.

[Figure: Transparent bridge deployment]

Filtering capabilities in this type of deployment are similar to those of a traditional proxy server, without a proxy server's drawbacks: client devices do not need to be configured to pass traffic through the appliance, IP addressing and routing do not need to be modified, and internet traffic does not need to be tunneled out through a cloud hosted proxy or filtering solution.

On a simple network, deploying Linewize in this way means simply placing it inline with a cabling change.

VLANs with a Transparent Bridge

In larger networks it is common to segment the layer 2 network into VLANs. This introduces the need for a layer 3 router, which is commonly the edge firewall/router. Linewize supports this layout by providing full support for 802.1Q VLANs even when deployed as a transparent bridge.

[Figure: Layer 2 bridge with VLANs]

Accommodating a trunk link between the core switch and the edge firewall/router is simply a matter of configuration.

LACP Bonding

Along with VLANs, larger networks often use LACP Link Aggregation to provide failover, redundancy and performance improvements through the use of multiple physical links between a core switch and the edge firewall/router.

[Figure: LACP bonds deployment]

Linewize has full support for 802.3ad LACP when deployed as a transparent bridge. As with VLANs, accommodating this type of topology is just a configuration change.

Management IP Address

When deployed as a Layer 2 bridge, the Linewize appliance will still need an internet connection for configuration and management with the Linewize cloud. This can be achieved with two different methods.

  • Apply an IPv4 Address to the virtual bridge interface.
  • Create a separate management interface.

Layer 3 Router and Gateway

Along with being a Layer 7 firewall, Linewize is also a Layer 3 router. This means Linewize can be deployed as an internal router in your network, routing traffic between VLANs and subnets and to and from the internet.

Routing decisions are made based on static and dynamic configuration from the cloud management platform and all traffic passing through the Linewize appliance can be filtered at both layer 7 and further down the OSI stack.

Deploying the Linewize appliance as a router allows more granular access controls between different networks and facilitates subnet and VLAN based user identification that may otherwise be impossible in a transparent bridge deployment.

[Figure: Router deployment]

Linewize currently does not support dynamic routing protocols such as RIPv2, BGP or OSPF. Routing that is not tied to WAN interfaces must be statically configured in the Linewize Cloud Interface.

Layer 3 Router and NAT Gateway

The final common deployment topology is as an Edge device. Every internet-connected network needs a NAT capable router and firewall to route traffic to and from the internet and protect the network from malicious attacks.

Deployed as an Edge router/gateway, Linewize sits behind your ISP’s CPE equipment, and all internet traffic, and commonly internal network traffic too, is routed through the appliance. As with the other deployments, VLANs and LACP bonding are fully supported in an Edge deployment.

[Figure: Edge firewall and router deployment]

There are several core technologies that are generally used when Linewize is deployed as a gateway device.

Network Address Translation - NAT

NAT for WAN traffic goes hand in hand with WAN routing in Linewize. Source NAT decisions for outbound traffic are normally made automatically to facilitate easy configuration and management.

Aside from SNAT, Linewize also supports 1:1 NAT, DNAT (Port Forwarding) and Many:1 out of the box. Each NAT type is highly customizable and tied to the firewall automatically.

WAN Routing

Linewize provides very simple WAN routing when deployed as an Edge device. When managing network interfaces you can configure them as a WAN link. In an environment with multiple WAN links, a primary link must be configured and WAN routing decisions can be made based on simple rules or modes. Linewize supports policy based WAN routing through the use of uplink preference rules and an overarching mode of either Failover or Load Balancing.

In Failover mode the primary link is used; if it fails, WAN traffic is routed through the secondary links. Outbound firewall rules can then be used to reduce congestion on failover links by limiting network access. Failover mode is the default for appliances configured with more than one WAN uplink.

In Load Balancing mode, Linewize balances traffic between WAN links, which provides both redundancy and performance improvements for WAN traffic. For additional control, WAN preference rules give administrators control over the load balancing and can be used for user group, application and port based routing.

Linewize dynamic WAN routing allows administrators to utilize multiple WAN interfaces for both performance and resiliency gains.
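The uplink selection logic described above (a primary link, Failover or Load Balancing mode, and preference rules matched on user group, application or port), as an added Python model that is not Linewize code; the uplink names, the flow fields group/app/port and the round-robin balancing are assumptions of the illustration.

```python
"""Model of the WAN uplink selection described above: a primary link,
Failover or Load Balancing mode, and uplink preference rules matched on
user group, application or port. Added illustration, not Linewize code."""
from dataclasses import dataclass
from itertools import cycle
from typing import Optional


@dataclass
class Uplink:
    name: str
    up: bool = True          # health state of the WAN link


@dataclass
class PreferenceRule:
    uplink: str                   # uplink that matching flows are steered to
    group: Optional[str] = None   # user group, e.g. "staff" (assumed field)
    app: Optional[str] = None     # application name (assumed field)
    port: Optional[int] = None    # destination port (assumed field)

    def matches(self, flow: dict) -> bool:
        wanted = (("group", self.group), ("app", self.app), ("port", self.port))
        return all(v is None or flow.get(k) == v for k, v in wanted)


class WanRouter:
    def __init__(self, uplinks, primary, mode="failover", rules=()):
        assert mode in ("failover", "load_balancing")
        self.uplinks = {u.name: u for u in uplinks}
        self.primary, self.mode, self.rules = primary, mode, list(rules)
        self._rr = cycle(list(self.uplinks))   # round-robin for load balancing

    def healthy(self):
        return [n for n, u in self.uplinks.items() if u.up]

    def select(self, flow: dict) -> Optional[str]:
        # 1. A preference rule wins, but only if its uplink is currently up.
        for rule in self.rules:
            if rule.matches(flow) and self.uplinks[rule.uplink].up:
                return rule.uplink
        up = self.healthy()
        if not up:
            return None                   # every WAN link is down
        # 2. Failover: the primary, else the first healthy secondary link.
        if self.mode == "failover":
            return self.primary if self.primary in up else up[0]
        # 3. Load Balancing: round-robin across the healthy links only.
        while True:
            name = next(self._rr)
            if name in up:
                return name
```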

Virtual Private Networks - VPN

Deploying Linewize as an Edge device means administrators can take advantage of the Linewize VPN capabilities. Linewize supports both gateway to gateway VPN connections and road warrior connections through the use of IPsec technology.

Gateway to gateway VPNs provide a way of connecting remote sites. Linewize provides very simple gateway to gateway VPN configuration that can be used to connect several Linewize Edge appliances or a Linewize Edge appliance to another VPN provider.

Road warrior VPNs provide remote workers with a secure connection over the internet from any location. Linewize provides a simple L2TP/IPsec based VPN server out of the box.

Inbound and Outbound Firewall

An important part of an edge firewall/router is WAN filtering. WAN filtering in Linewize is split into two different types, Inbound filtering and Outbound filtering.

Linewize takes a different approach to inbound filtering that we call “Automatic inbound filtering”. Automatic inbound filtering offers a one click filtering model whereby we block traffic that we class as suspicious and/or traffic that does not match your inbound NAT rules, VPN rules and routing rules.

As an administrator, this means when configuring VPNs, NAT rules, and other rulesets, you do not have to worry about managing firewall rulesets as well. This reduces administration overhead and risk of intrusion due to human error.

Outbound filtering and filtering between different VLANs is managed with Outbound filtering firewall rules.
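An added Python illustration (not Linewize's implementation) of the automatic inbound filtering idea, using the DNAT and 1:1 NAT rule types from the NAT section above together with an IPsec VPN setting: the inbound allow-list is derived from those rules, so nothing else arriving from the WAN is accepted. The WAN addresses are constructed documentation addresses and the IKE/NAT-T ports are the standard ones; the rule field names are assumptions.

```python
"""Added illustration (not Linewize's implementation) of automatic inbound
filtering: the inbound allow-list is derived from the DNAT and 1:1 NAT
rules and from the IPsec VPN setting, so no separate inbound ruleset is
maintained and anything else arriving from the WAN is dropped."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

Entry = Tuple[str, str, Optional[int]]   # (dst_ip, proto, port or None=any)


@dataclass(frozen=True)
class Packet:
    dst_ip: str                  # WAN address the packet arrived on
    proto: str                   # "tcp", "udp" or "esp"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class DnatRule:                  # port forward: WAN IP:port -> internal host
    wan_ip: str
    proto: str
    port: int
    target: str


@dataclass(frozen=True)
class OneToOneNat:               # 1:1 NAT: a whole WAN IP mapped to one host
    wan_ip: str
    target: str


def build_inbound_allow(dnat, one_to_one, gateway_wan_ip, ipsec_enabled) -> Set[Entry]:
    """Derive the inbound allow-list from the NAT and VPN configuration."""
    allow: Set[Entry] = {(r.wan_ip, r.proto, r.port) for r in dnat}
    allow |= {(r.wan_ip, p, None) for r in one_to_one for p in ("tcp", "udp")}
    if ipsec_enabled:
        # IKE (UDP 500), NAT-T (UDP 4500) and ESP terminate on the gateway.
        allow |= {(gateway_wan_ip, "udp", 500), (gateway_wan_ip, "udp", 4500),
                  (gateway_wan_ip, "esp", None)}
    return allow


def inbound_allowed(pkt: Packet, allow: Set[Entry]) -> bool:
    """Accept only what a NAT or VPN rule expects; everything else is dropped."""
    return ((pkt.dst_ip, pkt.proto, pkt.dst_port) in allow
            or (pkt.dst_ip, pkt.proto, None) in allow)


# Constructed sample configuration using documentation addresses (203.0.113/24).
SAMPLE_DNAT = [DnatRule("203.0.113.10", "tcp", 443, "10.0.0.5")]
SAMPLE_1TO1 = [OneToOneNat("203.0.113.11", "10.0.0.6")]
SAMPLE_ALLOW = build_inbound_allow(SAMPLE_DNAT, SAMPLE_1TO1, "203.0.113.10", True)
```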

Quality of Service - QoS

When Linewize is deployed as an Edge device, QoS functionality is also available. Linewize supports two different types of QoS, Priority QoS and Rate Limiting.

Priority QoS allows administrators to prioritize traffic based on layer 2-7 criteria. This means HTTPS traffic going to YouTube could be prioritized over Facebook traffic, for example. Priority QoS can be extended to apply to individual user groups or networks and is very flexible. Traffic is given a priority between 1 and 10, and traffic with a higher priority is prioritized over traffic with a lower priority.

Rate Limiting allows administrators to limit network flows, devices and users to certain transfer rates. For example, students could be limited to 10Mbit download each during the day to mitigate and control link congestion.
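The two QoS types above, as an added Python illustration that is not Linewize code: strict priority 1 to 10 between queued packets and a per-user token-bucket rate limit such as the 10 Mbit/s per student mentioned. The packet fields, the one-second burst size and the policing (dropping over-limit packets) are assumptions of the illustration.

```python
"""Added illustration (not Linewize code) of the two QoS types above: strict
priority 1-10 between queued packets, and a per-user token-bucket rate
limit such as 10 Mbit/s download per student."""
import heapq
from dataclasses import dataclass


@dataclass
class TokenBucket:
    rate_bps: float       # sustained rate in bits per second
    burst_bits: float     # bucket capacity (here one second of traffic)
    tokens: float         # bits currently available
    last: float           # time of the last refill, in seconds

    def allow(self, now: float, size_bits: int) -> bool:
        # Refill in proportion to elapsed time, never above the burst size.
        self.tokens = min(self.burst_bits,
                          self.tokens + (now - self.last) * self.rate_bps)
        self.last = now
        if self.tokens >= size_bits:
            self.tokens -= size_bits
            return True
        return False


class QosScheduler:
    def __init__(self, user_rate_bps: float):
        self.user_rate_bps = user_rate_bps
        self.buckets = {}         # one bucket per user
        self.queue = []           # heap of (-priority, seq, packet)
        self.seq = 0              # FIFO order within the same priority

    def enqueue(self, packet: dict):
        # packet fields (assumed): "user", "priority" (1-10), "size_bits"
        assert 1 <= packet["priority"] <= 10
        heapq.heappush(self.queue, (-packet["priority"], self.seq, packet))
        self.seq += 1

    def dequeue(self, now: float):
        """Return the highest-priority packet whose user still has rate budget;
        packets that exceed the user's limit are dropped (policed)."""
        while self.queue:
            _, _, pkt = heapq.heappop(self.queue)
            r = self.user_rate_bps
            bucket = self.buckets.setdefault(pkt["user"], TokenBucket(r, r, r, now))
            if bucket.allow(now, pkt["size_bits"]):
                return pkt
        return None
```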

Virtual Machine Deployments

Network appliances are traditionally provisioned using dedicated physical hardware. Physical hardware has several disadvantages and is a single point of failure. Virtualization and cloud computing solve this problem, and in an age of Software Defined Networking, dedicated hardware for network firewalls is no longer required nor recommended.

Linewize recommends deploying the Linewize Appliance as a Virtual Machine under VMware ESXi. VMware ESXi is an industry standard hypervisor that ships with automatic failover, support for virtualized networking and high performance network offloading.

When deployed with VMware ESXi, the Linewize appliance is hardware and host agnostic and, with VMware vMotion, can be made fully redundant in the event of host failure.

[Figure: VMware deployment]

The Linewize Appliance is Linux based and comes in 64-bit and 32-bit variants. Installation is via an ISO download from our website, and installation and basic setup can take as little as 5 minutes.

Hardware Requirements

When configuring a virtualized Linewize appliance, some thought must be given to the allocated virtual hardware. Packet filtering is CPU intensive rather than disk I/O or memory intensive.

Minimum Recommended Requirements

  • 16 GB SCSI or IDE disk
  • 4 GB memory
  • 2.8 GHz dual-core processor

For large networks, we recommend scaling the CPU capacity, but leaving the HDD and Memory at the recommended defaults above. Exact requirements will depend on a combination of how many connected devices you have, the type and intensity of browsing, and your link size.

Virtual Networks and VSwitches

Deploying Linewize on VMware ESXi requires the use of virtual networks and vSwitches tied to the host adapters. Normally a minimum of two physical host adapters will be needed; VLANs and LACP bonding are fully supported by both Linewize and VMware.

Much like physical deployments, a normal virtual deployment includes an uplink and downlink. Each link is virtually connected to a VMware Network, which is tied to a VSwitch and then a physical adapter.
