A Security Administrator wants to reduce the load on Web servers located in a DMZ. The servers
are configured with the same Web pages for the same domain, and with identical hardware. Which
of the following is the BEST answer to help balance the load on the Web servers?
A. Round Trip
B. Round Robin
C. Server Load
D. Domain
E. Cluster
Explanation:
‘Round Robin’ does not take into account the actual load on a server; it just passes from one to
another. ‘Server Load’ would be a better solution, as it measures the actual load each server is
under.
Load Balancing Algorithms
After learning about the methodologies the logical server/firewall
uses to route traffic, you need to consider the algorithms used to decide which
server in the server farm will get the load-balanced connection. Check Point
provides five algorithms for the logical server; the administrator decides which
of these algorithms to use. The algorithms are called
server load, round trip, round robin, random, and domain.
We’ll describe these algorithms next.
1. The server load algorithm, shown in the figure below, works in conjunction
with a load agent that runs on each server in the server farm. The load agent
is a small program that communicates to the firewall how busy the machine is.
The machine with the lightest load is sent the next packet.
You can download this load agent
from Check Point’s website (only available for Solaris) or write one using the OPSEC APIs
provided by Check Point on the OPSEC website (www.opsec.com). The load agent uses UDP
port 18212 by default. The firewall checks the load on each server at the configured time
and passes the connection to the server that has the lightest load.
2. The round trip algorithm uses ping to decide which server gets the request, as depicted in
the figure below. The round trip algorithm is much simpler than the server load algorithm, but not as
intuitive: it cannot measure the load on the servers. Therefore, the round trip algorithm’s decision is
based solely on network factors rather than the server load. When you use round trip, the server with the
least traffic will answer first. The server with the most traffic will be too busy to answer, and the
packet will be delivered to the machine that answers first.
The drawback to using the round trip method is that the server closest to the
firewall usually gets the connection.
3. The round robin algorithm, shown in the figure below, is not very intelligent.
This algorithm begins with the first server in the server farm and gives it the
first connection. The second connection goes to the second server in the
server farm, the third goes to the third, and so on. When the algorithm
reaches the bottom of the list, it starts over.
4. Next in the list of load balancing algorithms is random. Do you remember
the method you used to choose teams when you were a kid? Eenie, Meenie,
Minie, Mo! That is the same method the firewall uses. The random algorithm
is illustrated in the figure below.
5. Last is the domain algorithm. With this algorithm, the firewall chooses
the closest server based on domain names. The figure below shows an illustration
of the domain algorithm in action. There is an issue with the domain algorithm. Check Point
doesn’t recommend using it, because it creates a noticeable delay for requests due to the
required reverse DNS lookups. In today’s e-business environment, any delay
experienced by users accessing your website could be disastrous. This algorithm
was originally designed for clients in Europe and the rest of the world, where
they use country names at the end of their URLs (such as www.company.uk). For example, in
the figure below, if a client in the U.K. is trying to connect to a website for a global company based in
France, the initial connection goes to the logical server in France. At this point, the closest server
is in France, and it would be
“logical” to send the connection to the server in France. Unfortunately, the
domain algorithm will send packets back to the client in the U.K. and redirect
them to the server located in the U.K., wasting precious time in the connection
setup. This is an effective method only if all your servers are located in Europe
and the client is also located in Europe.
To sum up, Check Point offers five algorithms, but in our opinion, only
one is a true load balancing method. The server load algorithm is the only
method that takes into account the actual load on each server. The rest of the
algorithms don’t consider how busy each server is in the server farm. As the
administrator, you should check out all methods of load balancing (both
Check Point and non-Check Point) before deciding which one is best for
your situation.
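The difference between round robin and server load described above can be seen in a small simulation. This is an added example, not Check Point code: the function names, the three-server farm and the request costs are constructed, and "load" is assumed to be the cumulative work handed to each server rather than a value reported by a real load agent.

```python
# Added illustration: not Check Point code. Load is modeled as cumulative
# work assigned to each server (assumption); request costs are constructed.

def pick_round_robin(loads, state):
    """Walk the server list in order and wrap around; load is ignored."""
    index = state["next"] % len(loads)
    state["next"] = index + 1
    return index

def pick_server_load(loads, state):
    """Choose the server currently reporting the lightest load."""
    return min(range(len(loads)), key=lambda i: loads[i])

def simulate(picker, costs, n_servers=3):
    """Assign each request cost to a server and return the final loads."""
    loads = [0] * n_servers
    state = {"next": 0}
    for cost in costs:
        loads[picker(loads, state)] += cost
    return loads

# Constructed workload: every third request is expensive (cost 9), the rest cheap.
COSTS = [9, 1, 1] * 10

if __name__ == "__main__":
    for name, picker in (("round robin", pick_round_robin),
                         ("server load", pick_server_load)):
        loads = simulate(picker, COSTS)
        print(f"{name:12s} loads={loads} spread={max(loads) - min(loads)}")
```

With identical servers, round robin still piles every expensive request onto the same machine when the request pattern lines up with the server list, while the lightest-load choice keeps the gap between servers within the cost of a single request.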