Network Security Spheres of Support

  • Last updated on: 2019-03-07
  • Authored by: NetSec Standardization Group

The Spheres of Support for Network Security (NetSec) lists the technologies and features in the network security domain and defines the support level for each item.

Firewall support

Firewall support contains the following elements:

  • Monitoring and management of network firewalls
  • Customized patching, rollback capabilities, and IOS updates
  • Problem, incident, and change management
  • Configuration changes on behalf of the customer
  • Performance monitoring and tuning
  • Configuration and support of Internet Protocol Security (IPsec)-compliant Virtual Private Networks (VPNs)
  • Configuration and maintenance of firewall policies to restrict access to environments
  • Provisioning of Virtual Local Area Networks (VLANs) and private IP space
  • Managed VPN access
  • Secure Sockets Layer (SSL) certificate installation and troubleshooting

The following table shows which features are supported in Cisco® and Juniper® firewalls:

  Feature Cisco ASA Juniper SRX
Interfaces VLAN tagged (Cisco trunk)
  VLAN untagged (Cisco access)
  Link Aggregation Control Protocol (LACP) bundling with a number of interfaces that is a power of 2
Routing Static routing
  Static routing with Internet protocol service level agreement (IP SLA) tracking  
IPv6 Static routing
  Static routing with IP SLA tracking  
Network Address Translation (NAT) Static (one-to-one)
  Port Address Translation (PAT) (NAT overloading)
  Policy NAT/PAT
  Domain Name System (DNS) doctoring
  Connection limits via static NAT  
Packet filtering Layer 3/4 filtering ingress/egress
  Fully qualified domain name (FQDN) based filtering ✓ ASA 8.3+
  Outbound access control list (ACL)  
DDoS mitigation Connection limiting (embryonic, established, or both)
  Connection timeouts
  Transmission Control Protocol (TCP) normalization modification  
  Application inspection  
VPN Route-based VPNs - Border Gateway Protocol (BGP)
  Route-based VPNs - static
  IPsec - IKEv2 L2L with Pre-shared keys (PSK)
  IPsec LAN-to-LAN layer 3/4 filtering
  IPsec LAN-to-LAN PSK authentication
  IPsec LAN-to-LAN hub and spoke configuration
  IPsec remote access with group authentication  
  IPsec remote access with group and user authentication  
  IPsec remote access with two-factor authentication  
  IPsec remote access - multiple VPN groups  
  IPsec remote access with layer 3/4 filtering  
  IPsec remote access - split-tunneling  
  IPsec remote access - all traffic through VPN (tunnel all)  
  IPsec remote access - DNS server assignment  
  SSL VPN AnyConnect® Plus  
  SSL VPN - mobile client (plus license feature)  
  SSL VPN - two-factor authentication  
Management Buffered logging
  Log shipping to log correlation device within the customer’s account
  Simple Network Management Protocol (SNMP) read-only for customer
High Availability (HA) Active or standby (stateful and non-stateful); Cisco: Adaptive Security Appliance (ASA) 5510 and above, ASA-X 5508, 5515 and above; Juniper: clustering (Security, Routing, and Switching (SRX))
Modes and modules Mode - multi-context routed  
  Mode - routed
RackConnect RackConnect VLANs termination  
RackConnect Global RackConnect Global (Private)

Load balancer support

Load balancer support contains the following elements:

  • Monitoring and management of load balancers
  • Problem, incident, and change management
  • Configuration changes on behalf of the customer
  • Performance monitoring and tuning

The following table shows which features are supported in F5® LTM®, Brocade® ADX, NetScaler® VPX, and NetScaler MPX load balancers:

Note: Citrix made the VPX software platform available in early access and will soon release it in limited access. They have not yet released the MPX hardware platform but are currently planning support for it.

  Feature F5 LTM Brocade ADX NetScaler VPX NetScaler MPX
Interfaces VLAN tagged (Cisco trunk)  
  VLAN untagged (Cisco access)
Routing Static routes Default route
IPv6 Static routes Default route
Packet filtering Layer 3/4 Ingress/Egress US - ✓; Intl - X
NAT Static (one-for-one)    
  PAT (NAT overload)    
  Source NAT pools on virtual servers
Load balancing Local servers Servers behind the load balancer (LB)  
  Remote servers in front of the LB
  Parallel Servers sitting as a neighbor to the LB
  Algorithms - static (round robin or weighted round robin)
  Algorithms - dynamic (least connections)
  Healthchecks - ICMP echo
  Healthchecks - Layer 4 TCP (port socket check) and UDP (port rejection)
  Healthchecks - Layer 7 HTTP (response code, string search, checks on non well-known ports)
  Healthchecks - Layer 7 HTTPS (SSL hello, response code, string search, checks on non-well-known ports)
  Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) virtual servers (catchall, single port)
  Stateful Network Address Translation (SNAT)
  HTTP Redirects
  Uniform Resource Identifier (URI) load balancing
  SSL offloading
  Pools - single node: port combination (multiple ports on a server)
  Pools - connection limits (pool, node)
  Pools - priority group activation      
  LB - pools - group monitor applied to all pool members  
  LB - pools - individual monitors applied to each pool member
  LB - pools - combination of individual and group monitors across different pool members  
  LB - application profiles - HTTP (OneConnect, custom HTTP profile settings)  
  LB - application profiles - SSL (client and server)
  LB - application profiles - FTP (active and passive)  
  Persistence - TCP - source IP
  Persistence - HTTP cookie: LB generated, server generated
  Persistence - HTTP custom cookie name  
  Persistence - cookie encryption  
  Persistence - UDP - source IP
  LB - virtual servers - SNAT pools
Scripting iRules ✓ (Limited)      
Management Logging - local buffered logging
  Logging - log shipping to log correlation device (within customer’s account)
  Management - SNMP read-only for customer
HA High availability ✓ ADX 1000 only
  HA - active or standby
Modes and modules Routed (single and multiple route domains) default gateway for back-end servers
  Mode - edge net device ✓ with AFM      
  Multiple segments behind LB  
Interface filtering is
RackConnect RackConnect VLANs termination RCv2 - X; RCv3 - ✓
RackConnect Global RackConnect Global (Private) ✓(AFM only)      
SSL VPNs SSL client VPN on edge Big-IPs using APM module      
SNI Server name indication

Global load balancer

The following table shows which global load balancer features are supported in F5 LTM, Brocade ADX, NetScaler VPX, and NetScaler MPX load balancers:

  Feature F5 GTM ADX GSLB NetScaler VPX NetScaler MPX
Interfaces VLAN tagged (Cisco trunk)      
  VLAN untagged (Cisco access)      
  LACP bundling with a number of interfaces that is a power of 2
Routing Static routes      
IPv6 Static routes      
Load balancing Single listener address      
  Servers - BIG-IP system (single)      
  Servers - BIG-IP system (redundant pair)      
  Virtual servers - manual configuration      
  Wide IPs - standard FQDN names      
  Wide IPs - standard FQDN alias names      
  Wide IPs - single pool, multiple virtual server members      
  Algorithms - static - round robin, ratio (weighted round robin), Global Availability      
  Algorithms - dynamic - least connections      
DNS Authoritative name server for specific sub-delegated domains      
Management Buffered logging      
  Log shipping to log correlation device (within customer’s account)      
High availability (HA) Synchronization groups      
  Redundant GTM devices specified as primary and secondary DNS servers      
Modes and modules Serial configuration      
  Parallel configuration      
  Standalone BIG-IP with GTM license

Cisco Content Service Switches support

End of support for Cisco Content Service Switches (CSS) occurred on September 30, 2014. Customers that continue to use the platform fall under the Extended Lifecycle Support agreement. Any support is considered a reasonable endeavor.

Redhill® WebMux support

End of support for the Redhill WebMux load balancer occurred on September 1, 2014. Customers that continue to use the platform fall under the Extended Lifecycle Support agreement. Any support is considered a reasonable endeavor.

Note: Rackspace makes every effort to align our support dates for operating systems with the manufacturer’s support dates. If a manufacturer decides to shorten the support life of an operating system, Rackspace might be forced to end support sooner than originally anticipated. For full details on support life, see the Rackspace End of Life Terms.

DDoS mitigation

Be aware that Rackspace does support the Distributed Denial of Service (DDoS) mitigation feature.

Disclaimer

The information contained in this document is a general introduction to the Rackspace Services and does not include any legal commitment on the part of Rackspace.

Except as set forth in the agreements you sign with Rackspace, Rackspace assumes no liability whatsoever, and disclaims any express or implied warranty, relating to its services including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

Although part of this document explains how Rackspace services may work with third-party products, the information contained in the document is not designed to work with all scenarios. Any use or changes to third-party products and configurations should be made at the discretion of your administrators and are subject to the applicable terms and conditions of such third party. Rackspace does not provide technical support for third-party products, other than specified in the agreement or agreements you have with Rackspace, and Rackspace accepts no responsibility for third-party products.

Rackspace cannot guarantee the accuracy of any information presented after the date of publication. Copyright © 2019 Rackspace, Rackspace®, Fanatical Support®, Fanatical Experience™, and other Rackspace marks are either registered service marks or service marks of Rackspace US, Inc. in the United States and other countries. All other trademarks, service marks, images, products, and brands remain the sole property of their respective holders and do not imply endorsement or sponsorship.