Figure 10.1 A good topology for performance has layers that do one thing and do it well. This one
has a sprayer, with a hot standby, that takes incoming requests and routes them to one of three
identical web servers. The web server can then request services to build dynamic content from any
of the available web application servers behind the corporate firewall, which in turn can use
database or transactional servers.
Edge servers can provide these functions:
Firewall. A firewall is a hardware or software layer that sits between two
zones. In our architecture, we have firewalls between our DMZ and the
public Internet, and between our DMZ and the private intranet. Two
major kinds of firewalls are filtering and proxy. A filtering firewall, usually
implemented in a router, filters packets, or atomic TCP/IP messages,
for security and performance. A proxy firewall allows or denies
outbound traffic based on an existing security policy. For example, a
systems administrator could block MP3 access with this type of firewall.
In our architecture, we have two firewalls, which are configured with
two different security policies. With such a configuration, only the most
sophisticated attack penetrates both firewalls.
Spraying/load balancing. A sprayer is a network node responsible for
taking requests to a single destination and fanning them out to multiple
physical machines. Usually, a sprayer is identified with a DNS name so
that the user community doesn't need to be partitioned. A load