TEMPESTA FW

Tempesta FW is an all-in-one open-source solution for high-performance web content delivery and advanced protection against DDoS and web attacks. It is a drop-in replacement for the whole web server frontend infrastructure: an HTTPS load balancer, a web accelerator, a DDoS mitigation system, and a web application firewall (WAF).

Tempesta FW is the first and only hybrid of a web accelerator and a multi-layer firewall. This unique architecture provides efficient blocking of any malicious traffic and outstanding performance of web applications in normal operation. The architecture is the result of collecting and applying state-of-the-art research and cutting-edge technologies.

Tempesta FW services up to 1.8M HTTP requests per second on the cheapest hardware. The benchmark results are open and can be easily proven. Our performance results are beyond the reach of other modern web accelerators.

Watch the Tempesta FW demo in the Security Weekly show - Fast And Secure Web.

FEATURES

Web acceleration

Tempesta FW uses TempestaDB, a very fast in-memory database, to serve as a web cache.

While most modern web accelerators are unable to pipeline HTTP requests, Tempesta FW can pipeline HTTP requests, utilizing backend server connections more efficiently.

Tempesta TLS, a performance-optimized fork of the proven mbedTLS library, offloads TLS encryption from your servers and efficiently mitigates TLS handshake DDoS attacks. Tempesta TLS is almost 2x faster than Nginx/OpenSSL and provides up to 4x lower latency.

Load balancing

Tempesta FW uses machine learning to dynamically learn and predict changes in the performance and the availability of each of your backend servers. There is no need to configure and maintain many different weights in your web cluster!

Tempesta FW also provides a rich set of traditional load balancing strategies, such as persistent sessions, complex conditional statements over almost any set of HTTP request fields, weighted round-robin, and rendezvous hashing.

Web security

Tempesta FW is a hybrid of a web accelerator, a load balancer, and an application-layer firewall. It analyzes HTTP traffic as soon as it arrives at a network adapter. Any malicious traffic is dropped early at the IP layer, saving system resources for really useful work.

Tempesta FW provides the Frang module for fine-grained HTTP filtering to protect against various types of HTTP DDoS and web attacks.

A sticky cookie module provides unique identification of each client and efficiently challenges DDoS bots.

Application performance monitoring

Tempesta FW dynamically monitors upstream server performance and, using machine learning algorithms, predicts how that performance will change in the near future. Adaptive load balancing leverages that data to forward client requests to the server that has, or is expected to have, the smallest workload.

Tempesta FW measures the delays between when client requests are forwarded to the upstream server and the server response. That data is collected and analyzed, so system administrators can monitor online statistics for each backend server.

PERFORMANCE

Tempesta FW is designed to deliver the highest performance in HTTP processing under various workloads. High performance servicing of unusual traffic is crucial for resistance against complex DDoS attacks, including targeted DDoS attacks. Most types of HTTP floods can be mitigated without any configuration effort thanks to the fast processing engine.

How the results were achieved

The core of HTTP processing is the fastest HTTP parser. Tempesta FW uses the full power of the modern x86-64 instruction set along with new algorithms for fast HTTP string processing. A highly optimized in-memory database using a new CPU cache-conscious data structure services the web cache. Tempesta FW works as a part of the Linux TCP/IP stack, eliminating traditional I/O queues, context switches and copying. Advanced techniques for working with packet fragments are used to adjust HTTP headers in a zero-copy fashion. A special highly efficient inter-CPU transport is used to proxy network packets among TCP sockets with minimal inter-CPU traffic. All these things combined make the most efficient web accelerator and HTTP filter.

Our Wiki page describes details on the benchmark, so you can reproduce the results for yourself.

HOW IT WORKS

  1. The IP packet is received by the network adapter and quickly verified against filtering tables.
  2. The HTTP request is immediately parsed in the OS's deferred interrupt while the data is still hot in CPU caches.
  3. The request is analyzed by the Frang module, which is responsible for detection of HTTP DDoS and web attacks. If the request is classified as malicious, then the attacker is blocked at the IP layer and all subsequent requests from them are blocked at step 1.
  4. Otherwise the request is serviced from the cache or forwarded to an upstream server according to the established load balancing policy. The web cache and filtering database are built on top of TempestaDB.
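
The feedback loop in steps 1 to 4 can be modelled in a few lines. This is an added illustration, not Tempesta FW code: the `Pipeline` class, the sliding-window rate rule standing in for the Frang classifier, the return labels and the sample traffic are all assumptions constructed for the example.

```python
from collections import defaultdict, deque

class Pipeline:
    """Toy model of the four steps above (hypothetical, not Tempesta FW code)."""

    def __init__(self, max_req=3, window=1.0):
        self.blocked = set()              # step 1: IP-layer filter table
        self.cache = set()                # step 4: URIs held in the web cache
        self.recent = defaultdict(deque)  # per-client request timestamps
        self.max_req, self.window = max_req, window  # assumed rate rule

    def _malicious(self, ip, now, line):
        # Assumed stand-in for the classifier in step 3: a malformed request
        # line, or more than max_req requests inside the sliding window.
        parts = line.split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            return True
        q = self.recent[ip]
        q.append(now)
        while now - q[0] > self.window:
            q.popleft()
        return len(q) > self.max_req

    def handle(self, ip, now, line):
        if ip in self.blocked:              # step 1: dropped before any parsing
            return "drop@ip"
        if self._malicious(ip, now, line):  # steps 2-3: parse and classify
            self.blocked.add(ip)            # feed the verdict back to step 1
            return "block"
        method, uri, _ = line.split(" ")
        if method == "GET" and uri in self.cache:
            return "cache-hit"              # step 4: served from cache
        if method == "GET":
            self.cache.add(uri)             # pretend the response was cached
        return "upstream"                   # step 4: forwarded to a backend

# Constructed sample traffic: (client IP, timestamp in seconds, request line).
SAMPLE = [
    ("198.51.100.7", 0.0, "GET / HTTP/1.1"),
    ("198.51.100.7", 0.1, "GET / HTTP/1.1"),
    ("203.0.113.9", 0.2, "GET / HTTP/1.1"),
    ("203.0.113.9", 0.3, "GET /a HTTP/1.1"),
    ("203.0.113.9", 0.4, "GET /a HTTP/1.1"),
    ("203.0.113.9", 0.5, "GET /a HTTP/1.1"),  # 4th request within 1 s
    ("203.0.113.9", 0.6, "GET / HTTP/1.1"),   # now rejected at step 1
    ("198.51.100.7", 5.0, "GET /a HTTP/1.1"),
]

def run(events=SAMPLE):
    p = Pipeline()
    return [p.handle(*e) for e in events]
```

Once a client is classified as malicious, its later requests never reach the parser or the cache; they cost only the table lookup in step 1.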

More about high performance HTTP processing

Tempesta FW is built into the Linux TCP/IP stack for better and more stable performance relative to most modern HTTP accelerators and load balancers. This unique technology makes HTTP filtering almost as fast as filtering at the IP layer. Meanwhile, normal HTTP requests are serviced immediately, without overhead from queues or context switches, and without any need to make copies.

Not only that, but it provides the same user experience as traditional web accelerators and HTTP load balancers in normal Linux installations. It can be installed on almost any server and is easier to use than the average hardware appliance. Unlike web servers built on top of user-space TCP/IP stacks (e.g. using DPDK, Netmap etc.), you can use standard Linux tools like IPTables, tc, LVS, and tcpdump to manage HTTP traffic without making many data copies.

Our Netdev 2.1 paper discusses issues with modern web accelerators and describes Tempesta FW's design. The presentation, also available at the link, addresses several unique technologies and algorithms for high performance HTTP protocol processing and proxying.

TEMPESTA DATABASE

TempestaDB was designed to store a web cache and filter rules. However, it also provides a common user-space interface for persistent key-value data storage, which can then be accessed from web applications. The tdbq user-space tool modifies and queries stored data.

The libtdb library provides access to the database from user space so you can use TempestaDB as an embedded database. Unlike traditional embedded databases, TempestaDB can be used by many processes concurrently. As a result of that, the database has much lower overhead for data transport than client-server databases.

More about TempestaDB

The database employs a number of cutting-edge technologies, such as a cache-conscious lock-free burst hash trie for the index, NUMA-aware record distribution and replication, huge pages, zero-copy data transport between user and kernel space, and the SSE4.2 instruction set of x86-64. The usage of hardware transactional memory is considered for further releases.

Watch our presentation Linux Kernel Extension for Databases from Percona Live 2016 to learn more about TempestaDB design, motivation and further directions in the database development.

DEPLOYMENT

High availability

The reliability of a web cluster is extremely important. Please check the Wiki page for scenarios of highly available Tempesta FW installations.

Clouds

Tempesta FW can be deployed in clouds as well as on bare metal. You can learn more about cloud installation in our Wiki.

Installation

You can install Tempesta FW from sources or prebuilt packages. System requirements can be found on our Wiki.

SUPPORT

We can help you install and configure Tempesta FW as well as tune your operating system to ensure maximum performance. Our experts have years of experience in high-performance network traffic processing and databases, including both the development and management sides. We’d be happy to help you build a high-performance, scalable, and highly available system.
Please email us at .