Load Balancing Firewall Load

PreviousHigh-Availability NextBest Practices and Recommendations

Last updated 1 year ago

Load-balancing equipment can distribute traffic by multiple firewalls.

Decrease processing and memory requirements of each firewall.
Allow for scalable growth of traffic.
Makes the network less vulnerable to DoS attacks.
When its also responsible to distribute policies/rules is called an Orchestrator.

Algorithms

IP Hash.

The IP address (or a set of flow identifiers) of the client is used to determine which server/firewall receives the flow or request.
Does not require state maintenance. Hash function output determines the target.

Round Robin.

Requests are distributed across the group of servers sequentially.
Can not be used with firewalls, if firewalls do not share a state.

Least Connections.

A new request is sent to the server/firewall with the fewest current connections.
The relative computing capacity of each server/firewall is factored into determining which one has the least connections.

“Smart”.

Based on an external source of information.

Addressed Firewalls

Interfaces have IP addresses.

Load balancers (or routers) route traffic as an IP next-hop.

Can provide routing services.

Replace routers.

Stealth Firewalls

Interfaces do not have IP addresses.

May have multiple-layer rules.

Load balancers (or switches) route traffic on a per-interface/VLAN basis.

Can not provide routing or NAT/PAT services.

Can not replace routers.

Load-Balancers Instances

Load balancers may have (theoretical) isolated instances to handle different zones/groups.

With a set of firewalls per zone/group.

Physical or virtual partitions.

Some vendors call it group ports.

Redundant Load Balancers

Addressed Firewalls

Balancers should share routing history.

Flow is sent always to the same firewall.
To avoid firewall state sharing (less load).

Stealth Firewalls

Balancers should share VLAN routing history.

Flow is sent always to the same VLAN/Firewall.
To avoid firewall state sharing (less load).

Single Load Balancer

Multi-Levels of Defense

First Level of stateless firewalls for DDoS protection.

Second Level(s) of stateful firewalls for general protection.

Information from services may be used.

To free resources in the stateful firewalls.
Configure black/white list rules at the stateless firewalls.