Load Balancing Firewall Load
Load-balancing equipment can distribute traffic across multiple firewalls.
Decreases the processing and memory requirements of each firewall.
Allows for scalable growth of traffic.
Makes the network less vulnerable to DoS attacks.
When it is also responsible for distributing policies/rules, it is called an Orchestrator.
IP Hash.
The IP address (or a set of flow identifiers) of the client is used to determine which server/firewall receives the flow or request.
Does not require state maintenance: the hash function output determines the target.
Round Robin.
Requests are distributed across the group of servers sequentially.
Cannot be used with firewalls unless the firewalls share state.
Least Connections.
A new request is sent to the server/firewall with the fewest current connections.
The relative computing capacity of each server/firewall is factored into determining which one has the least connections.
“Smart”.
Based on an external source of information.
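The three distribution strategies listed above, as an added Python example that is not part of the original notes. The firewall names, the capacity weights and the sample flow are constructed for illustration; the example also shows the property each note hints at: the IP hash is stateless and symmetric (both directions, and two independent balancer instances, pick the same firewall), round robin scatters the packets of one flow over several firewalls, and least connections weights its choice by relative capacity.

```python
"""Firewall-pool distribution strategies: IP hash, round robin, least connections.

Added example, not taken from the original notes. The firewall names, the
capacity weights and the sample flow are constructed for illustration.
"""
import hashlib

# A flow is identified by (src_ip, src_port, dst_ip, dst_port, proto).
FIREWALLS = ["fw-a", "fw-b", "fw-c"]
SAMPLE_FLOW = ("203.0.113.5", 40000, "192.0.2.10", 443, "tcp")  # constructed


def canonical(flow):
    """Order the two endpoints so that both directions of a flow hash alike."""
    src_ip, src_port, dst_ip, dst_port, proto = flow
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (*min(a, b), *max(a, b), proto)


class IpHash:
    """Stateless: the hash of the flow identifiers selects the firewall."""

    def __init__(self, firewalls):
        self.firewalls = list(firewalls)

    def pick(self, flow):
        digest = hashlib.sha256(repr(canonical(flow)).encode()).digest()
        index = int.from_bytes(digest[:4], "big") % len(self.firewalls)
        return self.firewalls[index]


class RoundRobin:
    """Sequential: each decision moves to the next firewall, ignoring the flow."""

    def __init__(self, firewalls):
        self.firewalls = list(firewalls)
        self.next = 0

    def pick(self, flow):
        fw = self.firewalls[self.next % len(self.firewalls)]
        self.next += 1
        return fw


class LeastConnections:
    """Weighted: pick the firewall with the fewest active connections relative
    to its capacity weight (a firewall with weight 2 may carry twice as many)."""

    def __init__(self, capacities):
        self.capacities = dict(capacities)          # {name: relative weight}
        self.active = {fw: 0 for fw in capacities}  # current open connections

    def pick(self, flow):
        fw = min(self.active, key=lambda f: (self.active[f] / self.capacities[f], f))
        self.active[fw] += 1
        return fw

    def release(self, fw):
        self.active[fw] -= 1


def ip_hash_is_symmetric(flow):
    """Both directions of the flow land on the same firewall, and a second,
    independent balancer instance (no shared state) agrees on the choice."""
    first, second = IpHash(FIREWALLS), IpHash(FIREWALLS)
    reverse = (flow[2], flow[3], flow[0], flow[1], flow[4])
    return first.pick(flow) == first.pick(reverse) == second.pick(flow)


def round_robin_firewalls_seen(flow, packets=4):
    """Number of distinct firewalls that the packets of ONE flow reach under
    round robin: more than one means a stateful firewall without shared state
    would see mid-connection packets it has no entry for."""
    lb = RoundRobin(FIREWALLS)
    return len({lb.pick(flow) for _ in range(packets)})


def least_connections_share(new_connections):
    """How new connections split between a weight-1 and a weight-2 firewall."""
    lb = LeastConnections({"fw-a": 1, "fw-b": 2})
    counts = {"fw-a": 0, "fw-b": 0}
    for _ in range(new_connections):
        counts[lb.pick(SAMPLE_FLOW)] += 1
    return counts


if __name__ == "__main__":
    print("IP hash symmetric:", ip_hash_is_symmetric(SAMPLE_FLOW))
    print("round robin firewalls seen by one flow:", round_robin_firewalls_seen(SAMPLE_FLOW))
    print("least connections split:", least_connections_share(6))
```

The canonical ordering in the IP hash is what makes it safe for stateful firewalls without any shared state: the reply packets hash to the same firewall as the request. Round robin, by contrast, needs every firewall in the pool to know every connection.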
Interfaces have IP addresses.
Load balancers (or routers) route traffic as an IP next-hop.
Can provide routing services.
Can replace routers.
Interfaces do not have IP addresses.
May have multiple-layer rules.
Load balancers (or switches) route traffic on a per-interface/VLAN basis.
Cannot provide routing or NAT/PAT services.
Cannot replace routers.
Load balancers may have (theoretically) isolated instances to handle different zones/groups.
With a set of firewalls per zone/group.
Physical or virtual partitions.
Some vendors call them group ports.
Balancers should share routing history.
A flow is always sent to the same firewall.
To avoid firewall state sharing (less load).
Balancers should share VLAN routing history.
A flow is always sent to the same VLAN/firewall.
To avoid firewall state sharing (less load).
First level of stateless firewalls for DDoS protection.
Second level(s) of stateful firewalls for general protection.
Information from the services may be used to free resources in the stateful firewalls.
Configure blacklist/whitelist rules at the stateless firewalls.
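The two points above (balancers sharing routing history so a flow always reaches the same firewall, and a stateless blacklist/whitelist tier in front of the stateful firewalls) in one added Python example that is not part of the original notes. The addresses, firewall names, list entries and the in-memory history table are all constructed. The simulation shows that a reply packet is accepted only when the outbound balancer consults the same history as the inbound one, and that a blacklisted SYN dropped at the stateless tier never consumes a connection-table entry on the stateful tier.

```python
"""Two-tier firewall path behind two balancers that share flow history.

Added example, not taken from the original notes. Tier 1 is a stateless
filter (per-packet block/allow lists, no memory); tier 2 is a pool of
stateful firewalls. The inbound and outbound balancers share one flow table
so both directions of a flow reach the same stateful firewall. Addresses,
firewall names, the lists and the in-memory table are all constructed.
"""
from dataclasses import dataclass

SERVER = "192.0.2.10"  # constructed: the protected service behind the firewalls


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True on the first packet of a connection

    def flow(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self):
        return (self.dst, self.dport, self.src, self.sport)


class StatelessTier:
    """Per-packet decisions only: blocklist first, then allowlist, default deny."""

    def __init__(self, blocklist, allowlist):
        self.blocklist, self.allowlist = set(blocklist), set(allowlist)

    def permit(self, pkt):
        if pkt.src in self.blocklist:
            return False
        return pkt.src in self.allowlist


class StatefulFirewall:
    """Keeps a connection table; non-SYN packets need a matching entry."""

    def __init__(self, name):
        self.name, self.conntrack = name, set()

    def handle(self, pkt):
        if pkt.syn:
            self.conntrack.add(pkt.flow())
            return True
        return pkt.flow() in self.conntrack or pkt.reverse_flow() in self.conntrack


class Balancer:
    """One balancer instance. `history` maps a flow to the firewall it was
    pinned to; giving two instances the same dict models shared routing history."""

    def __init__(self, pool, history):
        self.pool, self.history, self.next = pool, history, 0

    def pick(self, pkt):
        for key in (pkt.flow(), pkt.reverse_flow()):
            if key in self.history:
                return self.history[key]
        fw = self.pool[self.next % len(self.pool)]  # new flow: round robin
        self.next += 1
        self.history[pkt.flow()] = fw
        return fw


# Constructed traffic: two allowed connections, one blocklisted SYN, one reply.
PACKETS = [
    Packet("203.0.113.5", 40000, SERVER, 443, syn=True),
    Packet("198.51.100.7", 40001, SERVER, 443, syn=True),  # blocklisted source
    Packet("203.0.113.5", 40002, SERVER, 443, syn=True),
    Packet(SERVER, 443, "203.0.113.5", 40002),             # reply to the 3rd packet
]


def run(packets, shared_history=True, prefilter=True):
    """Returns the per-packet verdicts and the number of conntrack entries created."""
    tier1 = StatelessTier(blocklist={"198.51.100.7"}, allowlist={"203.0.113.5", SERVER})
    pool = [StatefulFirewall("fw-a"), StatefulFirewall("fw-b")]
    table = {}
    inbound = Balancer(pool, table)
    outbound = Balancer(pool, table if shared_history else {})
    verdicts = []
    for pkt in packets:
        if prefilter and not tier1.permit(pkt):
            verdicts.append("dropped@stateless")
            continue
        fw = (inbound if pkt.dst == SERVER else outbound).pick(pkt)
        verdicts.append(("accept@" if fw.handle(pkt) else "drop@") + fw.name)
    return verdicts, sum(len(fw.conntrack) for fw in pool)


if __name__ == "__main__":
    print("shared history:   ", run(PACKETS))
    print("separate history: ", run(PACKETS, shared_history=False))
    print("no stateless tier:", run(PACKETS, prefilter=False))
```

With shared history the reply to the third connection reaches fw-b, which holds its entry; with separate histories the outbound balancer sends it to fw-a, which has never seen the connection and drops it, so either the history is shared or the firewalls must replicate state. Disabling the stateless tier lets the blocklisted SYN create a third connection-table entry, which is exactly the load the first level is meant to absorb.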