Load Balancing Firewall Load

Load-balancing equipment can distribute traffic across multiple firewalls.

  • Decreases the processing and memory requirements of each firewall.

  • Allows for scalable growth of traffic.

  • Makes the network less vulnerable to DoS attacks.

  • When it is also responsible for distributing policies/rules, it is called an Orchestrator.

Algorithms

IP Hash.

  • The IP address (or a set of flow identifiers) of the client is used to determine which server/firewall receives the flow or request.

  • Does not require state maintenance: the hash function output determines the target.

Round Robin.

  • Requests are distributed across the group of servers sequentially.

  • Cannot be used with firewalls that do not share state (the return traffic of a flow may reach a firewall that holds no state for it).

Least Connections.

  • A new request is sent to the server/firewall with the fewest current connections.

  • The relative computing capacity of each server/firewall is factored into determining which one has the least connections.

“Smart”.

  • Based on an external source of information.
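The difference between IP Hash and Round Robin in front of stateful firewalls that do not share state, as an added example (not part of the original notes): the flow key is made direction-independent so the reply of a connection hashes to the firewall that saw the request, while Round Robin sends each packet to the next firewall regardless of flow. Firewall names, addresses and traffic are constructed.

```python
import hashlib
from itertools import cycle

# Constructed example: three stateful firewalls behind one balancer, no state sharing.
FIREWALLS = ["fw1", "fw2", "fw3"]

def flow_key(src_ip, dst_ip, src_port, dst_port, proto):
    """Direction-independent 5-tuple: sort the two endpoints so that the
    reply packet produces the same key as the request."""
    lo, hi = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"

def ip_hash_select(firewalls, src_ip, dst_ip, src_port, dst_port, proto):
    """IP Hash: the hash of the flow identifiers picks the firewall; no table needed."""
    key = flow_key(src_ip, dst_ip, src_port, dst_port, proto).encode()
    digest = hashlib.sha256(key).digest()
    return firewalls[int.from_bytes(digest[:4], "big") % len(firewalls)]

def round_robin_selector(firewalls):
    """Round Robin: each packet goes to the next firewall regardless of flow."""
    it = cycle(firewalls)
    return lambda *flow: next(it)

def simulate(select, packets):
    """Count replies dropped because they reached a firewall that never saw
    the forward packet of the flow (firewalls do not share state)."""
    seen = {fw: set() for fw in FIREWALLS}
    dropped = 0
    for direction, *flow in packets:
        fw = select(*flow)
        key = flow_key(*flow)
        if direction == "fwd":
            seen[fw].add(key)          # firewall creates the flow state
        elif key not in seen[fw]:
            dropped += 1               # reply hits a firewall with no state
    return dropped

# Constructed traffic: three client flows, each a request followed by its reply.
PACKETS = []
for i, sport in enumerate((40000, 40001, 40002)):
    client, server = f"10.0.0.{i + 1}", "192.0.2.10"
    PACKETS.append(("fwd", client, server, sport, 443, "tcp"))
    PACKETS.append(("rep", server, client, 443, sport, "tcp"))

def compare():
    """Returns (dropped replies with IP Hash, dropped replies with Round Robin)."""
    return (simulate(lambda *f: ip_hash_select(FIREWALLS, *f), PACKETS),
            simulate(round_robin_selector(FIREWALLS), PACKETS))

if __name__ == "__main__":
    print("dropped replies (ip_hash, round_robin):", compare())
```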

Addressed Firewalls

Interfaces have IP addresses.

Load balancers (or routers) forward traffic to the firewall as an IP next hop.

Can provide routing services.

  • Can replace routers.

Stealth Firewalls

Interfaces do not have IP addresses.

  • May have rules at multiple layers.

Load balancers (or switches) forward traffic on a per-interface/VLAN basis.

Cannot provide routing or NAT/PAT services.

  • Cannot replace routers.

Load-Balancer Instances

Load balancers may have (theoretically) isolated instances to handle different zones/groups.

  • With a set of firewalls per zone/group.

Physical or virtual partitions.

Some vendors call these "group ports".

Redundant Load Balancers

Addressed Firewalls

Balancers should share flow routing history.

  • A flow is always sent to the same firewall.

  • This avoids firewall state sharing (less load).

Stealth Firewalls

Balancers should share VLAN routing history.

  • A flow is always sent to the same VLAN/firewall.

  • This avoids firewall state sharing (less load).

Single Load Balancer

Multiple Levels of Defense

First level: stateless firewalls for DDoS protection.

Second level(s): stateful firewalls for general protection.

Information from services may be used:

  • To free resources in the stateful firewalls.

  • To configure black/white-list rules at the stateless firewalls.
