Load Balancing Firewall Load
Load-balancing equipment can distribute traffic across multiple firewalls.
Decreases the processing and memory requirements of each firewall.
Allows for scalable growth of traffic.
Makes the network less vulnerable to DoS attacks.
When it is also responsible for distributing policies/rules, it is called an orchestrator.
Algorithms
IP Hash.
The IP address (or a set of flow identifiers) of the client is used to determine which server/firewall receives the flow or request.
Does not require state maintenance: the hash function output alone determines the target, so every packet of a flow lands on the same firewall.
Round Robin.
Requests are distributed across the group of servers sequentially.
Cannot be used with stateful firewalls unless they share connection state, since later packets of a flow may be sent to a different firewall than the one that saw the first packet.
Least Connections.
A new request is sent to the server/firewall with the fewest current connections.
In the weighted variant, the relative computing capacity of each server/firewall is factored into determining which one has the least connections.
“Smart”.
Based on an external source of information.
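The following is an added example, not part of the original notes: a small simulation of the three concrete algorithms above (IP hash, round robin, weighted least connections) dispatching packets of one flow to a pool of firewalls. The point it shows is the one made for round robin: without shared state, only a dispatch that is a deterministic function of the flow (IP hash) or that remembers the flow (least connections with a table) keeps a flow on one firewall. Firewall names, addresses and the flow tuple are constructed sample data.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class Flow:
    """Flow identifiers (5-tuple) used as the hashing / tracking key."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


class IPHashBalancer:
    """IP hash: stateless, the hash of the flow identifiers picks the firewall."""

    def __init__(self, firewalls):
        self.firewalls = list(firewalls)

    def pick(self, flow):
        key = f"{flow.src_ip}|{flow.dst_ip}|{flow.src_port}|{flow.dst_port}|{flow.proto}"
        digest = hashlib.sha256(key.encode()).digest()
        return self.firewalls[int.from_bytes(digest[:8], "big") % len(self.firewalls)]


class RoundRobinBalancer:
    """Round robin: each decision moves to the next firewall, ignoring the flow."""

    def __init__(self, firewalls):
        self._next = cycle(list(firewalls))

    def pick(self, flow):
        return next(self._next)


class LeastConnectionsBalancer:
    """Weighted least connections: new flows go to the firewall with the lowest
    connections/capacity ratio; the balancer must keep a table of active flows."""

    def __init__(self, capacity):
        self.capacity = dict(capacity)   # firewall name -> relative capacity
        self.active = {}                 # flow -> firewall currently serving it

    def pick(self, flow):
        if flow in self.active:          # an existing flow keeps its firewall
            return self.active[flow]
        load = Counter(self.active.values())
        # ties are broken by firewall name so the result is deterministic
        fw = min(self.capacity, key=lambda f: (load[f] / self.capacity[f], f))
        self.active[flow] = fw
        return fw

    def close(self, flow):
        """Connection finished: free the table entry."""
        self.active.pop(flow, None)


def flow_is_pinned(balancer, flow, packets=5):
    """True if every packet of the flow is dispatched to the same firewall."""
    targets = {balancer.pick(flow) for _ in range(packets)}
    return len(targets) == 1


if __name__ == "__main__":
    fws = ["fw1", "fw2", "fw3"]
    f = Flow("198.51.100.7", "203.0.113.10", 40000, 443)   # constructed sample flow
    print("ip hash pinned:", flow_is_pinned(IPHashBalancer(fws), f))        # True
    print("round robin pinned:", flow_is_pinned(RoundRobinBalancer(fws), f))  # False
    print("least conn pinned:", flow_is_pinned(LeastConnectionsBalancer({"fw1": 1, "fw2": 2}), f))  # True
```

Two separate IPHashBalancer instances with the same pool agree on the target for a given flow without exchanging anything, which is why the hash algorithm needs no state; the least-connections balancer reaches the same pinning only through its active table, which a redundant balancer would have to share.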
Addressed Firewalls
Interfaces have IP addresses.
Load balancers (or routers) forward traffic to a firewall as an IP next hop.
Can provide routing services.
Can replace routers.
Stealth Firewalls
Interfaces do not have IP addresses.
May have multi-layer rules.
Load balancers (or switches) forward traffic on a per-interface/VLAN basis.
Cannot provide routing or NAT/PAT services.
Cannot replace routers.
Load-Balancer Instances
Load balancers may support (theoretically) isolated instances that handle different zones/groups.
Each instance serves its own set of firewalls per zone/group.
Physical or virtual partitions.
Some vendors call them group ports.
Redundant Load Balancers
Addressed Firewalls
Balancers should share routing history.
A flow is always sent to the same firewall.
This avoids firewall state sharing (less load).
Stealth Firewalls
Balancers should share VLAN routing history.
A flow is always sent to the same VLAN/firewall.
This avoids firewall state sharing (less load).
Single Load Balancer
Multi-Levels of Defense
First level: stateless firewalls for DDoS protection.
Second level(s): stateful firewalls for general protection.
Information from services may be used to free resources in the stateful firewalls:
configure black/white list rules at the stateless firewalls.
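As an added example (not from the original notes), the two-level arrangement above in simulation: a stateless first level that applies per-packet black/white list rules, and a stateful second level whose connection table is the resource being protected. A SYN flood from one constructed source is run through the pipeline with and without a block-list entry at the stateless level; the entry could come from a service that reported the abusive source. All addresses, ports and packets are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool = False   # TCP SYN flag: start of a new connection
    ack: bool = False


class StatelessFirewall:
    """Level 1: per-packet decisions only, no memory of earlier packets."""

    def __init__(self, block_src=(), allow_dst_ports=(80, 443)):
        self.block_src = set(block_src)            # black list of source addresses
        self.allow_dst_ports = set(allow_dst_ports)  # white list of services

    def accept(self, pkt):
        if pkt.src_ip in self.block_src:
            return False
        return pkt.dst_port in self.allow_dst_ports


class StatefulFirewall:
    """Level 2: keeps a connection table; every new entry costs memory, which is
    what the stateless level in front of it is meant to conserve."""

    def __init__(self, max_entries=4):
        self.table = {}                 # (src_ip, src_port, dst_ip, dst_port) -> state
        self.max_entries = max_entries  # deliberately tiny so exhaustion is visible
        self.dropped_table_full = 0

    def accept(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.table:
            return True                       # belongs to a tracked connection
        if pkt.syn and not pkt.ack:
            if len(self.table) >= self.max_entries:
                self.dropped_table_full += 1  # table exhausted: a new SYN is lost
                return False
            self.table[key] = "SYN_RECEIVED"
            return True
        return False                          # non-SYN packet with no connection


def run_pipeline(packets, stateless, stateful):
    """Pass packets through level 1 then level 2; return (reached_level2, accepted)."""
    reached = accepted = 0
    for pkt in packets:
        if not stateless.accept(pkt):
            continue
        reached += 1
        if stateful.accept(pkt):
            accepted += 1
    return reached, accepted


def demo(block_flood):
    """Run a constructed SYN flood plus one legitimate SYN through both levels."""
    flood = [Packet("198.51.100.66", "203.0.113.10", 50000 + i, 443, syn=True)
             for i in range(10)]
    legit = Packet("192.0.2.5", "203.0.113.10", 40000, 443, syn=True)
    # block-list entry for the flooding source, as if pushed down from a service report
    stateless = StatelessFirewall(block_src={"198.51.100.66"} if block_flood else set())
    stateful = StatefulFirewall(max_entries=4)
    reached, accepted = run_pipeline(flood + [legit], stateless, stateful)
    legit_ok = ("192.0.2.5", 40000, "203.0.113.10", 443) in stateful.table
    return {
        "reached_level2": reached,
        "accepted": accepted,
        "table_size": len(stateful.table),
        "legit_accepted": legit_ok,
    }


if __name__ == "__main__":
    print("no block list :", demo(block_flood=False))
    print("with block list:", demo(block_flood=True))
```

Without the entry at level 1, all eleven packets reach the stateful firewall, the flood fills its table and the legitimate SYN is dropped; with the entry, only the legitimate packet reaches level 2 and a single table entry is used.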