This is a static archive of the previous Open Grid Forum GridForge content management system saved from host forge.ogf.org file /sf/wiki/do/viewPage/projects.fi-rg/wiki/LoadBalancingFirewalls at Thu, 03 Nov 2022 01:01:54 GMT SourceForge : View Wiki Page: LoadBalancingFirewalls

wiki1625: LoadBalancingFirewalls

Load balancing firewalls


Addresses Requirement(s) P010
Contributed by Egon Grünter, Research Center Jülich
Ralph Niederberger, Research Center Jülich

An alternative is the use of "load balancing firewalls". Multiple firewalls can be deployed for scalability and reliability, but the difficulty lies in balancing the traffic on the inbound and outbound paths across the different firewalls. There are several ways to realize this idea.

Multiple firewalls are combined into a firewall farm. One firewall is designated the firewall master; it delegates traffic to the other firewalls, the slaves. It may use a hashing algorithm over fields of the TCP/IP headers to allocate traffic to the slaves. The firewall master uses ICMP redirects to specify which firewall slave will handle an incoming packet; the redirect is sent to the routing instance in front of the incoming interface. This algorithm guarantees that routers and firewalls from different vendors interoperate. Note that it balances individual streams rather than the load itself: a single 10 Gb/s stream is carried entirely by one firewall slave.

MasterSlaveLoadBalancing.png
Figure 1: master/slave load balancing

Another approach is a round robin algorithm: the master delegates each incoming packet to a different firewall. Since this is real load balancing, with one stream distributed across different firewall slaves, new problems arise. First, an algorithm has to be found for delegating the packets. Using ICMP redirects adds load and degrades network performance. Special load balancing devices placed in front of and behind the firewall farm could solve this problem; these devices use routing tables and exchange routing information. The second problem is that firewalls may or may not be synchronous. Synchronous firewalls share connection information with each other, so the packets of a given connection can pass through any firewall. Non-synchronous firewalls do not share connection information, and traffic must be revalidated each time it passes through a different firewall. Because of the huge amount of state information that would have to be exchanged, the round robin algorithm is not practicable.

LoadBalancingDevices.png
Figure 2: load balancing devices

The use of load balancing devices in front of and behind the firewall is a common approach. They do not currently use round robin; instead they use configurable algorithms. Some vendors allow the definition of particular hash algorithms and load balancing based on sessions. The devices also allow proper handling of certain protocols such as FTP. However, such devices are not sufficient as long as they do not meet the performance requirements.

Currently, load balancing is based on hashing algorithms that use address and port information from the protocol headers. Such systems distribute different streams across the firewalls, but they cannot balance a single high-speed data connection across more than one.
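The per-flow hashing described above and in the master/slave section, as an added example that is not part of the original page: a toy master that picks a slave from a direction-independent hash of the 5-tuple, showing that 200 short flows spread across the farm while a single bulk stream lands entirely on one slave. The slave names, addresses, ports and the choice of SHA-256 are constructed for illustration.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

# Constructed firewall farm: the master assigns every flow to one of these slaves.
SLAVES = ["fw-slave-1", "fw-slave-2", "fw-slave-3", "fw-slave-4"]

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int      # IP protocol number (6 = TCP)
    src_port: int
    dst_port: int
    size: int       # bytes carried by this packet

def flow_key(pkt: Packet) -> tuple:
    """Direction-independent 5-tuple: request and reply packets of one
    connection yield the same key, so both directions reach the same slave.
    A non-synchronous firewall would otherwise see only half of the connection."""
    endpoints = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    return (pkt.proto, endpoints[0], endpoints[1])

def pick_slave(pkt: Packet, slaves=SLAVES) -> str:
    """Hash the header fields and map the result onto a slave; this is the
    decision the master announces with its ICMP redirect. SHA-256 stands in
    for whatever cheaper hash a real device uses."""
    digest = hashlib.sha256(repr(flow_key(pkt)).encode()).digest()
    return slaves[int.from_bytes(digest[:4], "big") % len(slaves)]

def bytes_per_slave(packets) -> dict:
    """Bytes each slave ends up carrying for the given packets."""
    load = Counter()
    for pkt in packets:
        load[pick_slave(pkt)] += pkt.size
    return dict(load)

def demo():
    # Constructed traffic: 200 distinct client flows of one packet each ...
    many_flows = [Packet(f"10.0.0.{i}", "192.0.2.10", 6, 40000 + i, 443, 1500)
                  for i in range(200)]
    # ... versus one bulk transfer of 10,000 packets on a single connection.
    one_stream = [Packet("10.0.1.7", "192.0.2.20", 6, 50000, 5001, 1500)
                  for _ in range(10000)]
    return bytes_per_slave(many_flows), bytes_per_slave(one_stream)

if __name__ == "__main__":
    spread, single = demo()
    print("200 flows spread over slaves:", spread)   # several slaves carry load
    print("one 10,000-packet stream:", single)       # exactly one slave carries it all
```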

Attachments:
MasterSlaveLoadBalancing.png [LoadBalancingFirewalls/MasterSlaveLoadBalancing.png]
LoadBalancingDevices.png [LoadBalancingFirewalls/LoadBalancingDevices.png]
 



