
Load Balancing Servers, Firewalls and Caches - Kopparapu C.

Kopparapu C. Load Balancing Servers, Firewalls and Caches - Wiley Computer Publishing, 2002. - 123 p.
ISBN 0-471-41550-2

Network Design for Layer 2 Firewalls
Let’s first consider the case where the load balancer acts as a Layer 2 device. Since the firewalls are Layer 2 as well, the only next hop for router A is router B, in order to reach the internal network, as shown in Figure 6.8. So router A must be configured to point to router B as the next hop, as there is no Layer 3 device in between router A and router B. Once the load balancer receives packets from the router, it performs the usual load balancing and session persistence. But there is a Layer 2 loop in this topology between the load balancers and the Layer 2 firewalls, as shown in Figure 6.9. Therefore, the load balancer must have special functionality built in to avoid the Layer 2 loops as part of its traffic distribution for firewall load balancing.
Figure 6.8: Network design for Layer 2 firewalls. (Figure annotation: network design when the load balancer acts as a Layer 2 device.)
Figure 6.9: Layer 2 loops in Layer 2 firewall load-balancing designs. (Figure annotation: a Layer 2 loop exists whether the load balancer acts as a Layer 2 or Layer 3 device.)
In this case, once router A sets the destination MAC address to that of router B for the packet on its way to the internal network, the MAC address does not get modified, since there is no Layer 3 device in between routers A and B.
Let’s now consider the case where the load balancer acts as a Layer 3 device. Now, router A sees load balancer 1 as the next hop to reach the internal network. Load balancer 1 sees load balancer 2 as the next hop and load balancer 2 sees router B as the next hop to reach the internal network. When load balancer 1 is sending packets to load balancer 2 through the firewalls, it must set the destination MAC address to that of load balancer 2 before sending the packet to the firewall. Since the firewall is a Layer 2 device, once it decides to allow the packet, it forwards the packet at Layer 2, based on the destination MAC address.
Advanced Firewall Concepts
In this section we will cover some advanced firewall concepts that affect firewall load-balancing design or behavior.
Synchronized Firewalls
When a session is initiated, the firewall determines whether to allow it, based on the security policies. If the firewall allows the session, it maintains a context for the session to forward all subsequent packets for that session until the session is terminated. But only one firewall is aware of the information about a given session at any given time. If a firewall fails, the load balancer can send the session on the failed firewall to other firewalls. But the other firewalls will block the traffic for those sessions because they do not have the necessary context. The sessions must be terminated and reestablished to pass through the firewalls. Firewall synchronization addresses this problem. The exact support for synchronization varies from one firewall product to another. In firewall synchronization, a firewall shares the session context with other firewalls so that any firewall may process the traffic for a given session. Nevertheless, firewalls will typically require that all traffic for a given session must pass through only one firewall, as long as it is up and running, for performance reasons. If a firewall fails, the load balancer may send the traffic to another firewall, which has already obtained the context information from the failed firewall. As the number of firewalls increases, synchronization causes a lot of overhead and can slow down the performance because each firewall must process the synchronization messages from every other firewall.
If firewalls are synchronized, we can get stateful failover in firewall load balancing when a firewall fails, so that traffic for any existing sessions continues to flow uninterrupted.
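The failover behaviour described above, as an added model that is not code from the book: two firewalls each keep their own session context, a load balancer keeps persistence, and a mid-session packet is replayed after the owning firewall fails, with and without synchronization. The Firewall and FirewallLoadBalancer classes, the allow-port-443 policy and the addresses are all constructed for the illustration.

```python
class Firewall:
    """Constructed model of one firewall (added example, not the book's code)."""
    def __init__(self, policy_allows):
        self.policy_allows = policy_allows  # callable(session) -> bool
        self.sessions = set()               # this firewall's session context
        self.up = True

    def process(self, session, first_packet):
        """Return True if the packet is forwarded, False if dropped."""
        if first_packet:
            if not self.policy_allows(session):
                return False
            self.sessions.add(session)      # create context for the session
            return True
        # Later packets pass only if this firewall already holds the context.
        return session in self.sessions

class FirewallLoadBalancer:
    def __init__(self, firewalls, synchronized):
        self.firewalls = firewalls
        self.synchronized = synchronized
        self.persistence = {}               # session -> firewall handling it

    def select(self, session):
        fw = self.persistence.get(session)
        if fw is None or not fw.up:         # new session, or its firewall failed
            fw = next(f for f in self.firewalls if f.up)
            self.persistence[session] = fw
        return fw

    def send(self, session, first_packet):
        fw = self.select(session)
        forwarded = fw.process(session, first_packet)
        if forwarded and first_packet and self.synchronized:
            # Synchronization: the owning firewall shares the new context with every peer.
            for peer in self.firewalls:
                if peer is not fw:
                    peer.sessions.add(session)
        return forwarded

def failover_demo(synchronized):
    """Open a session, fail its firewall, return (opened, next packet still passes)."""
    policy = lambda s: s[2] == 443      # constructed policy: allow HTTPS only
    fws = [Firewall(policy), Firewall(policy)]
    lb = FirewallLoadBalancer(fws, synchronized)
    session = ("10.0.0.5", "198.51.100.7", 443)   # made-up session key
    opened = lb.send(session, first_packet=True)
    fws[0].up = False                   # firewall 1 fails mid-session
    return opened, lb.send(session, first_packet=False)
```

Without synchronization the surviving firewall drops the session's next packet because it has no context; with synchronization the packet passes, which is the stateful failover the text describes.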
Firewalls Performing NAT
Many firewalls provide built-in support for Network Address Translation (NAT) so that the internal network can have private IP addresses. We care about NAT in firewall load balancing because it may break the session persistence to firewalls. When a firewall performs NAT, as shown in the configuration in Figure 6.10, it changes the destination or source IP address in the packet depending on the direction of the packets. Each firewall is configured with an IP address for use in NAT. When firewall 2 receives a request packet originating from inside client going to outside network IP address, it changes the source IP address from to the NAT address
Figure 6.10: Load-balancing firewalls that perform NAT.
If we use stateless load balancing, the load balancer on each side will be hashing on different values because the firewalls change the IP address as part of NAT. Let’s suppose that the load balancers hash on source and destination IP addresses in each packet to select a firewall. When load balancer 1 sees the reply packet from IP address going to, load balancer 2 sees the request packet going from to This can lead each load balancer to pick a different firewall for the same session, thus breaking the session persistence. To avoid this, the load balancer must implement additional logic to send any traffic destined to a NAT IP address to the corresponding firewall instead of load balancing it. In this example, load balancer 1 should simply forward the reply packet to firewall 2 because the destination IP address in the packet is the NAT address of firewall 2.
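The persistence break described above, as an added example that is not code from the book: both load balancers hash on the source and destination IP addresses, firewall NAT rewrites the source, and the two sides disagree on the firewall for the reply until the NAT-aware forwarding rule is added. The octet-sum hash, the firewall names and all addresses are constructed for the illustration.

```python
# Constructed topology: two firewalls, each with its own NAT address (made-up values).
FIREWALLS = ["firewall1", "firewall2"]
NAT_ADDRESS = {"firewall1": "203.0.113.1", "firewall2": "203.0.113.2"}
NAT_OWNER = {addr: fw for fw, addr in NAT_ADDRESS.items()}

def ip_octet_sum(ip):
    return sum(int(octet) for octet in ip.split("."))

def hash_select(src_ip, dst_ip):
    """Stateless selection: a simplified symmetric hash on the source and
    destination IP addresses, so both load balancers agree on a firewall
    as long as the packet carries the same addresses on both sides."""
    return FIREWALLS[(ip_octet_sum(src_ip) + ip_octet_sum(dst_ip)) % len(FIREWALLS)]

def nat_aware_select(src_ip, dst_ip):
    """The extra logic from the text: a packet addressed to a firewall's NAT
    address is forwarded to that firewall; anything else is hashed."""
    if dst_ip in NAT_OWNER:
        return NAT_OWNER[dst_ip]
    return hash_select(src_ip, dst_ip)

def trace_session(client_ip, server_ip, nat_aware):
    """Return (firewall picked by load balancer 2 for the inside-to-outside
    request, firewall picked by load balancer 1 for the reply)."""
    select = nat_aware_select if nat_aware else hash_select
    fw_request = select(client_ip, server_ip)   # load balancer 2 (inside)
    nat_src = NAT_ADDRESS[fw_request]           # that firewall rewrites the source
    # The reply is addressed to the NAT address; that is what load balancer 1 sees.
    fw_reply = select(server_ip, nat_src)
    return fw_request, fw_reply
```

With the plain hash the request goes through firewall 2 but the reply is hashed to firewall 1; the NAT-aware rule sends the reply to firewall 2 because its destination is firewall 2's NAT address.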