This approach requires each firewall to have four network interfaces.
Figure 6.14: Interaction between firewalls and load balancers, part 1.
While using four network interfaces in each firewall provides the maximum scalability, some firewalls cost a lot more to provide the extra network interfaces. To avoid getting firewalls with four interfaces, we can connect half the firewalls to each load balancer, thus requiring only two network interfaces per firewall, as shown in Figure 6.15. Figure 6.15 illustrates how four firewalls would be divided between the load balancers. Each load balancer can either distribute the traffic among the firewalls directly connected to itself, or distribute the traffic among all firewalls by accessing the other two firewalls through the other load balancer. While this design is simple and can cost less because of the fewer network interfaces, the disadvantage is that we lose access to half the firewalls if a load balancer fails. But this may be an acceptable trade-off for many users.
With this approach, it's sufficient to have two interfaces per firewall, but when a load balancer fails we lose access to half the firewalls.
Figure 6.15: Interaction between firewalls and load balancers, part 2.
No matter which design we choose, high-availability firewall load balancing will involve some amount of complexity. But, in return, the network administrators may enjoy the reliability and fault tolerance this design provides.
Multizone Firewall load balancing
So far, we have discussed network configurations in which firewalls have two interfaces connecting to the outside and inside networks. The firewalls enforce a common set of access-control policies for all hosts in the inside network. What if we could carve out two different types of inside networks, where one zone is more restrictive of access from outside networks than the other? Network administrators often create a separate zone for hosts such as Web servers or FTP servers that must be reachable from anywhere in the outside network. Load balancing firewalls that enforce separate access policies for different zones is known as multizone firewall load balancing. The zone created for Web servers and FTP servers allows access by outside clients and is also referred to as the demilitarized zone (DMZ), as shown in Figure 6.16.
Figure 6.16: Firewall with multiple zones.
Figure 6.17 shows an example of multizone firewall load balancing. Here, the load balancer identifies the destination zone for each packet and forwards the packet to the appropriate firewall in the selected zone. To accomplish this, we must configure the load balancer to identify the network addresses that belong to different zones.
Figure 6.17: Multizone firewall load balancing (zones shown: internal network, demilitarized zone).
Multizone firewall load balancing can quickly become very complex as the number of zones increases. If we need a high-availability design in multizone configuration, the number of boxes in the design will become quickly unmanageable. Fortunately, some load-balancing products can consolidate the functionality of different zones into one load balancer. This can simplify the design by reducing the number of load balancers required.
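As an added illustration of the zone lookup described above (example code written for this page, not from the book or any load-balancing product), the Python below classifies each packet by the zone of its endpoints using a constructed prefix table, pins both directions of a flow to one firewall in that zone's pool, and reselects when a firewall is marked down. The zone names, prefixes and firewall names are constructed sample values.

```python
import hashlib
import ipaddress

# Constructed zone table (sample values): each zone lists its address prefixes and its firewalls.
ZONES = {
    "dmz": {"prefixes": ["203.0.113.0/24"], "firewalls": ["fw-dmz-1", "fw-dmz-2"]},
    "internal": {"prefixes": ["10.0.0.0/8"], "firewalls": ["fw-int-1", "fw-int-2"]},
}


class MultizoneFirewallLB:
    def __init__(self, zones):
        self.zones = zones
        # Longest prefix first, so overlapping prefixes resolve to the most specific zone.
        self.table = sorted(
            ((ipaddress.ip_network(p), z) for z, c in zones.items() for p in c["prefixes"]),
            key=lambda e: e[0].prefixlen, reverse=True)
        self.failed = set()   # firewalls currently marked down
        self.sessions = {}    # flow key -> (zone, firewall): the stateful part

    def zone_of(self, addr):
        ip = ipaddress.ip_address(addr)
        return next((z for net, z in self.table if ip in net), None)

    @staticmethod
    def flow_key(src, sport, dst, dport, proto):
        # Sort the two endpoints so a packet and its reply yield the same key.
        a, b = sorted([(src, sport), (dst, dport)])
        return (proto, a, b)

    def select(self, src, sport, dst, dport, proto="tcp"):
        """Return (zone, firewall) for a packet, or None if no zone applies."""
        key = self.flow_key(src, sport, dst, dport, proto)
        hit = self.sessions.get(key)
        if hit and hit[1] not in self.failed:
            return hit   # an established flow stays on the firewall holding its state
        # Zone membership is taken from both endpoints so the reply direction
        # lands in the same pool; when both ends are zoned, the alphabetically
        # first zone name wins (a tie-break chosen for this example only).
        zones = sorted(z for z in (self.zone_of(dst), self.zone_of(src)) if z)
        if not zones:
            return None   # neither endpoint is in a protected zone
        pool = [fw for fw in self.zones[zones[0]]["firewalls"] if fw not in self.failed]
        if not pool:
            return None   # every firewall guarding this zone is down
        digest = hashlib.sha256(repr(key).encode()).digest()
        choice = (zones[0], pool[int.from_bytes(digest[:4], "big") % len(pool)])
        self.sessions[key] = choice
        return choice
```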
VPN load balancing
Virtual Private Network (VPN) devices are special firewall devices that allow secure connectivity between two computers over a public network. Typically, VPN devices are used for secure communication over the Internet between a corporate office and its branch offices. IPsec is an industry-standard protocol used by VPN devices to communicate with each other. A VPN device typically functions as a firewall while simultaneously providing the VPN functionality. Load balancing VPN connections may require special work, but it depends on exactly how the VPN devices work. IPsec-based traffic is encrypted except for the IP header, which shows the source and destination IP addresses; a load balancer can therefore distribute such traffic only on those outer addresses, not on ports or other transport-layer fields. Users should check with their load-balancing product vendor for specific interoperability test results between a VPN product and the load balancers.
Because the firewall is an essential component of every enterprise network, firewall load balancing is a valuable tool for network administrators to address firewall scalability, manageability, and availability. Just as in server load balancing, stateful firewall load balancing is a technically superior way to provide stateful failover and fine-grained load distribution. By using an active-active design for the load balancers together with synchronized firewalls, we can reach the highest levels of availability and provide stateful failover in case of a firewall or load-balancer failure. Firewall load balancing can get quite complex to design, especially when high availability or multizone firewall load balancing is required.
Chapter 7: Load-Balancing Caches
This chapter introduces the fundamental concepts of caching and provides a high-level overview of how caches work and how they can be deployed. We then examine the issues driving the need for intelligent switching and load balancing of caches, and discuss the various methods for cache load balancing.