What is Firewall Load Balancing (FWLB)?
Firewall Load Balancing is a deployment architecture in which multiple firewall systems are placed behind Server Load Balancers. Network traffic that must pass through the firewalls is load balanced across the group, providing a scalable and highly available security infrastructure.
Security firewalls are mission critical for any network infrastructure. A robust security infrastructure requires a reliable, highly-available and scalable firewall infrastructure. Business activities are severely hindered or halted altogether when Internet connectivity fails. Firewall infrastructures are crucial to ensure business continuity.
Best-in-class firewall architectures include some form of load balancing solution. This article will describe a cluster of firewall systems load balanced behind Application Delivery Controller (ADC) network load balancing systems.
Firewall Load Balancing Solution
An array of firewall systems, configured as a load-balanced group, is sandwiched between Server Load Balancing systems. Traffic from the Internet is directed to one firewall within the group. Traffic from the organization's internal network is distributed in a similar fashion.
Server Load Balancing systems track network sessions. New network connections are load balanced to the least loaded firewall. Traffic belonging to an established session is routed to the same firewall, so that the firewall holding the session state continues to perform packet inspection and ongoing security analysis.
Firewall Load Balancing Benefits
Firewalls are required to transfer ever increasing amounts of traffic between insecure networks. Each packet passing through a firewall has to be inspected, analyzed, compared to network control policies and security rules, and often modified. Firewall systems are essentially computer systems, and this processing consumes CPU, memory and network I/O. Every firewall therefore has a limit on the amount of network traffic it can support.
Adding firewall systems is required as traffic grows. In a load balanced configuration, additional firewalls can be added dynamically to increase capacity. Firewall capacity can be added live without affecting the existing firewall systems.
Load balancing application servers is a common way to provide highly available application infrastructures. The same technique works for firewall systems. When multiple firewalls are load balanced, a single firewall failure does not cause a serious outage. User sessions that were served by the failed firewall are routed to other firewall systems, and the user sessions are re-established.
Firewall maintenance is difficult in non-load balanced environments. Changing security policies on live systems can easily cause unforeseen issues and outages. Systems behind an ADC load balancer can be removed from service without user disruption and then upgraded, replaced, or updated with new security policies. These systems can be tested by operations before being returned to service.
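The session tracking, least-loaded selection, failover and maintenance drain described above, as an added toy model that is not part of the original article (firewall names and addresses are constructed). The flow key is built direction-independently, so the reply half of a session lands on the same firewall as the request half; without that symmetry a stateful firewall sees only one direction and drops or mis-inspects the session.

```python
from dataclasses import dataclass, field

@dataclass
class Firewall:
    name: str
    state: str = "up"            # "up" | "draining" (maintenance) | "down" (failed)
    flows: set = field(default_factory=set)

class FirewallLoadBalancer:
    """Session-aware distribution across a firewall group (constructed example)."""

    def __init__(self, firewalls):
        self.firewalls = {fw.name: fw for fw in firewalls}
        self.flow_table = {}     # direction-independent 5-tuple -> firewall name

    @staticmethod
    def flow_key(src, sport, dst, dport, proto):
        # Sort the two endpoints so request and reply packets share one key.
        ends = sorted([(src, sport), (dst, dport)])
        return (proto, ends[0], ends[1])

    def select(self, src, sport, dst, dport, proto):
        """Return the firewall that should inspect this packet."""
        key = self.flow_key(src, sport, dst, dport, proto)
        name = self.flow_table.get(key)
        if name is not None and self.firewalls[name].state != "down":
            return name          # established session stays put, even while draining
        candidates = [fw for fw in self.firewalls.values() if fw.state == "up"]
        if not candidates:
            raise RuntimeError("no firewall available for new sessions")
        chosen = min(candidates, key=lambda fw: len(fw.flows))  # least connections
        chosen.flows.add(key)
        self.flow_table[key] = chosen.name
        return chosen.name

    def drain(self, name):
        """Maintenance: no new sessions; existing ones finish on this firewall."""
        self.firewalls[name].state = "draining"

    def restore(self, name):
        """Return a tested firewall to service for new sessions."""
        self.firewalls[name].state = "up"

    def fail(self, name):
        """Outage: forget its sessions so clients re-establish on a live firewall."""
        fw = self.firewalls[name]
        fw.state = "down"
        for key in fw.flows:
            self.flow_table.pop(key, None)
        fw.flows.clear()
```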