Firewall Overview


Before we progress into the murky depths of firewall load balancing, it is important to understand that firewall manufacturers use many different methods to provide security. Today, the majority of firewalls are stateful.

Stateful Firewall

This means that the firewall needs to see the entire session between source and destination and will hold a virtual session open, allowing the flow of traffic. This gives network administrators control over all protocol types and ensures that only bona fide initiated sessions are given access.

While a stateful firewall is without a doubt the best method to protect a site, it is easy to see the overhead that can be placed on these devices. A typical TCP session setup would progress through the following steps:

  1. TCP SYN arrives at firewall

  2. Once the packet has been read into the software, the firewall checks it against its policies to see if it is from a valid network and for a valid service.

  3. In addition, the source IP (SIP), destination IP (DIP), source port (Sport), destination port (Dport), sequence, and acknowledgment numbers are recorded before the packet is forwarded through the firewall.

  4. On receipt of the TCP SYN ACK, the firewall needs to ensure that it is from a valid network and that it is a response to the TCP SYN already recorded in its state table.

  5. On determination that this is a valid session, the forwarding of the data portion of this session is passed into a fast path or express forwarding engine. This is done to relieve the overhead associated with inspecting every single packet.

  6. On receipt of the TCP FIN and subsequent FIN ACKs, the firewall will delete the session from its state table.
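The six steps above as a minimal connection tracker, added here as an illustration rather than code from the book or any vendor: a policy check on the SYN, a state-table entry keyed by the initiator's addresses and ports, a check that the SYN-ACK answers a recorded SYN, an express ("fast") verdict for established traffic, and deletion after both FINs. The policy, addresses and packet sequence are constructed for the example.

```python
from collections import namedtuple

SYN, ACK, FIN = 0x02, 0x10, 0x01
# Constructed policy: (allowed source prefix, allowed destination port).
POLICY = [("10.1.", 80), ("10.1.", 443)]
Packet = namedtuple("Packet", "sip dip sport dport seq ack flags")

class StatefulFirewall:
    def __init__(self):
        self.table = {}  # initiator (SIP, DIP, Sport, Dport) -> state record

    def policy_allows(self, p):
        return any(p.sip.startswith(n) and p.dport == d for n, d in POLICY)

    def inspect(self, p):
        """Return 'slow' (full inspection), 'fast' (express path) or 'drop'."""
        fwd = (p.sip, p.dip, p.sport, p.dport)
        rev = (p.dip, p.sip, p.dport, p.sport)
        if p.flags & SYN and not p.flags & ACK:        # steps 1-3: new session
            if not self.policy_allows(p):
                return "drop"
            self.table[fwd] = {"state": "SYN_SENT", "seq": p.seq, "fins": 0}
            return "slow"
        if p.flags & SYN:                              # step 4: SYN-ACK must answer a recorded SYN
            rec = self.table.get(rev)
            if rec is None or rec["state"] != "SYN_SENT" or p.ack != rec["seq"] + 1:
                return "drop"                          # unsolicited or mismatched SYN-ACK
            rec["state"] = "ESTABLISHED"
            return "slow"
        key = fwd if fwd in self.table else rev
        rec = self.table.get(key)
        if rec is None or rec["state"] != "ESTABLISHED":
            return "drop"                              # no bona fide session in the table
        if p.flags & FIN:                              # step 6: delete after FIN and FIN ACK
            rec["fins"] += 1
            if rec["fins"] == 2:
                del self.table[key]
            return "slow"
        return "fast"                                  # step 5: express forwarding engine

def run_demo():
    fw = StatefulFirewall()
    c, s = ("10.1.0.5", "192.0.2.10", 40000, 80), ("192.0.2.10", "10.1.0.5", 80, 40000)
    flow = [Packet(*c, 100, 0, SYN), Packet(*s, 500, 101, SYN | ACK),
            Packet(*c, 101, 501, ACK), Packet(*c, 150, 501, FIN | ACK),
            Packet(*s, 501, 151, FIN | ACK), Packet(*s, 900, 1, SYN | ACK),
            Packet("172.16.0.9", "192.0.2.10", 5000, 80, 1, 0, SYN)]
    return [fw.inspect(p) for p in flow], len(fw.table)
```

The last two packets in the demo are a stray SYN-ACK with no matching SYN and a SYN from a network the policy does not permit; both are dropped and the state table is empty once the FIN exchange completes.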

The reason for showing the typical steps associated with session validation is to demonstrate the intelligence and effectiveness of a firewall while illustrating the processor-intensive functions required. Remember that the firewall will need to carry out this type of inspection for every TCP session, and this, in large or busy sites, can be in the thousands, if not tens of thousands, per second.

It would be fair to say that this is a very broad overview, and each firewall manufacturer will have their own algorithm and method by which they first validate the connection and then forward that session as quickly as possible. It is not our intention to discuss each method in detail, but suffice it to say that a stateful firewall is a very complex and intelligent device. Other applications such as NAT also need to be performed somewhere within this process. Again, each manufacturer has their own way and order in which this is implemented. But again, these types of requirements place large overheads on firewall processors and this ultimately impacts network performance.

Firewall Synchronization

To provide resilience, two firewalls are often deployed. These can be in active/standby mode or in active/active mode. Because stateful firewalls hold those virtual sessions, it is easy to have the session table copied between firewalls, ensuring that they all have the same view of the network. By doing this, firewalls allow for a failure to occur on any firewall while the recovery is transparent to the user. This method is great for resilience, but it still needs to rely on some software or hardware to load balance the incoming and outgoing packets. In addition, the total number of sessions supported is equal to that of a single firewall, as each firewall needs to hold an exact replica of the other's session table. This is great for resilience, but it does mean that designs must take into account the total sessions possible and deploy the correct firewall to cater for the requirement.

Layer 2 Firewalls

Most firewalls today are routed firewalls. In other words, they have an IP address on the dirty side and an IP address on the clean side and they route the packet from one interface to the other if the policy allows access. Traditionally, this has been the only method and one that is accepted as being satisfactory. However, with the emergence of time-sensitive applications and considerable external threats, some manufacturers offer the ability to provide a Layer 2 firewall.

As can be expected, this relies on Layer 2 addressing for forwarding but still ensures that the packet, with all its Layer 3 and 4 information, is validated for access. It basically sits in the data path as a Layer 2 switch does today and inspects each packet passing through the device. By not actively participating in the Layer 3 routing process, it is able to "invisibly" inspect the data, and it is this that makes it appealing to some customers. This type of firewall has many advantages:

  • Organizations that have a large investment in routed networks and legacy applications need not make any changes to network topology.

  • Deployment is very easy, as no address change to any devices is required.

  • Backout or uninstallation is simple, as no address changes are needed.

  • As the device has no public facing IP address, it is very difficult to hack or connect to.

  • It is invisible to users and can be deployed in environments where there is a tendency to test the extremes and capabilities of any new security device.

  • It minimizes network latency, as no Layer 3 routing is required once a session has been established.

Layer 2 firewalls offer no additional protection in terms of the actual software they run, but rather provide transparency and easy-to-install and de-install procedures.

When configuring firewall load balancing, understanding how the firewall will behave is critical, as the different types will require a different configuration and in some cases cannot be effectively load balanced. Further to this, the "dark art" of firewall load balancing can often create uncertainty when dealing with firewall administrators, as the deployment method often breaks traditional Layer 3 rules. Understanding how the firewall operates will certainly assist you not only in troubleshooting the network but also with ensuring that the firewalls are properly configured to allow for firewall load balancing.



Optimizing Network Performance with Content Switching: Server, Firewall and Cache Load Balancing
ISBN: 0131014684
Year: 2003
Pages: 85
