8-1. Firewall Load Balancing Overview

You can implement firewalls to provide security in several ways. Table 8-1 is a quick comparison between a single firewall, a firewall failover pair, and a firewall farm that uses Firewall Load Balancing (FWLB).

Table 8-1. Comparison of Firewall Availability

| Attribute | Single Firewall | Firewall Failover | FWLB |
|---|---|---|---|
| Cost | Lower. Only one firewall unit is needed. | Medium. Two units are needed. | Higher. At least two firewall units are needed, along with load-balancing devices. |
| Firewall Points of Failure | One: the firewall itself. | None. The firewall pair can be physically separated. | None. All firewalls are grouped to make up a firewall farm. |
| Performance | Limited to a single firewall. | Limited to a single firewall. Only one of the pair actively inspects traffic at any time. | Proportional to the number of firewall units. In theory, each can be used to its full capacity with ideal load balancing. |
| Load Balancing | None. | None. The active unit inspects all connections. | Connections are assigned to firewalls according to a hash function. All units can inspect traffic at the same time. |
| Reaction to a Firewall Failure | No traffic is forwarded or inspected. | All connections shift to the standby firewall. | New connections are assigned to other working firewalls in the farm. |
| Additional Hardware Needed | None. | None. | An FWLB device must be present on every side of the firewall farm. With the Catalyst 6500 Content Switching Module (CSM), a single CSM performs FWLB on both (or all) sides of a firewall farm. |
To distribute connections among firewall farm members, FWLB requires an additional load-balancing function on each side of the firewall farm, as illustrated in Figure 8-1. This ensures that connections are distributed across the firewalls and that the inbound and outbound traffic for each connection is always sent to the same firewall.

Figure 8-1. Firewall Load-Balancing Concept
You can use the following methods to load-balance firewall traffic, in any combination:

Load-balancing software

As packets are switched, they are inspected so that new connections can be forwarded through a firewall farm. The following attributes apply to software-based load balancing:

- Cisco IOS software (native code only) can be used on the Catalyst 6500 switch platform for IOS Firewall Load Balancing (IOS FWLB), a subset of the Server Load Balancing (IOS SLB) feature.
- Firewalls are configured as a firewall farm.
- When traffic is routed through the firewall farm, connections are transparently distributed to individual firewalls.
- See section 8-2, "Firewall Load Balancing in Software," for complete information.

Load-balancing hardware

Load-balancing devices appear as next-hop routers that distribute connections to members of a firewall farm. Firewall connections are load-balanced by embedded hardware with the following attributes:

- The Cisco Catalyst 6500 Content Switching Module (CSM) can be used for firewall load balancing as a part of the Accelerated Server Load Balancing (ASLB) feature.
- Firewalls are configured as normal server farms.
- As traffic is received on an ingress VLAN, the CSM transparently distributes connections to individual firewalls.
- See section 8-3, "Firewall Load Balancing in Hardware," for complete information.

Load-balancing appliances

External content-switching appliances are placed on each side of a firewall farm. Connections are distributed among the members of the farm according to the following characteristics:

- The Cisco Content Services Switch (CSS) family can be used for firewall load balancing.
- Firewalls are configured individually; the CSS views them as a list of usable firewalls rather than a firewall farm.
- The CSS distributes connections to firewalls according to the destination route and a hash algorithm based on IP addresses.
- See section 8-4, "Firewall Load-Balancing Appliance," for complete information.
TIP

You can mix different firewall load-balancing methods to distribute the load across a firewall farm. For example, you might use a CSM on the outside edge of the firewall farm to balance inbound connections and IOS FWLB on the inside to balance outbound connections. Combinations of load-balancing technology are completely valid and can be chosen because of funding constraints or the placement of existing network hardware. In this case, however, you should be careful to configure the load balancer on each side of the firewall farm with compatible and matching load-balancing algorithms and routing information. Otherwise, it is easy to get into a situation where certain firewalls in the farm are handed more connections than others. Also, if the two load balancers aren't configured with matching algorithms, connections might be handed off asymmetrically: the original traffic (forward direction) for a connection might be given to one firewall, while the return traffic is given to another firewall. Neither firewall would be able to inspect the complete connection, causing the connection to fail or become broken. Remember that firewalls receive connection assignments in both directions from both load balancers. (This assumes that firewall load balancing occurs on only the inside and outside interfaces. You can also have firewall load balancers located on more than two interfaces, in the case of demilitarized zones [DMZs] and so on.)
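The following is an added illustration of the asymmetry problem described in the tip above; it is a constructed model, not Cisco's actual CSM, IOS FWLB or CSS hash algorithm. It assumes a three-firewall farm, an outside balancer that hashes client-to-server traffic, and an inside balancer that hashes the reversed server-to-client tuple, and it compares a direction-independent hash (both directions land on the same firewall) with a direction-dependent one (return traffic can land elsewhere).

```python
import hashlib
from collections import Counter

# Constructed farm of three firewalls (names are placeholders, not from the text).
FIREWALLS = ["fw1", "fw2", "fw3"]


def symmetric_hash(src_ip: str, dst_ip: str, farm_size: int) -> int:
    """Order-independent hash of the IP pair, so that forward and return
    traffic of one connection select the same firewall index."""
    key = "|".join(sorted((src_ip, dst_ip))).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % farm_size


def directional_hash(src_ip: str, dst_ip: str, farm_size: int) -> int:
    """Order-dependent hash: swapping src and dst (the return direction)
    generally yields a different firewall index."""
    key = f"{src_ip}|{dst_ip}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % farm_size


def assign_connections(connections, outside_hash, inside_hash):
    """Hand each connection to the outside balancer (client -> server) and its
    return traffic to the inside balancer (server -> client).

    Returns (per-firewall load as seen by the outside balancer,
             number of connections whose two directions hit different firewalls).
    """
    load = Counter()
    asymmetric = 0
    for client_ip, server_ip in connections:
        fwd = FIREWALLS[outside_hash(client_ip, server_ip, len(FIREWALLS))]
        ret = FIREWALLS[inside_hash(server_ip, client_ip, len(FIREWALLS))]
        load[fwd] += 1
        if fwd != ret:
            asymmetric += 1  # neither firewall sees the full connection
    return dict(load), asymmetric


# Constructed sample of 60 connections (client, server); documentation addresses.
SAMPLE = [(f"203.0.113.{i}", f"192.0.2.{(i % 4) + 10}") for i in range(1, 61)]

if __name__ == "__main__":
    ok_load, ok_bad = assign_connections(SAMPLE, symmetric_hash, symmetric_hash)
    print("direction-independent hash:", ok_load, "asymmetric:", ok_bad)
    mm_load, mm_bad = assign_connections(SAMPLE, directional_hash, directional_hash)
    print("direction-dependent hash:  ", mm_load, "asymmetric:", mm_bad)
```

The second run shows that even identical algorithms on both sides are not enough unless the hash (or the inside balancer's field selection) is direction-agnostic.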