09:56 AM
Greg Ferro

Is Your Load Balancer A Firewall?

If you've already set up a load balancer, do you really need a firewall, too? Our blogger says no.

There is no technical reason to put a firewall in front of your load balancers: a load balancer is a firewall in its own right. Security professionals who feel their livelihoods threatened will of course claim you need a firewall (and their services) anyway, but that is a policy argument, not a technical one.

A working definition of a firewall is a device that selectively forwards or denies traffic. By that definition, a router configured with an access list to filter packets is a "firewall." An access control list (ACL), however, is stateless: it judges each packet on its own header fields. To let return traffic back in, a stateless ACL has to permit any TCP segment carrying the ACK or RST flag (the classic "established" match), and for UDP, which has no flags at all, it has to permit the return ports outright. A packet crafted with the right flags walks straight through, which is why an ACL on its own is generally regarded as a poor firewall.

Modern firewalls use stateful inspection engines so that packets in both directions are matched to an approved connection. The firewall records each session its policy allowed to open (the address and port pairs and, for TCP, the handshake and sequence state) and forwards only packets that belong to a session in that table. That is the basic firewall definition; nothing more is needed to meet the minimum expectations of a firewall.

Now consider how a load balancer handles a simple load-balancing flow. A TCP connection from the client arrives at the load balancer, which tracks the state of the session and selects which server in a pool should receive it. Return packets from that server are rewritten back into the client's flow and sent on to the user; a load balancer working as a full proxy goes further and terminates the client connection itself, opening a separate connection to the server. Either way, the load balancer clearly has a stateful inspection engine.

What about filtering? It is not difficult for any network device to implement an access list. A load balancer is configured to listen for connections on particular ports, such as 80 and 443, and ignores everything else, which sounds a lot like a firewall. And since most load balancer hardware uses merchant silicon from the usual suppliers (such as Fulcrum and Broadcom), the filtering process is no different from that of any other router or switch.
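The contrast drawn in the last few paragraphs between a stateless ACL and a stateful engine, as an added illustration (not code from the article or from any load balancer product). It models a router-style ACL with an "established" match next to a toy load balancer that keeps a connection table keyed on the client's address and port, picks a backend round-robin on each new SYN to a listening port, and rewrites server replies back to the virtual IP. The VIP, backend addresses, listening ports and packet trace are all constructed, and the table is keyed on the 4-tuple only; a real engine also validates TCP sequence numbers.

```python
"""Stateless 'established' ACL versus the connection table a load
balancer (or firewall) keeps.  Added illustration, not the article's
or any vendor's code.  VIP, backends, ports and the packet trace are
constructed."""
from dataclasses import dataclass, field
from itertools import cycle

VIP = "203.0.113.10"                    # constructed virtual IP
BACKENDS = ["10.0.0.11", "10.0.0.12"]   # constructed server pool
LISTEN_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # subset of {"SYN", "ACK", "FIN", "RST"}


def stateless_acl(pkt: Packet) -> bool:
    """Router-style ACL: permit new connections to the listening ports,
    plus anything that merely *claims* to belong to an open connection
    (the classic 'established' match on ACK/RST).  Nothing verifies that
    such a connection was ever opened."""
    if pkt.dst == VIP and pkt.dport in LISTEN_PORTS:
        return True
    return bool(pkt.flags & {"ACK", "RST"})


@dataclass
class LoadBalancer:
    """Stateful engine: a SYN to a listening VIP port creates a table
    entry and selects a backend; every other packet, in either
    direction, must match an entry or it is dropped."""
    table: dict = field(default_factory=dict)   # client 4-tuple -> backend
    pool: cycle = field(default_factory=lambda: cycle(BACKENDS))

    def forward(self, pkt: Packet):
        """Return the rewritten packet, or None if it is dropped."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            if pkt.dst != VIP or pkt.dport not in LISTEN_PORTS:
                return None                      # not a service we offer
            if key not in self.table:            # retransmitted SYN keeps its backend
                self.table[key] = next(self.pool)
            return Packet(pkt.src, pkt.sport, self.table[key], pkt.dport, pkt.flags)
        if key in self.table:                    # client -> server: NAT the destination
            return Packet(pkt.src, pkt.sport, self.table[key], pkt.dport, pkt.flags)
        for (c_ip, c_port, v_ip, v_port), backend in self.table.items():
            if key == (backend, v_port, c_ip, c_port):   # server -> client
                return Packet(v_ip, v_port, c_ip, c_port, pkt.flags)  # un-NAT the source
        return None                              # no session in the table: dropped


def run_trace():
    """Feed a constructed trace through both; returns (acl, lb) verdicts per packet."""
    lb = LoadBalancer()
    client = ("198.51.100.7", 40000)
    trace = [
        Packet(*client, VIP, 80, frozenset({"SYN"})),                 # new connection
        Packet("10.0.0.11", 80, *client, frozenset({"SYN", "ACK"})),  # backend replies
        Packet(*client, VIP, 80, frozenset({"ACK"})),                 # handshake completes
        Packet("198.51.100.9", 5555, VIP, 22, frozenset({"ACK"})),    # unsolicited ACK probe
        Packet("198.51.100.9", 5556, VIP, 8080, frozenset({"SYN"})),  # port not offered
    ]
    return [(stateless_acl(p), lb.forward(p) is not None) for p in trace]
```

The fourth packet is the one that matters: an ACK-flagged probe to a port the VIP does not serve passes the ACL, because the ACL has no way to know that no such connection exists, while the load balancer drops it for exactly that reason.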

Let's consider some of the other "security features" that a firewall implements:

Reverse path forwarding (RPF) checks that the source address of an arriving packet is reachable, according to the routing table, through the interface it arrived on, and drops the packet otherwise; this blocks a large class of source-address spoofing. This previously required specialist hardware to run at high speed, but that hardware is now commoditized and all firewall software implements RPF. Load balancers perform the same function, just like a firewall.
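The RPF check described above, as an added example that is not part of the article or of any vendor's implementation. It runs both strict and loose unicast RPF against a constructed three-entry routing table; the interface names, prefixes and sample packets are all constructed. The default route is left out of the lookup unless explicitly allowed, as in Cisco's uRPF, where the default route only counts if `allow-default` is configured.

```python
"""Strict and loose unicast RPF against a tiny routing table.  Added
illustration (not the article's or any vendor's code); the routing
table, interface names and sample packets are constructed."""
import ipaddress

# constructed FIB: (prefix, interface the route points out of)
FIB = [
    ("0.0.0.0/0",      "outside"),   # default route toward the Internet
    ("10.0.0.0/8",     "inside"),    # server side
    ("203.0.113.0/24", "dmz"),       # where the public VIPs live
]
ROUTES = [(ipaddress.ip_network(p), ifc) for p, ifc in FIB]


def best_route(addr, allow_default=False):
    """Longest-prefix match for addr.  The default route is not
    considered for RPF unless explicitly allowed."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, ifc in ROUTES:
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best


def urpf_strict(src, ingress, allow_default=False):
    """Pass only if the route back to src leaves via the interface the
    packet came in on."""
    route = best_route(src, allow_default)
    return route is not None and route[1] == ingress


def urpf_loose(src, ingress, allow_default=False):
    """Pass if any route back to src exists at all; catches only
    unrouted (bogon) sources, not sources that belong on another
    interface, so the ingress interface is irrelevant."""
    return best_route(src, allow_default) is not None


def evaluate():
    """(strict, strict+allow-default, loose+allow-default) per constructed packet."""
    cases = [
        ("10.0.0.5",     "outside"),   # Internet packet claiming an inside source
        ("198.51.100.7", "outside"),   # ordinary Internet client
        ("10.0.0.11",    "inside"),    # backend replying from the server side
    ]
    return {src: (urpf_strict(src, ifc),
                  urpf_strict(src, ifc, allow_default=True),
                  urpf_loose(src, ifc, allow_default=True))
            for src, ifc in cases}
```

Strict mode is what catches the spoofed internal source in the first case. The second case shows the trade-off on an Internet-facing interface: strict mode has to be allowed to use the default route (or relaxed to loose mode) or it drops every legitimate client, and once the default route counts, loose mode passes almost anything. Strict mode also drops legitimate traffic wherever routing is asymmetric, which is the usual reason it is turned off.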

Another feature commonly claimed for firewalls is protocol validation: the firewall checks that packets and their payloads are formed according to the standards. HTTP requests are checked against IETF RFC 2616, the HTTP/1.1 specification; DNS queries are checked for compliance with a long list of clearly defined Internet standards; even IP packets get a number of basic header checks.

Security vendors list such features as "key features," but what they fail to mention is that they significantly affect firewall performance. Protocol validation is done in software, so throughput drops and significant latency is added to the flow. As a result, the vast majority of firewalls do not enable it by default, and most customers are not actually using it.

A load balancer is really just a proxy, and it often implements protocol validation by virtue of being an application proxy: it has to parse each request to make its forwarding decisions, so a malformed request it cannot parse is never forwarded to a server. Load balancers also do this at very high rates of performance.
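The protocol validation the last two paragraphs describe, as an added example of the checks a full-proxy load balancer applies to the HTTP request head before choosing a server; it is not the article's code or that of any product. The token and header grammar is the one RFC 2616 and its successor RFC 7230 share; the sample requests are constructed, and the checks shown (CRLF discipline, token-only method and header names, no obsolete line folding, a required Host header, a single numeric Content-Length, and no Content-Length alongside Transfer-Encoding) are a subset of what a real proxy enforces. The last two are the checks that stop the proxy and the backend from disagreeing about where one request ends and the next begins, which is the basis of request smuggling.

```python
"""Minimal HTTP/1.1 request-head validator of the kind a full-proxy load
balancer runs before choosing a server.  Added example, not the
article's or any product's code; the sample requests are constructed."""
import re

# token = 1*tchar, the same character set in RFC 2616 and RFC 7230
TCHAR = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rb"^(" + TCHAR + rb") (\S+) HTTP/1\.1$")
HEADER = re.compile(rb"^(" + TCHAR + rb"):[ \t]*(.*?)[ \t]*$")
MAX_HEAD = 8192


def validate_request_head(raw: bytes):
    """Return (ok, reason).  Anything the parser cannot account for is
    rejected rather than guessed at, so the proxy and the backend never
    disagree about where one request ends and the next begins."""
    if len(raw) > MAX_HEAD:
        return False, "head too large"
    if not raw.endswith(b"\r\n\r\n"):
        return False, "head not terminated by CRLF CRLF"
    head = raw[:-4]
    stripped = head.replace(b"\r\n", b"")    # whatever is left is a bare CR or LF
    if b"\n" in stripped or b"\r" in stripped:
        return False, "bare CR or LF in head"
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return False, "malformed request line"
    seen = {}
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            return False, "obsolete line folding"
        m = HEADER.match(line)
        if not m:                                # includes "Host : x" (space before colon)
            return False, "malformed header line"
        seen.setdefault(m.group(1).lower(), []).append(m.group(2))
    if b"host" not in seen:
        return False, "missing Host header"
    lengths = seen.get(b"content-length", [])
    if lengths and b"transfer-encoding" in seen:
        return False, "Content-Length together with Transfer-Encoding"
    if lengths and (len(set(lengths)) > 1 or not all(v.isdigit() for v in lengths)):
        return False, "conflicting or non-numeric Content-Length"
    return True, "ok"


SAMPLES = {   # constructed request heads
    "clean":       b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n",
    "bare_lf":     b"GET / HTTP/1.1\nHost: www.example.com\r\n\r\n",
    "bad_method":  b"GE T / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "space_colon": b"GET / HTTP/1.1\r\nHost : www.example.com\r\n\r\n",
    "folded":      b"GET / HTTP/1.1\r\nHost: www.example.com\r\n continued\r\n\r\n",
    "dup_cl":      b"POST / HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 4\r\nContent-Length: 5\r\n\r\n",
    "cl_and_te":   b"POST / HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
}


def check_samples():
    """Map sample name -> (ok, reason) so the verdicts can be inspected."""
    return {name: validate_request_head(raw) for name, raw in SAMPLES.items()}
```

The validator is deliberately strict: a lenient parser that "repairs" a bare LF or picks one of two Content-Length values is exactly what lets a request be read one way by the proxy and another way by the server behind it. The protection only holds, of course, for traffic that actually passes through the proxy; a backend reachable directly gets none of it.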

If you take a look around, you will find that no standard defines the function of a firewall. There are guidelines and recommendations from bodies such as NIST (for example SP 800-41, Guidelines on Firewalls and Firewall Policy) and the Common Criteria protection profiles that discuss what a firewall should do. Industry bodies such as ICSA Labs test basic firewall behaviour, and the informational RFC 3511, Benchmarking Methodology for Firewall Performance, defines some performance tests. But there is no recognized standard that defines firewall requirements.

Frankly, that's a damning statement about how the security industry regulates itself.

Since the definition of a firewall has to be measured against industry practice rather than a standard, it seems clear that a load balancer performs many, if not all, of the same functions as a firewall. In my opinion, a load balancer has many more technical features than any firewall.

Malcolm Turnbull, 12/24/2013 | 11:18:45 PM
re: Is Your Load Balancer A Firewall?
Greg, nice post, and yes, you are obviously right.
However, as the founder of I was slightly amused by this post, as personally I can't stand customers using load balancers as replacements for a decent firewall. You are perfectly correct in that most load balancers can easily replicate firewall functionality and be perfectly secure. But from an architecture point of view it is much cleaner to have your firewall as a simple single bastion host with no other applications running on it or dependent on it. Also, from a maintenance point of view it is usually far better to separate the functionality of each part of the network, i.e. the security layer is separate from the application layer (for when you undoubtedly mess up the configuration and break everything). Please note that by separating functionality I definitely do not mean having some crazy 1980s-style DMZ structure (a guaranteed way to end up with no security at all, but that's a different story..)