Greg Ferro


Is Your Load Balancer A Firewall?

There are no technical reasons to implement a firewall in front of your load balancers. A load balancer is a firewall in its own right. Of course, so-called security professionals might feel threatened that their livelihoods are under attack and claim you need a firewall (and their services) anyway--but that's a policy problem, not a technical problem.

A working definition of a firewall is a device that selectively prevents (or denies) traffic forwarding. A router configured with an access list to filter packets is a "firewall." However, the TCP and UDP protocols unfortunately allow certain types of packets to bypass an access list, so an access control list (ACL) is generally regarded as a poor firewall.


Modern firewalls use stateful inspection engines to ensure that bidirectional flows are matched to approved connections. That is, the firewall tracks all the IP packets in both directions and ensures that only packets from a valid session are passed through. That's the basic firewall definition. You don't need anything else to meet the minimum expectations of a firewall.

Let's consider how a load balancer works for a simple load-balancing flow: A TCP flow from the client to the server passes through the load balancer. The load balancer tracks the state of the session and selects which server out of a pool of servers should receive the TCP connection. Any return flows from the servers are translated back into the client's flow and returned to the user. Clearly, the load balancer has a stateful inspection engine.

What about filtering? It's not difficult for any network device to implement an access list. A load balancer is configured to listen for connections on particular ports, like ports 80 and 443, and will ignore all other connections. Sounds a lot like a firewall. When you consider that most load balancer hardware uses merchant silicon from the usual places (such as Fulcrum and Broadcom), you realize that the filtering process is no different from any other router or switch.
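To make the argument of the last three paragraphs concrete, here is an added example (not code from the original article or from any load balancer vendor) that models the three behaviours in one small object: a listener filter that acts as the access list, a session table that only admits packets belonging to a tracked connection, and round-robin pool selection with address translation on the return path. The VIP, client addresses and backend addresses are constructed values, and the TCP handling is deliberately reduced to the SYN/ACK/FIN flags.

```python
# Added example (not from the original article): a minimal model of the
# stateful engine that a firewall and a load balancer share.  Packet fields,
# the VIP, listener ports and backend addresses are all constructed values.
import itertools
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


class StatefulProxy:
    """Listener filter + session table + pool selection in one object."""

    def __init__(self, vip: str, listen_ports, pool):
        self.vip = vip
        self.listen_ports = set(listen_ports)
        self._rr = itertools.cycle(list(pool))          # round-robin selector
        # (client_ip, client_port) -> (backend_ip, service_port)
        self.sessions: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def from_client(self, pkt: Packet) -> Optional[Packet]:
        """Client -> VIP direction. Returns the packet to forward, or None to drop."""
        # The "access list": only the VIP on configured listeners is reachable.
        if pkt.dst != self.vip or pkt.dport not in self.listen_ports:
            return None
        key = (pkt.src, pkt.sport)
        if key not in self.sessions:
            # A session may only be created by a bare SYN.  A stray ACK or FIN
            # with no matching session is exactly what a stateless ACL lets through.
            if not pkt.syn or pkt.ack:
                return None
            self.sessions[key] = (next(self._rr), pkt.dport)
        backend, port = self.sessions[key]
        if pkt.dport != port:
            return None   # the same client 2-tuple must stay on the same listener
        return replace(pkt, dst=backend)

    def from_server(self, pkt: Packet) -> Optional[Packet]:
        """Server -> client direction. Only replies to a tracked session pass."""
        key = (pkt.dst, pkt.dport)
        entry = self.sessions.get(key)
        if entry is None or entry != (pkt.src, pkt.sport):
            return None   # unsolicited packet: no matching session, drop it
        if pkt.fin:
            del self.sessions[key]   # toy teardown: a server FIN closes the entry
        return replace(pkt, src=self.vip)   # hide the backend behind the VIP


def demo() -> Dict[str, Optional[Packet]]:
    """Run a handful of constructed packets through the proxy."""
    lb = StatefulProxy("203.0.113.10", [80, 443], ["10.0.0.11", "10.0.0.12"])
    vip = "203.0.113.10"
    return {
        "syn_a": lb.from_client(Packet("198.51.100.1", 40000, vip, 80, syn=True)),
        "syn_b": lb.from_client(Packet("198.51.100.2", 40001, vip, 443, syn=True)),
        "ssh": lb.from_client(Packet("198.51.100.1", 40002, vip, 22, syn=True)),
        "stray_ack": lb.from_client(Packet("198.51.100.3", 40003, vip, 80, ack=True)),
        "reply_ok": lb.from_server(Packet("10.0.0.11", 80, "198.51.100.1", 40000, ack=True)),
        "reply_bad": lb.from_server(Packet("10.0.0.12", 80, "198.51.100.1", 40000, ack=True)),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:10s} -> {'DROP' if pkt is None else pkt}")
```

The two connections land on different backends, the SSH attempt and the ACK with no session are dropped by the same table that does the load balancing, and a packet from a backend that was never selected for that client never reaches the client. Nothing in the object is specific to either product category.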

Let's consider some of the other "security features" that a firewall implements:

Reverse Path Forwarding (RPF) ensures that IP packets arrive on the interface through which their source address is reachable, which prevents spoofing attacks. This previously required specialist hardware to implement at high speed, but today the hardware is commoditized and all firewall software implements RPF. Load balancers perform the same function, just like a firewall.
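As an added example (not from the original article), the following code shows what the RPF check actually computes, so the reader can see that it is a routing-table lookup rather than something exotic. It goes slightly beyond the paragraph by implementing both the strict mode (the best route to the source must point back out the ingress interface) and the loose mode (any route to the source suffices), plus the common choice of whether the default route counts. The routing table and interface names are constructed; the lookup uses only the standard library `ipaddress` module.

```python
# Added example (not from the original article): strict and loose unicast RPF
# evaluated against a constructed routing table with the ipaddress module.
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]   # (prefix, egress interface)

# Constructed routing table for a box with three interfaces.
ROUTES: List[Route] = [
    ("10.0.0.0/8", "inside"),
    ("192.0.2.0/24", "dmz"),
    ("0.0.0.0/0", "outside"),
]


def best_route(ip: str, routes: List[Route]) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match, the same lookup the forwarding plane does for a destination."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def rpf_permits(src_ip: str, ingress: str, routes: List[Route],
                strict: bool = True, allow_default: bool = False) -> bool:
    """Return True if a packet with this source address may enter on `ingress`.

    strict:        the best route to the source must point back out `ingress`.
    loose:         any route to the source is enough (used on multi-homed edges
                   where return paths are asymmetric).
    allow_default: whether the 0.0.0.0/0 route counts as "a route to the source".
    """
    match = best_route(src_ip, routes)
    if match is None:
        return False
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False
    if not strict:
        return True
    return iface == ingress


def demo() -> Dict[str, bool]:
    """A few constructed packets: (source, ingress interface, mode)."""
    return {
        # An inside address showing up on the outside interface: classic spoof.
        "spoofed_inside_from_outside": rpf_permits("10.1.2.3", "outside", ROUTES),
        "inside_from_inside": rpf_permits("10.1.2.3", "inside", ROUTES),
        # Internet sources only pass on the outside if the default route is trusted.
        "internet_from_outside_no_default": rpf_permits("203.0.113.5", "outside", ROUTES),
        "internet_from_outside_default_ok": rpf_permits("203.0.113.5", "outside", ROUTES, allow_default=True),
        # A DMZ address on the outside fails strict but passes loose.
        "dmz_from_outside_strict": rpf_permits("192.0.2.7", "outside", ROUTES),
        "dmz_from_outside_loose": rpf_permits("192.0.2.7", "outside", ROUTES, strict=False),
    }


if __name__ == "__main__":
    for case, permitted in demo().items():
        print(f"{case:36s} {'PASS' if permitted else 'DROP'}")
```

The check is one longest-prefix lookup per packet, which is why it moved from specialist hardware into every forwarding ASIC and every software data path; whether the box is labelled firewall, router or load balancer changes nothing about the computation.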

Another commonly claimed firewall feature is protocol validation. The firewall attempts to check that the TCP packets are formed according to standards. Thus, HTTP data is checked for validity against IETF RFC 2616, or DNS queries are checked for compliance with a long list of clearly defined Internet standards. Even IP packets get a number of basic checks for compliance with standards.

Such claims are common among security vendors as "key features," but what they fail to mention is that these features significantly affect firewall performance. The protocol validation is done in software and impairs performance--throughput is low, and significant latency is added to the flow. As a result, the vast majority of firewalls do not enable this feature by default, and most customers are not actually using it.

A load balancer is really just a proxy, and it often implements protocol validation by virtue of being an application proxy. Load balancers also do this at very high rates of performance.
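The RFC 2616 checks mentioned two paragraphs up are the sort of thing an application proxy does for free, because it has to parse the request before it can pick a backend anyway. The following is an added example, not code from the original article or from any proxy product, of a request-head validator in that spirit: it rejects bare LF line endings, a malformed request line, an unknown HTTP version, an HTTP/1.1 request without a Host header, obsolete header folding, control characters in header values and a non-numeric Content-Length. The sample requests are constructed.

```python
# Added example (not from the original article): the kind of RFC 2616 request
# validation an application proxy performs before a request reaches a server.
# All sample requests in SAMPLES are constructed.
import re
from typing import Dict, Tuple

TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 2616 'token'
VERSION = re.compile(r"^HTTP/1\.[01]$")
CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")           # control chars except HT


def validate_request(raw: bytes) -> Tuple[bool, str]:
    """Check the request line and headers of one HTTP request; return (ok, reason)."""
    if b"\r\n\r\n" not in raw:
        return False, "headers not terminated by CRLFCRLF"
    head, _body = raw.split(b"\r\n\r\n", 1)
    if b"\n" in head.replace(b"\r\n", b""):
        return False, "bare LF in headers"
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII byte in headers"
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if not TOKEN.match(method):
        return False, "method is not a token"
    if not VERSION.match(version):
        return False, "unsupported HTTP version"
    if not (target.startswith("/") or target == "*" or target.lower().startswith("http://")):
        return False, "bad request target"
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            return False, "obsolete header line folding"
        if ":" not in line:
            return False, "header without colon"
        name, value = line.split(":", 1)
        if not TOKEN.match(name):
            return False, "header name is not a token"
        value = value.strip(" \t")
        if CTL.search(value):
            return False, "control character in header value"
        headers[name.lower()] = value
    if version == "HTTP/1.1" and "host" not in headers:
        return False, "HTTP/1.1 request without Host"
    if "content-length" in headers and not headers["content-length"].isdigit():
        return False, "Content-Length is not a number"
    return True, "ok"


SAMPLES: Dict[str, bytes] = {
    "good": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n",
    "no_host": b"GET /index.html HTTP/1.1\r\n\r\n",
    "bad_version": b"GET / HTTP/9.9\r\nHost: a\r\n\r\n",
    "bare_lf": b"GET / HTTP/1.1\nHost: a\n\n",
    "bad_length": b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: abc\r\n\r\n",
    "ctl_in_value": b"GET / HTTP/1.1\r\nHost: a\r\nX-Bad: v\x01\r\n\r\n",
    "space_in_target": b"GET /a b HTTP/1.1\r\nHost: a\r\n\r\n",
}


def check_all() -> Dict[str, Tuple[bool, str]]:
    """Validate every constructed sample and return the verdicts by name."""
    return {name: validate_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in check_all().items():
        print(f"{name:16s} {'PASS' if ok else 'REJECT'}: {reason}")
```

Each rejection is a cheap string check, but it is done per request in software, which is the performance point made above: a device that already terminates the connection and parses the request pays that cost once, whereas a firewall that wants the same result has to add a parsing pass it would otherwise not need.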

If you take a look around, you will find that there are no standards that define the function of a firewall. There are some guidelines and recommendations from bodies such as NIST and Common Criteria that discuss the functions of a firewall. A couple of recognized industry bodies, such as ICSA, do some testing of basic firewall concepts, and the informational RFC 3511, Benchmarking Methodology for Firewall Performance, defines some performance tests. However, there are no recognized standards that define firewall requirements.

Frankly, that's a damning statement about how the security industry regulates itself.

Since I have to measure the definition of a firewall against industry practice, it seems clear that a load balancer performs many, if not all, of the same functions as a firewall. In my opinion, a load balancer has many more technical features than any firewall.

Greg Ferro is a freelance Network Architect and Engineer. You can email him, follow him on Twitter as @etherealmind. He also has a technical blog at EtherealMind.com and is the co-host of the popular and well known Packet Pushers podcast on data networking. He is nearly as grumpy as Mike Fratto.

