Greg Ferro



Is Your Load Balancer A Firewall?

There are no technical reasons to implement a firewall in front of your load balancers. A load balancer is a firewall in its own right. Of course, so-called security professionals might feel threatened about their livelihoods being attacked and claim you need a firewall (and their services) anyway--but that's a policy problem, not a technical problem.

A working definition of a firewall is a device that selectively prevents (or denies) traffic forwarding. A router configured with an access list to filter packets is a "firewall." However, the TCP and UDP protocols unfortunately allow certain types of packets to bypass an access list, so an access control list (ACL) is generally regarded as a poor firewall.


Modern firewalls use stateful inspection engines to ensure that bidirectional flows are matched to approved connections. That is, the firewall tracks all the IP packets in both directions and ensures that only packets from a valid session are passed through. That's the basic firewall definition. You don't need anything else to meet the minimum expectations of a firewall.

Let's consider how a load balancer works for a simple load-balancing flow: a TCP flow from the client to the server passes through the load balancer. The load balancer tracks the state of the session and selects which server out of a pool of servers should receive the TCP connection. Return traffic from the servers is rewritten back into the client's flow and returned to the user. Clearly, the load balancer has a stateful inspection engine.

What about filtering? It's not difficult for any network device to implement an access list. A load balancer is configured to listen for connections on particular ports, such as ports 80 and 443, and will ignore all other connections. Sounds a lot like a firewall. When you consider that most load balancer hardware uses merchant silicon from the usual places (such as Fulcrum and Broadcom), you realize that the filtering process is no different from any other router or switch.
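To make the last three points concrete, here is an added example (my own illustration, not code from the article or from any load balancer product) that models a stateless "established" ACL beside a toy stateful load balancer. The packet model, the VIP, the backend pool and the client address are constructed for the example. The balancer admits new connections only on its listening ports, pins each admitted flow to a backend, rewrites return traffic so the client sees the VIP, and drops anything that matches no admitted flow; the stateless ACL, by contrast, passes any packet carrying the ACK flag, which is exactly the kind of packet the article says can bypass an access list.

```python
# Added illustration: stateless ACL vs. stateful load balancer (constructed model).
from dataclasses import dataclass
from itertools import cycle
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_acl(pkt: Packet, listen_ports=(80, 443)) -> bool:
    """Router-style ACL: permit new connections to the listening ports and
    permit anything with ACK set ('established'). It has no memory, so it
    cannot tell whether an ACK packet belongs to a real session."""
    if pkt.dport in listen_ports:
        return True
    return pkt.ack


class StatefulLoadBalancer:
    """Tracks every client flow it admitted and rewrites return traffic.
    Packets matching no admitted flow are dropped, as a stateful firewall would."""

    def __init__(self, vip: str, backends, listen_ports=(80, 443)):
        self.vip = vip
        self.listen_ports = set(listen_ports)
        self._pool = cycle(backends)          # round-robin server selection
        self.flows = {}                       # (client, sport, vip, dport) -> backend
        self.dropped = []

    def forward(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # New connection to the VIP: admit only on a listening port
        if pkt.dst == self.vip and pkt.syn and not pkt.ack:
            if pkt.dport not in self.listen_ports:
                self.dropped.append(pkt)
                return None
            backend = next(self._pool)
            self.flows[key] = backend
            return Packet(pkt.src, pkt.sport, backend, pkt.dport, syn=True)
        # Later client packet: must belong to an admitted flow
        if key in self.flows:
            return Packet(pkt.src, pkt.sport, self.flows[key], pkt.dport, ack=pkt.ack)
        # Return traffic from a backend: rewrite the source back to the VIP,
        # but only if the matching forward flow exists
        reverse = (pkt.dst, pkt.dport, self.vip, pkt.sport)
        if self.flows.get(reverse) == pkt.src:
            return Packet(self.vip, pkt.sport, pkt.dst, pkt.dport, syn=pkt.syn, ack=pkt.ack)
        self.dropped.append(pkt)
        return None


def demo() -> dict:
    """Run a constructed session and one stray packet through both devices."""
    vip, client = "203.0.113.10", "198.51.100.7"     # constructed addresses
    lb = StatefulLoadBalancer(vip, ["10.0.0.11", "10.0.0.12"])
    # 1. Client opens a connection to the VIP on 443: admitted and pinned to a backend
    fwd = lb.forward(Packet(client, 40000, vip, 443, syn=True))
    # 2. Backend answers: rewritten so the client sees the VIP, not the backend
    reply = lb.forward(Packet(fwd.dst, 443, client, 40000, syn=True, ack=True))
    # 3. SYN to a port the balancer does not listen on: dropped
    bad_port = lb.forward(Packet(client, 40001, vip, 22, syn=True))
    # 4. ACK-flagged packet to the VIP that belongs to no session:
    #    the stateless ACL passes it, the stateful balancer drops it
    stray = Packet("192.0.2.99", 1234, vip, 22, ack=True)
    return {
        "first_backend": fwd.dst,
        "reply_src": reply.src,
        "bad_port_syn": bad_port,
        "stray_acl": stateless_acl(stray),
        "stray_lb": lb.forward(stray),
        "dropped": len(lb.dropped),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The flow table keyed on the client 4-tuple is the whole of the "stateful inspection engine": the same table that lets the balancer map a backend's reply back to the right client is what lets it refuse packets from nowhere.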

Let's consider some of the other "security features" that a firewall implements:

Reverse Path Forwarding (RPF) ensures that IP packets arrive on the interface through which their source address is reachable, and so prevents spoofing attacks. This previously required specialist hardware to implement at high speed, but today the hardware is commoditized and all firewall software implements RPF. Load balancers perform the same function, just like a firewall.
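As an added example of the RPF check itself (my illustration, not code from the article or any vendor), the following strict unicast RPF filter does a longest-prefix route lookup on a packet's source address and accepts the packet only if the route points back out the interface the packet arrived on. The routing table, interface names and sample packets are constructed; the addresses come from the documentation ranges.

```python
# Added illustration: strict unicast Reverse Path Forwarding (constructed routes).
import ipaddress
from typing import Optional

ROUTES = {
    # prefix -> interface the prefix is reached through (constructed table)
    "10.0.0.0/8": "inside",
    "192.168.0.0/16": "inside",
    "0.0.0.0/0": "outside",        # default route
}

# (source address, ingress interface) pairs, constructed for the demo
SAMPLE_PACKETS = [
    ("10.1.2.3", "inside"),         # internal host arriving from inside: fine
    ("203.0.113.5", "outside"),     # Internet host arriving from outside: fine
    ("10.1.2.3", "outside"),        # internal address arriving from outside: spoofed
    ("192.168.5.5", "outside"),     # same, second internal prefix
]


def lookup_interface(addr: str) -> Optional[str]:
    """Longest-prefix match: the interface a packet *to* addr would leave by."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def rpf_ok(src: str, ingress_iface: str) -> bool:
    """Strict uRPF: accept only if the reverse route for the source address
    goes out the interface the packet came in on."""
    return lookup_interface(src) == ingress_iface


def filter_packets(packets):
    """Split (src, ingress) pairs into (accepted, dropped) lists."""
    accepted, dropped = [], []
    for src, iface in packets:
        (accepted if rpf_ok(src, iface) else dropped).append((src, iface))
    return accepted, dropped


if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print("accepted:", ok)
    print("dropped (RPF failure):", bad)
```

Strict mode, as here, is appropriate on an edge with a single path to each prefix; on asymmetrically routed links it would drop legitimate traffic, which is why routers also offer a loose mode that only requires the source to be routable at all.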

Another feature firewalls commonly claim is protocol validation. The firewall attempts to check that the TCP packets are formed according to the standards. Thus, HTTP data is checked for validity against IETF RFC 2616, or DNS queries are checked for compliance with a long list of clearly defined Internet standards. Even IP packets receive a number of basic checks for compliance with standards.

Such claims are common among security vendors as "key features," but what they fail to mention is that these features significantly affect firewall performance. The protocol validation is done in software and impairs performance--throughput is low, and significant latency is added to the flow. As a result, the vast majority of firewalls do not enable this feature by default, and most customers are not actually using it.

A load balancer is really just a proxy and often implements protocol validation by virtue of being an application proxy. Load balancers also do this at very high rates of performance.
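Here is an added example (mine, not from the article or any product) of the kind of HTTP validation an application proxy applies before it hands a request to a backend: the request line and header names are checked against the RFC 2616 token grammar, header values are rejected if they contain control characters, and an HTTP/1.1 request without a Host header is refused. It goes slightly beyond the article's examples by also refusing a request with conflicting Content-Length headers, since a proxy that forwards such a request can disagree with its backend about where the message ends. The sample requests are constructed.

```python
# Added illustration: request-head validation along the lines of RFC 2616.
import re
from typing import Tuple

# RFC 2616 token = 1*<any CHAR except CTLs or separators>
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rf"^({TOKEN}) (\S+) HTTP/(\d+)\.(\d+)$")
HEADER_LINE = re.compile(rf"^({TOKEN}):[ \t]*(.*)$")


def validate_request(raw: bytes) -> Tuple[bool, str]:
    """Return (ok, reason) for the head of an HTTP request."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"
    if not text.endswith("\r\n\r\n"):
        return False, "request head not terminated by CRLF CRLF"
    lines = text[:-4].split("\r\n")

    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    major, minor = int(m.group(3)), int(m.group(4))

    headers = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            return False, f"malformed header: {line!r}"
        name, value = h.group(1).lower(), h.group(2)
        # CTLs other than HTAB are not allowed in a field value
        if any((ord(c) < 0x20 and c != "\t") or ord(c) == 0x7F for c in value):
            return False, f"control character in header {name}"
        headers.setdefault(name, []).append(value)

    if (major, minor) >= (1, 1) and "host" not in headers:
        return False, "HTTP/1.1 request without Host header"
    if "content-length" in headers:
        vals = headers["content-length"]
        if len(set(vals)) != 1 or not vals[0].isdigit():
            return False, "ambiguous or non-numeric Content-Length"
    return True, "ok"


# Constructed sample requests
SAMPLES = {
    "good": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "no_host": b"GET /index.html HTTP/1.1\r\n\r\n",
    "bad_method": b"G@T / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ctl_in_value": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Note: a\x00b\r\n\r\n",
    "no_colon": b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n",
    "dup_length": b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:13s} -> {validate_request(req)}")
```

Because the proxy must parse the request head anyway to pick a backend, these checks cost little beyond what it already does, which is the article's point about load balancers validating protocols at high rates.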

If you take a look around, you will find that there are no standards that define the function of a firewall. There are some guidelines and recommendations from bodies such as NIST and Common Criteria that discuss the functions of a firewall. A couple of recognized industry bodies like ICSA will do some testing of basic firewall concepts, and the informational RFC 3511 Benchmarking Methodology for Firewall Performance defines some performance tests. However, there are no recognized standards that define firewall requirements.

Frankly, that's a damning statement about how the security industry regulates itself.

Since I must measure the definition of a firewall against industry practice, it seems clear that a load balancer performs many, if not all, of the same functions as a firewall. In my opinion, a load balancer has many more technical features than any firewall.

