Got a Job to Do

Those are examples of situations where using a load balancer to distribute traffic to the servers, as well as protect them, would be both financially and logistically advantageous. Most load balancers can push hundreds of Mbps worth of traffic while providing firewall functionality to a site, without any performance hit.


Figure 1. Typical FWLB Scenario

There are several functions that a real firewall provides a site, some of which can be provided by a load balancer. The typical uses of a firewall are as follows:

All these are functions that firewalls can provide. But which of them do you really need, and which ones can load balancers provide? Let's take a look.

Most load balancers by their very nature provide both packet filtering and stateful inspection. Load balancers can be set up so that only a desired TCP/UDP port or ports are load balanced, such as TCP port 80 for Web traffic, which provides the packet filtering functionality. And because load balancers do so much on the network level, they also already keep TCP state information, and can make decisions based on state.


VPN can provide a necessary security function, but there is usually no reason why a VPN device should be in the direct path of a site's traffic. A VPN device can be placed alongside a heavily trafficked site, with static routes directing VPN-related traffic through the VPN appliance while the main traffic traverses the load balancer. This lower traffic level allows a much less expensive device to be purchased, since it will only see a fraction of the traffic it otherwise would, as in Figure 2:

Figure 2. VPN out-of-path traffic

Virus checking isn't usually required for a Web site. It's more of an office network application, keeping viruses out of workers' email boxes. IDS can be done separately from the active network, and is a fairly high-end requirement. Many IDS implementations involve "sniffing" or monitoring traffic on a network by plugging into a mirror or span port. If IDS functionality is required, then a separate IDS box can be purchased and set up to sniff a mirrored port in order to watch over the network.

The critical functionality is the packet filtering and stateful inspection. The other functions may be good to have, depending on a site's needs, but if you are on a budget or have a bandwidth-intensive site, packet filtering and stateful inspection may be the only features you need. They keep your machines secure by only allowing traffic through to the appropriate ports, and blocking anything else--the most common firewall functionality.

Be the Firewall

The most effective way for a load balancer to become a firewall is to implement the load balancer in a NAT-based SLB architecture. This type of set-up is covered extensively in my book Server Load Balancing. In this scenario, the load balancer acts as a Layer 3 routing device, and has total control over the traffic flow, giving it the ability to enforce security policies. Most load balancers have the capability to implement a NAT-based architecture.

In a NAT-based scenario, the Virtual IPs (VIPs) for the load balancer are on the public subnet, with publicly routed IP addresses, while the real servers are typically sitting on a private subnet with a nonrouted RFC 1918 address space (such as 10.0.0.0/8, 172.16.0.0/16, etc.) In Figure 3, we see an example of a NAT-based implementation, with 192.168.0.0/24 representing a publicly routed untrusted network (even though it is an RFC 1918 address space--it's just for our example), and 10.0.0.0/24 representing the internal private network.

Figure 3. NAT-based SLB Implementation

With NAT-based SLB, we have the capability to implement security policies. To set them up, the load balancer must be configured in such a way that only the desired ports are let through on the desired VIPs. This depends on the load balancer, but in most cases it can be done by using a very specific VIP configuration. Many load balancers also offer packet filters, but most of the time you don't even need to use that capability. Configuring the VIPs in a certain way will provide the packet filtering automatically.

With the Cisco CSS series of load balancing switches running their WebNS software, for instance, if a VIP is configured with a port and protocol specified, then everything else is blocked. The configuration below shows a Cisco content rule named vip-1, with four Web servers (ws-1 through ws-4) configured on a VIP address of 192.168.0.200. With the protocol and port directive, only traffic on port 80 will be allowed through:

  content vip-1 
    protocol tcp
    port 80
    vip address 192.168.0.200 
    add service ws-1 
    add service ws-2 
    add service ws-3 
    add service ws-4

If you wanted to also allow HTTPS traffic through, you'd just need to add another content rule:

  content vip-1-https 
    protocol tcp
    port 443
    vip address 192.168.0.200 
    add service ws-1 
    add service ws-2 
    add service ws-3 
    add service ws-4

Now both port 80 (HTTP) and port 443 (HTTPS) traffic are allowed through to the Web servers, but everything else will be blocked in a NAT-based implementation.

Let's say you now wanted to browse the Web servers individually. To do this you would need to set up pass-through instances, which is a concept also covered in Server Load Balancing. The following code shows an example of setting up pass-through instances for the first two Web servers:

  content ws-1-http
    protocol tcp
    port 80
    vip address 192.168.0.100
    add service ws-1

  content ws-2-http
    protocol tcp
    port 80
    vip address 192.168.0.101
    add service ws-2

If you need to have access to these machines via SSH, you could use a back-end connection (such as a back-end T1), a VPN connection, or even create a separate instance to allow port 22 through:

  content ws-1-ssh
    protocol tcp
    port 22
    vip address 192.168.0.100
    add service ws-1

It's also possible to restrict access to various ports from only certain subnets using the ACL functionality of the Cisco CSS series. An example would be to allow everyone access to port 80 (HTTP), but only allow access from a specific administrative subnet to port 22 (SSH). However, the ACLs are not a requirement to make the Cisco CSS an effective firewall; the configuration shown above provides that functionality by itself. Of course, when the configuration is completed, you should always double-check the port blocking with a port scan of the configured VIPs.
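As an added example (not from the article or from Cisco), the following Python script derives the allow-list implied by content rules written in the syntax shown above and reports anything a scan of the VIPs found open that no rule permits; the config and the scan result are both constructed, and the rule names, VIPs and the port-22 finding are assumptions for illustration.

```python
# Constructed sample in the Cisco CSS content-rule syntax shown above.
CSS_CONFIG = """
content vip-1
  protocol tcp
  port 80
  vip address 192.168.0.200
content vip-1-https
  protocol tcp
  port 443
  vip address 192.168.0.200
content ws-1-ssh
  protocol tcp
  port 22
  vip address 192.168.0.100
content no-port
  vip address 192.168.0.101
"""

def allowed_endpoints(config):
    """Return ({(vip, proto, port)}, [names of rules lacking protocol/port]).
    A rule without an explicit protocol and port does not narrow traffic to
    its VIP, so it is reported rather than counted as a filter."""
    rules, current = {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "content":
            current = rules.setdefault(t[1], {})
        elif current is not None and t[0] in ("protocol", "port"):
            current[t[0]] = int(t[1]) if t[0] == "port" else t[1]
        elif current is not None and t[:2] == ["vip", "address"]:
            current["vip"] = t[2]
    allowed, wildcard = set(), []
    for name, r in rules.items():
        if all(k in r for k in ("vip", "protocol", "port")):
            allowed.add((r["vip"], r["protocol"], r["port"]))
        else:
            wildcard.append(name)
    return allowed, sorted(wildcard)

def unexpected_open(config, observed_open):
    """Endpoints a scan found open that no complete content rule allows."""
    allowed, _ = allowed_endpoints(config)
    return sorted(set(observed_open) - allowed)

# Constructed scan result: port 22 on the public VIP should not answer.
OBSERVED = [("192.168.0.200", "tcp", 80), ("192.168.0.200", "tcp", 443),
            ("192.168.0.200", "tcp", 22), ("192.168.0.100", "tcp", 22)]
```

Feed it the real config and the open-port list from your own scan of the VIPs; a non-empty result, or any name in the wildcard list, is a rule to revisit before calling the load balancer your firewall.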

Cisco's CSS series isn't the only load-balancing vendor that can pull this off. I've successfully used the following load balancers in a firewall-type role:

I'm sure there are others out there as well; these are just the ones I've personally used and configured in a firewall role.

To Firewall, or Not to Firewall

Obviously, this isn't going to be the right solution for everybody. Load balancers were not specifically designed to be firewalls, and were not built to such strict security standards. Sites like banks and other high-security institutions usually have a board or government-level mandate to use a specific security standard, including firewalls.

That being said, given budget constraints and traffic-level requirements, using your load balancer as a firewall can be an effective security solution. Fortunately, some load balancers can perform this double role and fill in as firewalls, saving money and avoiding complexity. However, it's up to every site's administrators to decide what's in the best interest of the site, so be sure to carefully examine all of the relevant issues.


Tony Bourke is a private consultant specializing in Unix administration, networking, and load balancing. He has held positions at SiteSmith, GlobalCenter, and Digex. Tony has designed and implemented SLB and Unix architectures for many high-profile and high-traffic Web sites. He has published articles in Sys Admin Magazine, Hostingtech Magazine, and Network World. He is one of the leading authorities on the topic of server load balancing and frequently speaks at conferences around the U.S. He can be reached at tony@vegan.net.


O'Reilly & Associates recently released (August 2001) Server Load Balancing.