Re: [load balancing] eliminating the firewall

From: Alex Samonte (asamonteIZZATprison.net)
Date: Mon Apr 01 2002 - 16:00:56 EST


    On Mon, Apr 01, 2002 at 03:33:13PM -0500, tony bourke wrote:
    > Hi Ramin,
    >
    > I've always been a big proponent of using a load balancer as a firewall.
    > As long as you keep up with vendor patches and security alerts, it's a
    > pretty secure way to do things. There are certain things that a
    > firewall gives you that no other device can give, and that is mostly the
    > name "firewall" and the fact that firewalls were designed with protection
    > in mind. I've configured more than one installation with the
    > load balancer acting as the firewall, and I've always been satisfied with
    > the result. Another alternative would be to use an open source firewall
    > on a standard PC, such as Netfilter with Linux or IPFilter with FreeBSD or
    > Solaris.
    >
    > In my opinion, load balancer as firewall gives you about the same
    > protection as ACLs on a router or an open source firewall.

    Agreed.

    But we've always agreed on this.

    Here are the things that an actual stateful inspection firewall will give you
    that a LB won't.

    1st and most importantly. Logging. Real firewalls produce a LOT more
    useful information via logs about the stuff they stop (or let through) than
    a LB does.

    These can be useful for many things, and may be necessary for others (like
    an IDS).

    2nd, firewalls understand a lot more protocols than LBs do, and can often
    times do more useful things with them. If you're doing stuff with RTSP, or
    other non 'standard' protocols, a firewall can often times do a lot more
    fun stateful stuff than a LB can.

    The earliest example of this was FTP, with its stupid in-band port selection.
    Firewalls understood and took care of this long before the LBs figured it out.
    Now, most LBs handle FTP fine, but there are plenty of other similarly
    stupid protocols which a FW is better at handling than a LB.

    But if you're just using your FW as a packet filter, then a LB will do that
    job fine.

    FWs are also useful for doing stuff like terminating IPsec tunnels, and
    doing stateful inspection on the management of that traffic. If that's the
    case a FW can be useful, but it doesn't have to sit inline with the majority
    of traffic. You can have it off to the side.

    -Alex

    ____________________
    The Load Balancing Mailing List
    Unsubscribe: mailto:majordomoIZZATvegan.net?body=unsubscribe%20lb-l
    Archive: http://vegan.net/lb/archive
    LBDigest: http://lbdigest.com
    MRTG with SLB: http://vegan.net/MRTG
    Hosted by: http://www.tokkisystems.com



    This archive was generated by hypermail 2b30 : Mon Apr 01 2002 - 16:09:09 EST