On Mon, Apr 01, 2002 at 03:33:13PM -0500, tony bourke wrote:
> Hi Ramin,
>
> I've always been a big proponent of using a load balancer as a firewall.
> As long as you keep up with vendor patches and security alerts, it's a
> pretty secure way to do things. There are certain things that a
> firewall gives you that no other device can give, and that is mostly the
> name "firewall" and the fact that firewalls were designed with protection
> in mind. I've configured more than one installation with the
> load balancer acting as the firewall, and I've always been satisfied with
> the result. Another alternative would be to use an open source firewall
> on a standard PC, such as Netfilter with Linux or IPFilter with FreeBSD or
> Solaris.
>
> In my opinion, load balancer as firewall gives you about the same
> protection as ACLs on a router or an open source firewall.
Agreed.
But we've always agreed on this.
Here are the things that an actual stateful inspection firewall will give you
that a LB won't.
1st and most importantly. Logging. Real firewalls produce a LOT more
useful information via logs about the stuff they stop (or let through) than
a LB does.
These can be useful for many things, and may be necessary for others (like
an IDS).
2nd firewalls understand a lot more protocols than LBs do, and can often
times do more useful things with them. If you're doing stuff with RTSP, or
other non 'standard' protocols, a firewall can often times do a lot more
fun stateful stuff than a LB can.
The earliest example of this was FTP, with its stupid in-band port selection.
Firewalls understood and took care of this long before the LBs figured it out.
Now, most LBs handle FTP fine, but there are plenty of other similarly
stupid protocols which a FW is better at handling than a LB.
But if you're just using your FW as a packet filter, then a LB will do that
job fine.
FW's are also useful for doing stuff like terminating IPsec tunnels, and
doing stateful inspection on the management of that traffic. If that's the
case a FW can be useful, but it doesn't have to sit inline with the majority
of traffic. You can have it off to the side.
-Alex
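Alex's FTP point, as an added illustration that is not part of the thread: because FTP announces the data endpoint in-band on the control channel, a stateful firewall has to parse PORT commands and 227 replies to permit exactly one expected data connection and refuse ones that name a third party. The `Pinhole` type, addresses and messages below are constructed for the example, and it assumes no NAT between the peers.

```python
import re
from dataclasses import dataclass

# Constructed FTP control-channel lines (not from the mailing list).
# Active mode: the client tells the server where to connect back to.
CLIENT_PORT_CMD = "PORT 192,0,2,10,7,233\r\n"
# Passive mode: the server tells the client where to connect.
SERVER_PASV_REPLY = "227 Entering Passive Mode (198,51,100,5,195,80)\r\n"

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Pinhole:
    """The single data connection a stateful firewall would allow through."""
    src_ip: str   # side that initiates the data connection
    dst_ip: str
    dst_port: int


def _parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form into (ip, port); None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


def expected_data_connection(line, client_ip, server_ip):
    """Return the Pinhole implied by one control-channel line, or None.

    None also covers a line that names an address other than the peer that
    sent it, or a privileged port, which a firewall should refuse to honour.
    """
    if line.upper().startswith("PORT "):
        hp = _parse_hostport(line)
        if hp is None or hp[0] != client_ip or hp[1] < 1024:
            return None
        # In active mode the server opens the connection towards the client.
        return Pinhole(src_ip=server_ip, dst_ip=client_ip, dst_port=hp[1])
    if line.startswith("227 "):
        hp = _parse_hostport(line)
        if hp is None or hp[0] != server_ip:
            return None
        # In passive mode the client opens the connection towards the server.
        return Pinhole(src_ip=client_ip, dst_ip=server_ip, dst_port=hp[1])
    return None
```

A plain packet filter or a LB that does not read the control channel has to leave a port range open instead of this one derived hole.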
____________________
The Load Balancing Mailing List
Unsubscribe: mailto:majordomoIZZATvegan.net?body=unsubscribe%20lb-l
Archive: http://vegan.net/lb/archive
LBDigest: http://lbdigest.com
MRTG with SLB: http://vegan.net/MRTG
Hosted by: http://www.tokkisystems.com
This archive was generated by hypermail 2b30 : Mon Apr 01 2002 - 16:09:09 EST