Conference on Technologies, Protocols, and Services for Next-Generation Internet, Aug 21-23, 2001, Denver, USA

Constructing high-performance firewall load-balancing clusters: practical experience and novel ideas


Abstract

Security and performance are probably the top two concerns of web hosting service providers. As the available bandwidth of a hosting service approaches gigabits per second, the low throughput of a single firewall quickly becomes the bottleneck. Constructing a load-balancing cluster of multiple firewall devices seems to be an effective solution. In this paper, we first present a proof-of-concept firewall cluster using web load balancing switches. Our test cluster works, but has major limitations. First, the cluster set-up is too complex to be manageable in a large-scale deployment. Furthermore, the firewall cluster works only in a local area network. It does not work across the wide area network, where asymmetric routing is possible. Based on these findings, we propose two novel approaches. The first approach introduces a Firewall Cluster Control Protocol (FCCP) for routers to direct network flows to the appropriate firewall device for processing. FCCP simplifies the implementation of firewall clusters by eliminating the load balancing switch requirement. The second approach, called Stateful Packet Forwarding (SPF), allows firewall devices in a cluster to discover the "owner" of a network flow when asymmetric routing occurs. SPF can potentially be used in a geographically distributed firewall cluster.