Application Note. Stateful Firewall, IPS or IDS Load- Balancing

Similar documents
Polycom. RealPresence Ready Firewall Traversal Tips

Creating a VPN with overlapping subnets

Chapter 11 Cloud Application Development

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

Check Point Software Technologies LTD. Creating A Generic Service Proxy (GSP) Using Network Address Translation (NAT)

Layer 2 Networking. Overview. VLANs. Tech Note

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

How To Load balance traffic of Mail server hosted in the Internal network and redirect traffic over preferred Interface

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Firewall Defaults and Some Basic Rules

Configuring IP Load Sharing in AOS Quick Configuration Guide

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Howto: How to configure static port mapping in the corporate router/firewall for Panda GateDefender Integra VPN networks

SonicWALL NAT Load Balancing

How Your Computer Accesses the Internet through your Wi-Fi for Boats Router

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Cisco PIX vs. Checkpoint Firewall

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Multi-Homing Security Gateway

INTRODUCTION TO FIREWALL SECURITY

Security Technology: Firewalls and VPNs

Linux Routers and Community Networks

Serial Deployment Quick Start Guide

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

Application Note Patton SmartNode in combination with a CheckPoint Firewall for Multimedia security

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Linux firewall. Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users

Application Note. Lync 2010 deployment guide. Document version: v1.2 Last update: 12th December 2013 Lync server: 2010 ALOHA version: 5.

SonicOS Enhanced 4.0: NAT Load Balancing

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

GregSowell.com. Mikrotik Security

Load Balancing Barracuda Web Filter. Deployment Guide

Chapter 3 Security and Firewall Protection

allow all such packets? While outgoing communications request information from a

Server configuration for layer 4 DSR mode

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Source-Connect Network Configuration Last updated May 2009

Firewall. Vyatta System. REFERENCE GUIDE IPv4 Firewall IPv6 Firewall Zone Based Firewall VYATTA, INC.

Network Security - ISA 656 Firewalls & NATs

Security threats and network. Software firewall. Hardware firewall. Firewalls

Firewalls P+S Linux Router & Firewall 2013

Lesson 5: Network perimeter security

ASA/PIX: Load balancing between two ISP - options

This Technical Support Note shows the different options available in the Firewall menu of the ADTRAN OS Web GUI.

Packet Filtering using the ADTRAN OS firewall has two fundamental parts:

Firewall. Vyatta System. REFERENCE GUIDE IPv4 Firewall IPv6 Firewall Zone Based Firewall VYATTA, INC.

21.4 Network Address Translation (NAT) NAT concept

McAfee Next Generation Firewall (NGFW) Administration Course

Firewall Design Principles

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

UNIVERSITY OF BOLTON CREATIVE TECHNOLOGIES COMPUTING AND NETWORK SECURITY SEMESTER TWO EXAMINATIONS 2014/2015 NETWORK SECURITY MODULE NO: CPU6004

Document No. FO1101 Issue Date: Work Group: FibreOP Technical Team October 31, 2013 FINAL:

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

Quick Note 026. Using the firewall of a Digi TransPort to redirect HTTP Traffic to a proxy server. Digi International Technical Support December 2011

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

IP Ports and Protocols used by H.323 Devices

NAT REFERENCE GUIDE. VYATTA, INC. Vyatta System NAT. Title

- Introduction to Firewalls -

Scenario 1: One-pair VPN Trunk

CSCI Firewalls and Packet Filtering

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

VMware vcloud Air Networking Guide

This article describes a detailed configuration example that demonstrates how to configure Cyberoam to provide the access of internal resources.

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Load Balancing Bloxx Web Filter. Deployment Guide

REDCENTRIC MANAGED FIREWALL SERVICE DEFINITION

Chapter 9 Firewalls and Intrusion Prevention Systems

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

CSCE 465 Computer & Network Security

Understanding and Configuring NAT Tech Note PAN-OS 4.1

Enabling NAT and Routing in DGW v2.0 June 6, 2012

How To Connect Xbox 360 Game Consoles to the Router by Ethernet cable (RJ45)?

UIP1868P User Interface Guide

Configuring the BIG-IP and Check Point VPN-1 /FireWall-1

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

DMZ Network Visibility with Wireshark June 15, 2010

CS Computer and Network Security: Firewalls

nexvortex Setup Guide

VPN Tracker for Mac OS X

8. Firewall Design & Implementation

FIREWALL AND NAT Lecture 7a

How To Load Balance On A Libl Card On A S7503E With A Network Switch On A Server On A Network With A Pnet 2.5V2.5 (Vlan) On A Pbnet 2 (Vnet

How To Pass The Information And Network Security Certificate

Firewall Architecture

Voice Over IP and Firewalls

Networking Security IP packet security

Load Balance Mechanism

Firewall Audit Techniques. K.S.Narayanan HCL Technologies Limited

Bandwidth-based load-balancing with failover. The easy way. We need more bandwidth.

How To Block On A Network With A Group Control On A Router On A Linux Box On A Pc Or Ip Access Group On A Pnet 2 On A 2G Router On An Ip Access-Group On A Ip Ip-Control On A Net

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

Transcription:

Application Note Stateful Firewall, IPS or IDS Load- Balancing Document version: v1.0 Last update: 8th November 2013

Purpose Improve scallability of the security layer Limitations when Load-Balancing firewalls Firewall Load-Balancing is a complex task. Please bear in mind the current document introduces the most common required features. Please keep in mind the few points below: Unfortunatelly, VPN endpoints can t be load-balanced unless the firewalls NAT the VPN traffic with a local IP address known by the Load-Balancer Only deterministic load-balancing algorithm using source or destination IPs, or both, are compatible with stateful firewall load-balancing It is not recommended to translate addresses (NAT) with such infrastructure. That said, the current document will introduce it, so you will see how complicated the rules can be There must be a single default gateway per firewall Each firewall load-balancing project is different and this document is not exhaustive, so don t hesitate to contact Exceliance through pre-sales or support team before starting Complexity Versions concerned Aloha 5.5 and above Changelog 2013-10-16: Initial Version Page 2 of 11

Introduction Nowadays, Firewalls are not only layer3 / layer4 packet inspectors. They also bring features such as intrusion prevention/detection system (IPS/IDS), anti-virus, anti-spam, content filtering, etc... These processes consume a lot of resources and a single Firewall is most of the time not powerful enough. Many of them must be deployed and used in parallel to handle the traffic load. Those firewalls must be stateful: they keep track of network streams states which cross them. It means both ways of communication must pass through the same firewall, otherwise traffic not corresponding to an initialized state will be discarded by the other firewalls. Synopsis When Load-Balancing stateful firewalls, one must load-balance traffic per DMZ, with Load-Balancers on both public and private side (for each DMZ). Diagram and flows The Load-Balancer must be configured in Direct Server Return (DSR) mode, also known as gateway. The core routers must route traffic to the Public load-balancer Virtual IP. In the meantime the default gateway for all application servers in the DMZ (or internal) must be configured with the Load-Balancer Virtual IP. Page 3 of 11

Diagram The diagram below shows how the Load-Balancers and the Firewalls are connected. Flows On the diagram above, we can see both incoming and outgoing traffic through the different pieces of the architecture. There are basically 6 steps for each connection crossing the platform: 1. incoming connection is routed to the public LB by the core network routers 2. the public LB chooses a FW based on its configuration then forward the connection to it 3. the FW gets the connection, analyses it then forward it to the application server 4. the application server answers through its default gateway, the DMZ LB 5. the DMZ LB forwards the response to the FW which managed the incoming connection (remember, stateful FW...) 6. the FW can forward the packet to the client, without passing through the public LB. Page 4 of 11

Configuration examples In order to properly load-balance Firewalls, you must configure 2 features in the Aloha Load- Balancer: 1. Flow Manager: used to describe flows to apply load-balancing on 2. Layer 4 LB: load-balancing itself, choose the right firewall using the appropriate hash, and perform health checking The Load-Balancers are deployed using a single network interface, named eth0. These examples could also apply on Bonding and Vlan interfaces as well. Page 5 of 11

Standard configuration without NAT In this mode, there is no NAT, hence we can use a hash on both source and destination IP addresses. public LB The public LB has to balance incoming traffic from external clients to FWs. Hence, here is the flow manager configuration describing it: flow f_firewall Below, the corresponding Load-Balancing configuration: server firewall1 192.168.15.251 weight 10 check server firewall2 192.168.15.252 weight 10 check dmz LB The dmz LB has to balance outgoing traffic from internal servers to external clients. Hence, here is the flow manager configuration describing it: flow f_firewall Below, the corresponding Load-Balancing configuration: server firewall1 192.168.115.251 weight 10 check server firewall2 192.168.115.252 weight 10 check Page 6 of 11

Outbound NAT required Outbound NAT may be required to allow some internal servers to access third party services on the internet, such as software updates. Basically, the application server IP address will be NATed to the Firewall IP address (this could be any other IP address hosted on the Firewall). So load-balancing outgoing traffic (on the DMZ LB) using the default rule (with the source+destination hash) is fine since the new public IP address will be re-used to route incoming traffic by the Public LB. Incoming traffic will be simply routed by the public LB to the IP address hosted by the Firewall. The current example explains how to allow the application servers to go out on internet. Of course, the Firewall must be configured to allow some ports and to NAT this traffic. public LB The public LB has to route incoming traffic based on the destination IP, which is the Firewall one (or any other known IP hosted by the Firewall). The flow manager has to match this traffic before the standard rule (which matches everything). Below, the corresponding Flow Manager configuration: # exception rules for IPs dedicated to outbound NAT flow f_fw_out permit dst 192.168.15.251 dst 192.168.15.252 flow f_firewall Below, the corresponding Layer 4 LB configuration: server firewall1 192.168.15.251 weight 10 check server firewall2 192.168.15.252 weight 10 check dmz LB Below, the corresponding Flow Manager configuration: flow f_firewall Below, the corresponding Layer 4 LB configuration: Page 7 of 11

server firewall1 192.168.115.251 weight 10 check server firewall2 192.168.115.252 weight 10 check Page 8 of 11

Inbound NAT required Inbound NAT may be required to give access to services hosted on a private IP address: the Firewall has to translate a public IP address to the private IP address of the server in the DMZ. We can only rely on the external IP address, the one from the client, since the destination IP address will be changed by the Firewall from a public one to a private one. The current example explains how to give access to the web server hosted on the private IP address 192.168.115.11 through the "public IP" 192.168.116.11. Each time you need to open a new service to the outside world, you have to update the Firewall configuration and the LB as well public LB The public LB has to balance incoming traffic based on the external IP using a source hash algorithm. The flow manager has to match this traffic before the standard rule (which matches everything). This is basically all the traffic with destination port TCP 80 and the desired IP as the destination IP (192.168.116.11 in our case): flow f_fw_in director d_fw_in dst 192.168.116.11 proto tcp dstport 80 flow f_firewall Below, the Load-Balancing configuration corresponding: # source ip hash for inbound NAT director d_fw_in balance source server firewall1 192.168.15.251 weight 10 check server firewall2 192.168.15.252 weight 10 check server firewall1 192.168.15.251 weight 10 check server firewall2 192.168.15.252 weight 10 check We can rely only on the source address, since the server address (destination) will be NATed by the FW. Page 9 of 11

dmz LB The dmz LB has to balance outgoing traffic from the internal web server external clients. Hence, here is the flow manager configuration describing it: flow f_fw_in director d_fw_in src 192.168.115.11 proto tcp srcport 80 flow f_firewall Below, the Load-Balancing configuration corresponding: # destination ip hash for inbound NAT director d_fw_in balance dest server firewall1 192.168.115.251 weight 10 check server firewall2 192.168.115.252 weight 10 check server firewall1 192.168.115.251 weight 10 check server firewall2 192.168.115.252 weight 10 check We can rely only on the destination address, since the server address (source) will be NATed by the FW. Page 10 of 11

Both Inbound and Outbound NAT Of course, both outbound and inbound NAT can be performed at the mean time, but remember a "full NAT" (NATing both source and destination of a single flow) is easily doable. To do both at the same time, simply append IN and OUT rules BEFORE the generic rule at the end. Page 11 of 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information