
Proceedings Paper

Constructing high-performance firewall load-balancing clusters: practical experience and novel ideas
Author(s): Lebin Cheng; Yan-Fa Li; Brian Jemes; Samuel Horowitz

Paper Abstract

Security and performance are probably the top two concerns of web hosting service providers. As the available bandwidth of a hosting service approaches gigabits per second, the low throughput of a single firewall quickly becomes the bottleneck. Constructing a load-balancing cluster of multiple firewall devices seems to be an effective solution. In this paper, we first present a proof-of-concept firewall cluster built from web load-balancing switches. Our test cluster works, but it has major limitations. First, the cluster set-up is too complex to be manageable in a large-scale deployment. Furthermore, the firewall cluster works only in a local area network; it does not work across a wide area network, where asymmetric routing is possible. Based on these findings, we propose two novel approaches. The first approach introduces a Firewall Cluster Control Protocol (FCCP) that lets routers direct network flows to the appropriate firewall device for processing. FCCP simplifies the implementation of firewall clusters by eliminating the need for a load-balancing switch. The second approach, called Stateful Packet Forwarding (SPF), allows firewall devices in a cluster to discover the 'owner' of a network flow when asymmetric routing occurs. SPF can potentially be used in a geographically distributed firewall cluster.

Paper Details

Date Published: 26 July 2001
PDF: 8 pages
Proc. SPIE 4527, Technologies, Protocols, and Services for Next-Generation Internet, (26 July 2001); doi: 10.1117/12.434426
Lebin Cheng, Hewlett-Packard Co. (United States)
Yan-Fa Li, Hewlett-Packard Co. (United States)
Brian Jemes, Hewlett-Packard Co. (United States)
Samuel Horowitz, Hewlett-Packard Co. (United States)

Published in SPIE Proceedings Vol. 4527:
Technologies, Protocols, and Services for Next-Generation Internet
Anura P. Jayasumana; V. Chandrasekar, Editor(s)

© SPIE.