Home Page


Firewall Topics

Application Control

Application Layer Filtering

Firewall Authentication

High Availability, Failover, RAID, Clustering, & Redundancy

IPS & IDS Systems

Load Balancing & Link Balancing


Network Firewall Buyers Guide

Next-Gen vs UTM

Packet Filtering

Parental Control

Perimeter Network or DMZ

Personal or Hardware Firewall?

Ports Protocols and IP Addresses


Stateful Packet Filtering



What is a Firewall?

Which Network Firewall?

Zero Day Protection



Load Balancing and Link Balancing Tutorial Guide



Load Balancing

Some firewall come with the ability to load balance traffic to two or more back end servers. The load balancing feature is designed to help increase performance, scaleability and availability of high traffic environments. The load balancing feature either comes integrated in a firewall or can be purchased as a dedicated Load balancing appliance. These dedicated appliance are also sometimes called Application Delivery Controllers.

A Load balancer is a device which distributes traffic load to a number of servers. For example if a company’s SMTP server was overburdened with maximum email throughput, and rightfully decide to invest into a second SMTP server to help out with the processing load, they would use a load balancer to send email traffic to both SMTP servers. The amount of traffic the load balancer will send over to each SMTP server will depend on the algorithm used and settings defined.

A load balancer can also do other clever things such as if one of the servers failed and stopped functioning, the load balancer will detect this problem and allocate the entire load to the other server or servers that are maintaining high availability. So it has the ability to monitor the status of the servers as well as adding and removing them from the logical group of servers it is distributing a type of traffic load to, such as SMTP traffic.

Load Balancers also have the ability to provide persistence support which allows a user to maintain their connection with the same server. This feature is required when the servers are hosting some type of ecommerce site. The load balancer will ensure they are using the same server from when the end user is purchasing goods via an online shopping cart to the actual purchase of the goods or services.

Also load balancers can provide cookie persistence. This is when users login to a website, the load balancer sends a cookie which is stored within the end user’s machine. This cookie stores the users login credentials (usually encrypted and in memory), this will enable the user to roam the website freely without re-logging in again. The cookie will usually have a time limit, and once this expires the user will then have to re-login.

Load balancers distribute traffic to a number of servers depending on the algorithm used. Below are a few common algorithms used to define how much traffic load is sent to a group of servers;

Round Robin

This is the most common algorithm where traffic is distributed equally among all servers. The first connection would be sent to the first server, the second connection will be sent to the next server, third to third server, and so on.

Server Weight

Each server is assigned a weight. The load balancer will send a percentage of traffic to a particular server depending on the weight assigned. For example if server A was assigned a weight of 5 and server B was assigned a weight of 1, then the load balancer will send 5 times more traffic to server A.

Least connection

With least connections the load balancer will send traffic to the server with currently the lowest number of open connections. This is a strategy and technique is to ensure the least busiest server gets to handle the next request and this is worked out by which server has the least open connections.

There are a number of vendors offering load and link balancing products. Barracuda have a load balancer or also known as Application Delivery Controller and a link balancing solution. Fortinet have a UTM firewall with both features built into the single appliance.


Link Balancing

A link balancer will provide the ability to route and manage traffic over multiple internet connections. A link balancing solution would enable a company to have a number of connections either from the same ISP or different ISP’s. A link balancer will be able to manage T1, T3, 3G, DSL and Cable links.

A link balancer managing multiple internet connections can provide many benefits such as;

Providing high availability and automatically failover if a link goes down. Links can be monitored via health checks using tools like ping, HTTP and querying of available ports. Failed links can be taken off the list of available links and continuously monitored. When failed links are back up they are automatically put back into the available links list and assigned traffic when needed. The traffic destined for the failed link will be automatically re-routed to the other available links, though a company will always be connected to the internet.

Providing a link balancing solution where traffic can be evenly distributed to all links, or determined by a defined weight. If a link is saturated the link balancer will use an alternative link.

Providing QOS to critical applications – An administrator can define which applications should be given more priority ensuring critical applications such as Video conferencing and email is not interrupted by other none critical applications such as games and peer to peer applications. Either a percentage of the maximum bandwidth or the actual bandwidth in kilobytes can be assigned to an application.

Aggregate Internet Links – Two or more links aggregated will provide more bandwidth.

Provide authoritative DNS functionality – The ability to create DNS records on the link balancer which will identify their domains in which they can map to their multiple external IP addresses. This way if a link fails, the address which was queried will not be affected as it’s assigned to multiple WAN links.

VPN support – Site to Site VPN’s can be created over two WAN links, and if one link fails, the VPN connection will fail over to the alternative link providing a fault tolerance VPN connection.

Link bonding - Having two link balancers, one at each end, with multiple links, and bonding these together. One is usually at the client site and the other at the ISP. Similar to the Link aggregation protocol, however this is for WAN connectivity.

Some link balancers have other capabilities as well, such as a built in firewall protecting inbound and outbound connectivity with NAT functionality, DHCP server for managing local IP addresses and a DNS caching server for quicker responses to DNS requests.

WAN links for dedicated purposes – The ability to assign a link dedicated to just VPN or critical applications. For example if you had three internet connections, you can assign one of the links just for VPN connectivity, and the other two links for everything else. This way VPN connection will not be affected by other internet traffic.

For further reading, there's some excellent electronic ebooks available for download from eBooks.com