Internet Load Balancers logo
LiveZilla Live Help
Get Free White Paper

The concept of firewall and its link with load balancers

Firewall is a part of a computer system or network, intended for blocking unauthorized access (or Internet users) to gain access private networks connected to the Internet, particularly intranets. They, at the same time permit authorized communication as well. It is also a device or a set of devices configured either to allow or to stop applications by a given set of rules or criteria. Firewalls could also be carried out in either hardware of software or both together. Messages that enter or leave the intranet go through the firewall helps in examining each message and acts as a block to those that do not meet the security norms.

A firewall is normally located among the protected and unprotected network. It is like a gated network that gives full protection to assess for ensuring nothing private moves out and nothing spiteful gets in.

Having explained the concept of firewall, we will now move on to the section on how it is linked to the firewall.

Load Balancers as Firewalls – How can a load balancer become a firewall?

The load balancer can perform the functionalities of firewalls. Firewalls that support VPNs and IPsec could help in a more secure HA (High Availability) web site. By making use of these technologies, administrators could add security for a world wide presence that evens beyond the encryption or security options. A VPN can be placed on the side of a site of heavy traffic that have the static routes directing the VPN related traffic via the VPN appliance while at the same time the traffic passes through the load balancer.

Setting up of a VPN among the sites in a distributed configuration can take care of security on each of the proprietary communication protocol over the Internet. It thus prevents a hacker from starting a DOS attack.

Let us now look at the functionalities mentioned above in detail.

NAT: The ideal way for a load balancer to become a firewall is to carry out the load balancer in a NAT based SLB architecture (most load balancers implement a NAT based architecture). The load balancer acts like a Layer three routing device and has complete control over the traffic flow, thus upgrading the ability to carry out the security policies. For this, the load balancers should have the configurations that only the preferred ports are allowed to pass through the preferred VIPs.

Port Forwarding:

The concept of port forwarding is particularly useful in organizations that rely on NAT. This concept refers to the change of destination address as well as the port on the packet coupled with regular routing in a Network address translator gateway in order to reach a host within a pretended, typically private - a network based on the port number on which it is received from the origin. It also refers to replaying the packet or stream through a secondary socket to get to the destination preferred.


A Denial of Service (DoS) attack is one that prevents legitimate users from making use of a specified network resource like a web service, web site or a computer system.

Load Balancers and DOS

Load Balancers prevent attack by DoS, apart from securing the network against internal and external attacks like viruses, worms, Trojans, anti-scanning and protocol anomalies. Essentially, multiple computers wherein constant and high data requests could easily use up the bandwidth of the website are likely to have this kind of attack. With data requests, the application online will not be able to do justice of service even to the genuine users. DoS could be verified and detected only by genuine or legitimate users with a single node through a server that answers the computation.

The multiple nodes can take care of handling the high data requests as the load balancer distributes the data requests from various users. Load balancers, wherein the requests are not answered together, but some are delayed to ensure stability of the functions could even implement delay binding.

DMZ – Its link with load balancers and Load Balancers

In relation to firewalls, another important functionality that is performed by Load Balancers is the Demelitarized Zone (DMZ).

In brief, it refers to an area that doesn’t fall under the firewall’s control. In technology terms, it is an area with a mediocre trust level, located among the Internet and a truster internal network and is also called as “perimeter network”. DMZ serves as an additional layer of security to the organziation’s LAN.

Firewalls implement this function in different ways –

  • A few firewalls require the users to type in the IP address of the machine they want to place into the DMZ Other firewalls have a dedicated network port that is be used for any of the network devices for placing in the DMZ.
  • An external attacker has access only to the equipment in the DMZ when compared to any other part of the network.

In relation to load balancing, in order to prevent attacks, the only choice is to place the load-balancer before the firewall or in the DMZ. Placing the load balancer in the DMZ helps in getting rid of security issues at the firewall. Thus, load balancers in a distributed configuration should be able to service DNS requests.