Advances in Web switching technology not only optimize Web servers, but can also be used to solve some of the problems caused by current firewalls.
Although firewalls are highly effective at preventing network intrusions and have become a key factor in delivering secure Web sites and services, all of this security comes at a high cost. In short, firewalls limit performance and scalability. Because a firewall is an in-line device that constitutes a single point of failure, it also reduces the availability of the network.
Combining firewall technology with emerging Web switching technology can greatly improve the performance, availability, and scalability of firewalls.
The most common firewall consists of software installed on a single server. Two network cards are installed in this server, placing it in the data path. One card is connected to the public side of the network, which is usually the router connected to the Internet (the so-called "unclean" side of the firewall). The other card is connected to the resources that must be protected (the so-called "clean" side of the firewall).
Because the firewall sits in the data path, it limits the performance and scalability of the network: all traffic between the unclean and clean sides must pass through the firewall. The firewall inspects each packet using filtering technology and other policies predetermined by the network administrator.
The problem is that the processing architecture best suited to a firewall is not well suited to inspecting packets at high volume. Scaling firewall performance is difficult because it usually requires costly upgrades: higher-performance configurations and servers equipped with the most powerful processors currently available.
Emerging Web switching technology is widely regarded as the solution for scaling firewall capacity and improving the overall availability of the firewall device. To implement firewall load balancing, two Web switches are needed: one on the clean side of the firewalls and the other on the unclean side. Each Web switch forwards incoming IP traffic through one of the firewalls to the corresponding Web switch at the other end. This balances the load across several firewalls so that they run in parallel, scaling firewall performance and eliminating the possibility of a firewall becoming a single point of failure.
Unlike traditional packet switches, Web switches can keep track of individual TCP sessions at Ethernet and Gigabit Ethernet rates. Because a firewall is a stateful device, all packets belonging to an established session must pass through the same firewall. The Web switch intelligently maintains state information about the flows passing through the firewalls, ensuring that all traffic between a specific pair of source and destination IP addresses passes through the same firewall. This in turn preserves the continuity of the sessions established by the firewall.
Firewall load balancing can also be used to reduce the amount of traffic filtering the firewalls must perform, which is the main advantage of implementing a demilitarized zone (DMZ). Resources that require public access from the Internet, such as Web servers, are placed in the DMZ. The Web switches need traffic-filtering capability to decide which packets should be routed to the DMZ and which should pass through the firewall. Removing this filtering work from the firewall greatly improves firewall performance and speeds up user traffic.
The Web switch is configured with filters that allow or deny access to the DMZ servers, so that two levels of security are implemented: the first level restricts access using the filters configured on the Web switch, and the second restricts access through the stateful inspection performed by the firewall.
To maintain high firewall availability, the Web switch monitors the "health" of each firewall by continuously sending an echo request (ping) to each port on the corresponding Web switch at the other end of the firewall. If a firewall or a Web switch port fails, traffic is reassigned to the remaining "healthy" Web switch ports and their associated firewalls.
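The switch behaviour described above (pinning an address pair to one firewall, diverting DMZ traffic at the switch, and moving only the affected flows when a health check fails) is modelled here as an added Python example; it is not code from any Web switch vendor, and the firewall names, DMZ prefix and addresses are constructed. It assumes the switch pins flows with rendezvous hashing over an order-independent address-pair key so that both switches in the pair, and both directions of a session, agree on the same firewall.

```python
import hashlib
from ipaddress import ip_address, ip_network


class FirewallLoadBalancer:
    """Selection logic of one Web switch in a firewall load-balancing pair.

    A source/destination address pair is pinned to one firewall so that every
    packet of a stateful session crosses the same firewall; the clean-side and
    unclean-side switches run the same function and therefore agree.
    """

    def __init__(self, firewalls, dmz_networks):
        self.firewalls = list(firewalls)           # parallel firewalls, by name
        self.healthy = set(self.firewalls)         # maintained by health_check()
        self.dmz = [ip_network(n) for n in dmz_networks]

    def health_check(self, firewall, ping_answered):
        """Record the result of the switch's periodic ping through `firewall`."""
        if ping_answered:
            self.healthy.add(firewall)
        else:
            self.healthy.discard(firewall)

    def select(self, src, dst):
        """Return 'DMZ' for traffic the switch filters itself, otherwise the
        firewall that carries this address pair. Raises if none is healthy."""
        if any(ip_address(dst) in net for net in self.dmz):
            return "DMZ"
        candidates = [f for f in self.firewalls if f in self.healthy]
        if not candidates:
            raise RuntimeError("no healthy firewall available")
        # Order-independent key: the reply direction maps to the same firewall.
        key = "|".join(sorted((src, dst))).encode()
        # Rendezvous (highest-random-weight) hashing: score each firewall by
        # hash(key, firewall) and take the highest. When a firewall fails, only
        # the flows it carried move; every other session stays pinned.
        return max(candidates,
                   key=lambda f: hashlib.sha256(key + b"|" + f.encode()).digest())


if __name__ == "__main__":
    # Constructed demo: three firewalls, a DMZ prefix, a few client/server pairs.
    lb = FirewallLoadBalancer(["fw1", "fw2", "fw3"], ["203.0.113.0/24"])
    for src, dst in [("192.0.2.10", "203.0.113.5"), ("192.0.2.10", "198.51.100.7"),
                     ("198.51.100.7", "192.0.2.10"), ("192.0.2.11", "198.51.100.7")]:
        print(f"{src} -> {dst}: {lb.select(src, dst)}")
    lb.health_check("fw2", False)   # ping through fw2 stopped answering
    print("after fw2 failure:", lb.select("192.0.2.10", "198.51.100.7"))
```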
Firewall load balancing leverages the new Web switching technology to solve many of the performance and scalability problems caused by firewalls. It enables firewalls to run in parallel without major upgrades, greatly improving efficiency, scaling performance, and eliminating the possibility of a firewall becoming a single point of failure.