Posted on May 16th, 2011 by Michael Hamelin

A recent article from Techworld.com by John E. Dunn caught my attention. John reports that DDoS attacks are made worse by misplacement of modern stateful firewalls. I don't entirely agree with that assessment – sometimes the right firewall architecture and technology can be used effectively to withstand DDoS attacks. But he brings up a good discussion point: Every device we install in our network involves a risk vs. reward tradeoff.

If you've known me for long, then you already know that I don't think there is a need for firewalls in front of certain websites. When you're designing a high-performance or high-concurrency web environment, the risk of a firewall often outweighs the benefits. If you build your DMZ with a screening router and front-end your web servers with a load balancer, then you do not need a firewall.

Let's look at the technology. Your router should employ some basic ACL filtering. Only pass the protocols you need into your DMZ; 2-3 protocols will likely do it. Your load balancer is now your connection point for clients. If the load balancer is properly configured, it will only pass through to your web servers the protocols you have attached to your Virtual IPs (VIPs). If you only build a VIP for HTTP(S), then you are all set - firewalling accomplished - your servers will only receive HTTP(S) traffic from the Internet.

The advantage here is that your load balancer is designed to handle many, many, many more connections than your firewall. It's also designed to offload your web servers from handling these connection setups and thus will scale much better under a DDoS attack. The risk you have mitigated is that the firewall's state table will fill up during a DDoS attack and cause an outage to your website. You will sacrifice some things as well - you will not be using the latest application-level filters in today's firewalls, and you will not be writing granular access rules. ACLs on routers need to be short and fast.
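To make the two designs above concrete, here is an added toy model (not the author's configuration, and not any vendor's code) of the packet path through a screening-router ACL, a load balancer VIP table, and, for comparison, a stateful firewall with a bounded state table. The VIP address, the backend pool, the ACL entries, the flood source range and the table size are all constructed for illustration. It shows the two points the text makes: the stateless ACL plus VIP table only lets the configured protocol and ports through, and a fixed-size state table, once filled by a burst of new connection attempts, starts refusing legitimate new clients while the stateless path keeps evaluating each packet on its own.

```python
"""Toy model of a screening-router ACL + load-balancer VIP path versus a
stateful firewall with a bounded state table.  Added example; all addresses,
rules and sizes below are constructed, not taken from any real deployment."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int
    syn: bool = True  # True = a new connection attempt


# --- Screening router: short, stateless, first-match ACL -------------------
VIP = "203.0.113.10"  # constructed public VIP (RFC 5737 documentation range)
ACL = [
    ("permit", "tcp", VIP, 80),
    ("permit", "tcp", VIP, 443),
    ("deny", "any", "any", None),  # the implicit deny, written out
]


def acl_permits(pkt: Packet, acl=ACL) -> bool:
    """Evaluate one packet against the ACL; no per-flow state is kept."""
    for action, proto, dst, dport in acl:
        if proto not in ("any", pkt.proto):
            continue
        if dst not in ("any", pkt.dst):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False  # implicit deny if nothing matched


# --- Load balancer: only traffic to a configured VIP:port is forwarded ------
VIPS = {
    (VIP, 80): ["10.0.0.11", "10.0.0.12"],   # constructed backend pool
    (VIP, 443): ["10.0.0.11", "10.0.0.12"],
}


def lb_forward(pkt: Packet, vips=VIPS):
    """Return the backend that would receive the packet, or None if no VIP
    is bound to that address/port (the load balancer simply has nowhere to
    send it, which is the 'firewalling accomplished' effect)."""
    pool = vips.get((pkt.dst, pkt.dport))
    if pkt.proto != "tcp" or not pool:
        return None
    # Deterministic source-based pick, so results are reproducible.
    return pool[sum(map(ord, pkt.src)) % len(pool)]


# --- Stateful firewall: same ACL, but every new flow consumes a table slot --
class StatefulFirewall:
    def __init__(self, max_states: int):
        self.max_states = max_states
        self.table = OrderedDict()  # (src, dst, dport) -> flow state
        self.dropped_new = 0        # new flows refused because table was full

    def admit(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.table:
            return True  # packet belongs to a known flow
        if not acl_permits(pkt):
            return False  # policy denies it; no state is created
        if len(self.table) >= self.max_states:
            self.dropped_new += 1  # table exhausted: legitimate flows lost too
            return False
        self.table[key] = "SYN_SEEN"  # half-open entry waits for completion
        return True


def simulate(flood_sources: int, table_size: int) -> dict:
    """Send `flood_sources` never-completed connection attempts (constructed
    198.51.x.y sources) at the VIP, then test whether one legitimate client
    still gets through each design."""
    fw = StatefulFirewall(table_size)
    for i in range(flood_sources):
        src = f"198.51.{i // 256}.{i % 256}"  # constructed, one per source
        fw.admit(Packet(src, VIP, "tcp", 443))

    client = Packet("192.0.2.77", VIP, "tcp", 443)  # constructed real user
    return {
        "stateful_admits_client": fw.admit(client),
        "stateless_forwards_client": acl_permits(client) and lb_forward(client),
        "dropped_new": fw.dropped_new,
    }


if __name__ == "__main__":
    print(simulate(flood_sources=1000, table_size=500))
```

The model deliberately leaves out the state a real load balancer keeps for its own proxied connections; the text's point is that a device built for connection setup handles vastly more of them than a firewall's state table, and the comparison here isolates only the exhaustion failure mode of a bounded table.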

Truth is, I've been recommending and building web farms using this method for years. We just tell the auditor the load balancer is the Policy Enforcement Point (PEP) and never use the word firewall. If they ask about firewalls, I always refer back to PEPs. The fact is, many things are actually firewalls; they control connections, limit risk, and provide boundaries for trust. For example, your spam filter is simply an application-level firewall for email, so why not use a load balancer as your web farm firewall?

So when the risk of the firewall outweighs the rewards of its filtering, rethink your solution. Does this mean you should stop using firewalls? No way. They are your defensive perimeter. Web farms without firewalls in front of them had better have firewalls between them and the rest of your infrastructure.