A firewall sits on a network boundary and protects the network behind it from attacks. With the emergence of cloud computing, IT administrators are migrating their applications to run on virtual machines and moving servers to multiple locations. This creates the need to protect a network that has multiple entrances, and to protect servers whether they run on virtual machines or physical hosts, in a corporate data center or in the cloud. IT administrators are also adding many more applications and services to their networks, which demands far more processing resources for a firewall to handle the traffic. Traditional firewalls are designed to run on a single appliance protecting one entrance to the network, and they do not scale well to protect networks as the IT industry moves to cloud computing.
Some conventional designs run multiple firewall instances on separate virtual machines and use a central management service to manage the distributed instances. However, separating the firewalls in this way has one major drawback: it requires a centralized load balancer to distribute the traffic among the instances. Without the load balancer, if a connection requires Network Address Translation (NAT), the return traffic may arrive at a different firewall instance, which then has to forward the packets back to the instance that holds the NAT state for that connection. The design therefore either spends significant CPU and network resources on forwarding between instances or, with the load balancer, creates a single point of failure at the centralized load balancer.
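The NAT return-traffic problem described above, as an added simulation that is not part of the patent text and does not describe the patent's own design. It assumes a hypothetical deployment in which the network spreads packets over firewall instances with a stateless 5-tuple hash (ECMP-style), each instance allocates its own disjoint NAT port range and keeps its own translation table, and a reply that lands on an instance without state is handed off to the owning instance. A second mode stands in for the centralized, connection-tracking load balancer the text mentions.

```python
# Added example (not from the patent): why per-instance NAT state forces return
# traffic to be forwarded between distributed firewall instances when there is
# no central, connection-tracking load balancer. Assumptions are hypothetical:
# stateless 5-tuple hashing to pick an instance, disjoint NAT port ranges, and
# an instance-to-instance handoff when the reply lands on the wrong instance.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reply(self):
        """The packet the remote peer sends back in answer to this one."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


class FirewallInstance:
    """One firewall VM with its own source-NAT table and port range."""

    def __init__(self, name, nat_ip, port_base):
        self.name = name
        self.nat_ip = nat_ip
        self.next_port = port_base   # disjoint range per instance (assumption)
        self.out_table = {}          # (src_ip, src_port) -> nat_port
        self.in_table = {}           # nat_port -> (src_ip, src_port)

    def snat(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_table:
            self.out_table[key] = self.next_port
            self.in_table[self.next_port] = key
            self.next_port += 1
        return Packet(self.nat_ip, self.out_table[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def owns(self, reply):
        """True if this instance holds the NAT state for an incoming reply."""
        return reply.dst_port in self.in_table

    def unsnat(self, reply):
        src_ip, src_port = self.in_table[reply.dst_port]
        return Packet(reply.src_ip, reply.src_port, src_ip, src_port, reply.proto)


def hash_pick(pkt, instances):
    """Stateless ECMP-style choice: depends only on the packet's 5-tuple."""
    five_tuple = f"{pkt.src_ip}:{pkt.src_port}:{pkt.dst_ip}:{pkt.dst_port}:{pkt.proto}"
    digest = hashlib.sha256(five_tuple.encode()).digest()
    return instances[int.from_bytes(digest[:4], "big") % len(instances)]


def simulate(flows, instances, conn_tracking=False):
    """Send each flow out and its reply back.

    Returns (delivered, forwarded): replies that reached the original internal
    host, and replies that first landed on an instance without NAT state and
    had to be forwarded to the owner. conn_tracking=True models a centralized
    load balancer that remembers which instance handled each flow.
    """
    tracked = {}                     # reply 5-tuple -> egress instance
    delivered = forwarded = 0
    for pkt in flows:
        egress = hash_pick(pkt, instances)
        reply = egress.snat(pkt).reply()
        tracked[reply] = egress
        if conn_tracking:
            ingress = tracked[reply]
        else:
            # The reply is a different 5-tuple, so the hash may pick another instance.
            ingress = hash_pick(reply, instances)
        if not ingress.owns(reply):
            # No NAT state here: locate the owner and hand the packet over.
            ingress = next(i for i in instances if i.owns(reply))
            forwarded += 1
        inner = ingress.unsnat(reply)
        if (inner.dst_ip, inner.dst_port) == (pkt.src_ip, pkt.src_port):
            delivered += 1
    return delivered, forwarded


def make_instances(n):
    return [FirewallInstance(f"fw{i}", "203.0.113.1", 10000 + 1000 * i) for i in range(n)]


def sample_flows(n):
    """Constructed sample: n internal clients each opening one HTTPS connection."""
    return [Packet(f"10.0.{i // 250}.{i % 250 + 1}", 40000 + i, "198.51.100.10", 443)
            for i in range(n)]


if __name__ == "__main__":
    flows = sample_flows(200)
    print("hash only   :", simulate(flows, make_instances(4)))
    print("central LB  :", simulate(flows, make_instances(4), conn_tracking=True))
```

With four instances and no connection tracking, roughly three out of four replies land on an instance that does not own the flow and are forwarded; every reply is still delivered, but at the cost of a second hop. The connection-tracking mode removes the forwarding entirely, which is exactly the role of the centralized load balancer, and with it the single point of failure the text describes.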
FIG. 1 is a block diagram illustrating a traditional distributed firewall. Referring to FIG. 1, traditional distributed firewall 100 includes a number of firewall subsystems 101-105. Each firewall subsystem runs all of the functions, including I/O function 106, security processing function 107, and service processing function 108, on a single virtual machine. A central management system 109 may coordinate functions 106-108 among firewall subsystems 101-105. However, this architecture has a major drawback: it needs a large firewall load balancer 110 to balance the traffic among firewall subsystems 101-105. This requirement creates a single point of failure and increases system cost. It also eliminates the benefit of distributed I/O functions, since all traffic must pass through the centralized firewall load balancer 110.