Yes, is the very short answer.
But, is it the right question?
This blog comes from a very interesting chat I had recently with a solutions engineer. We'd been talking about how easy it was to load balance web filters, and how frustrating it was when customers insisted they must deploy them inline...
Actually, it was more of a joint rant about things that really annoyed us — and web filters in bridge mode were definitely one of those things that drive us both nuts.
Network security devices such as firewalls, WAF, SWG, IPS, etc. are often deployed inline in bridge mode, which has two major problems:
- How fast can a single security appliance go?
- And, what happens when it fails?
If your network bridge fails open — do you feel secure?
The guy I was talking to had a customer with a single web filter in bridge mode, who wanted to upgrade the capacity from 10G to at least 40G. But the security vendor's largest model only supported 20G...
Now, this sounds just like the kind of performance and availability problem that load balancers solve... So I said, "That sounds easy, just use a load balancer and put two or three web filters in a transparent cluster — what's the problem?"
And he said, "Well obviously — but the customer refuses to take it out of bridge mode!"
Then he said, "Have you ever heard of Niagara Networks?"
They have a really cool solution to the inline bridge problem:
This powerful piece of hardware can load balance multiple security devices in bridge mode at wire speed, and therefore aggregate multiple web filters together to meet huge throughput demands up to 100G+. This is a serious carrier-grade piece of kit, which can also do bypass and active TAPs...
It can also intelligently split out just the web traffic, detect appliance failure, and re-balance the load as required. I won't go into all the details, but from what I've read it's a very capable piece of kit.
He then started telling me about how the Niagara Networks device had solved the customer's problem effortlessly. It was very easy to use, install and understand. And most importantly everyone was happy with the outcome.
In fact, I was so impressed, I got a bit worried about future business with this partner. So I said, "Wow that sounds great — So are you going to stop using load balancers now?"
Luckily, he just laughed and said,
"Errr no — These things are really nice, but they are not cheap!"
Here at Loadbalancer.org, we work with all the major web filter vendors. If you are interested in how we can help you scale web filters to 100G+, just give us a call. Or you can read about our clever explicit non-inline load balancing technique here.