Title: Load balancing in a network with session information
Abstract: Methods and systems for balancing load among firewall security devices (FSDs) are provided. According to one embodiment, session data, including session entries representing previously established traffic sessions from a particular source to a particular destination and forming an association between the previously established session and a particular FSD, is maintained for each port of a session-aware switching device. When a TCP SYN packet is received, the switching device: (i) reduces its vulnerability to a DoS attack by foregoing installation of a forward session entry for the forward traffic session within the session data until a processed TCP SYN/ACK packet associated with the corresponding reverse traffic session is received; (ii) selects an FSD to associate with the forward traffic session and a corresponding reverse traffic session by performing a load balancing function on the TCP SYN packet; and (iii) causes the TCP SYN packet to be processed by the selected FSD.
Publication number: US9276907(B1)    Publication date: 2016.03.01
Application number: US201514947844    Filing date: 2015.11.20
Applicant: Fortinet, Inc.    Inventors: Mihelich Joe; Pham Son; Li Jun
Classification: H04L29/06; G06F21/00; H04L29/08    Main classification: H04L29/06
Agent: Hamilton, DeSanctis & Cha LLP    Attorney: Hamilton, DeSanctis & Cha LLP
Principal claim: 1. A method comprising: maintaining, by a session-aware switching device, for each of a plurality of ports of the session-aware switching device, session data including a plurality of session entries each of which represent a previously established traffic session by the session-aware switching device from a particular source device to a particular destination device and each of which form an association between the previously established traffic session and a particular firewall security device of a plurality of firewall security devices associated with the session-aware switching device; responsive to receiving, at a first port of the plurality of ports of the session-aware switching device, a Transmission Control Protocol (TCP) SYN packet of a forward traffic session from a source device directed to a target device: reducing vulnerability of the session-aware switching device to a denial of service (DoS) attack, by the session-aware switching device, by foregoing installation of a forward session entry for the forward traffic session within the session data for the first port; selecting, by the session-aware switching device, a firewall security device from among the plurality of firewall security devices to associate with the forward traffic session and a corresponding reverse traffic session from the target device to the source device by performing a load balancing function on at least a portion of the TCP SYN packet; and causing the TCP SYN packet to be processed by the selected firewall security device; responsive to receipt from the selected firewall security device of the processed TCP SYN packet on a second port of the session-aware switching device, installing, by the session-aware switching device, a reverse session entry for the corresponding reverse traffic session within the session data for the second port with the target device identified as the particular source device and with the source device identified as the particular destination device; and responsive to receipt from the selected firewall security device of a processed TCP SYN/ACK packet associated with the corresponding reverse traffic session on the first port of the session-aware switching device, installing, by the session-aware switching device, the forward session entry for the forward traffic session within the session data for the first port with the target device identified as the particular destination device and with the source device identified as the particular source device.
Address: Sunnyvale CA US