Common Firewall Issues in the Datacenter and How to Resolve Them
Firewalls are a vital component of securing your networks; however, they are often a challenge to configure even for the most experienced server administrators. This is why datacenter professionals need to be able to follow best practices for server operations while also being able to handle firewall issues effectively as they come up. As discussed in an article from Site24x7, having your servers operating at optimal performance is crucial to the success of any project.
Since tuning your server can occasionally result in conflicts with your firewalls, this guide is designed to help resolve common issues which can come up in the field.
Solving Connectivity Issues
Netstat
On many Windows systems, you can use the netstat tool to resolve connectivity issues by determining whether an application is really listening on the IP address you expect it to be on. Netstat is versatile, so there are more commands than can be referenced here, but About.com has a complete guide on their site. Linux systems technically have this utility built in as well, but there it is deprecated, having been replaced by ss, which is a component of iproute2.
When troubleshooting connectivity issues with your firewall, the -a -n -o combination of parameters lets you view which processes are running on open ports. By adding the -b parameter, you can also have a friendly name shown for each process. This command is useful for determining which ports are being used by different software packages, allowing you to adjust your firewall settings accordingly.
Sometimes the problem is not with an individual server at all: one system may behave differently from another even though both machines are on the same network. By using the -r parameter you can pull up the routing table and make sure that packets are being routed to the appropriate systems.
The final major useful aspect of netstat is the ability to view the fully qualified domain names of foreign addresses. Since a mistyped address or domain can throw off firewall rules, this view helps pinpoint the exact cause of your connectivity issues.
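As an added example (not from the article), a small shell helper that applies the check described above to saved netstat -a -n -o output: it reports whether a service is actually listening on the address a firewall rule is written for, and flags a loopback-only bind, which no firewall rule can make reachable. The netstat output below is constructed.

```shell
#!/bin/sh
# Constructed sample of Windows "netstat -a -n -o" output (not real data): Proto, Local
# Address, Foreign Address, State, PID. Save real output to a file and pipe it in instead.
SAMPLE_NETSTAT='  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:443           0.0.0.0:0              LISTENING       2288
  TCP    10.0.0.5:49212         10.0.0.9:445           ESTABLISHED     4
  UDP    0.0.0.0:161            *:*                                    1640'

# check_listener IP PORT  (netstat output on stdin)
# Prints "PID LOCAL_ADDRESS" and returns 0 when a TCP socket is LISTENING on IP:PORT
# (a 0.0.0.0 wildcard bind counts as reachable on every address).
# Returns 1 otherwise; if the only listener on PORT is bound to 127.0.0.1 it prints
# "loopback-only PID LOCAL_ADDRESS" so you know an allow rule for that port cannot help.
check_listener() {
    tr -d '\r' | awk -v ip="$1" -v port="$2" '
        $1 == "TCP" && $4 == "LISTENING" {
            n = split($2, a, ":"); lport = a[n]                 # last field is the port
            lip = substr($2, 1, length($2) - length(lport) - 1) # everything before it
            if (lport != port) next
            if (lip == ip || lip == "0.0.0.0") { print $5, $2; found = 1; exit }
            if (lip == "127.0.0.1") loop = $5 " " $2
        }
        END {
            if (found) exit 0
            if (loop != "") print "loopback-only " loop
            exit 1
        }'
}

# Example run against the constructed sample: is the web server reachable on 10.0.0.5:443?
printf '%s\n' "$SAMPLE_NETSTAT" | check_listener 10.0.0.5 443
```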
Iproute2
The successor to netstat on Linux systems, iproute2 is a collection of utilities for controlling TCP/IP and UDP networking and traffic control in the Linux kernel. It contains tools such as ip, ss, bridge, rtacct, rtmon, tc, ctstat, lnstat, nstat, routef, routel, rtstat and arpd. The biggest improvement iproute2 has over netstat is streamlined syntax for many commands. It also includes support for policy-based routing and network namespaces.
To troubleshoot routing table issues with iproute2, use the command ip route show. If you need to change the default route for your packets, you can use ip route add default via [IP Address goes here].
Viewing network statistics is another crucial way to determine the status of your network and to evaluate the areas where your firewall may be causing trouble. This is where the ip -s link command can help, by providing you with critical per-interface statistics.
The last major iproute2 command discussed in this article is ip monitor all. It monitors netlink messages and so lets you watch the state of your network devices: it shows whether neighbouring devices are STALE or REACHABLE, allowing you to determine whether a connectivity issue is specific to a single machine or affects the entire network.
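An added example (not from the article or the iproute2 project) showing how the ip -s link statistics mentioned above can be turned into a quick health check: the helper reads saved ip -s link output and reports any interface whose errors plus drops reach a given percentage of its packets, which is where to look first when traffic through the firewall is being lost. The counters below are constructed; on a real host pipe in ip -s link instead.

```shell
#!/bin/sh
# Constructed "ip -s link" output for two interfaces (made-up counters, not real data).
# Each RX:/TX: header row names the columns; the numeric row right after it holds the values.
SAMPLE_IP_S_LINK='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff
    RX:  bytes packets errors dropped  missed   mcast
    1234567890 9876543      0   12034       0     210
    TX:  bytes packets errors dropped carrier collsns
    987654321  7654321      0       0       0       0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff
    RX:  bytes packets errors dropped  missed   mcast
    60000      1200      0       0       0       0
    TX:  bytes packets errors dropped carrier collsns
    50000      1000      5       0       0       0'

# link_health THRESHOLD_PERCENT  (ip -s link output on stdin)
# Prints "DEV DIR bad/packets pct%" for every direction where (errors + dropped) is at least
# THRESHOLD_PERCENT of the packets seen; prints nothing when all interfaces are healthy.
# Columns are looked up by name, so older iproute2 header layouts work too.
link_health() {
    awk -v thr="$1" '
        /^[0-9]+: / { dev = $2; sub(/:$/, "", dev) }              # "2: eth0:" -> eth0
        $1 == "RX:" || $1 == "TX:" {                               # header row: remember columns
            dir = substr($1, 1, 2); split("", hdr)
            for (i = 2; i <= NF; i++) hdr[i - 1] = $i
            want = 1; next
        }
        want {                                                      # value row follows its header
            want = 0; split("", v)
            for (i = 1; i <= NF; i++) v[hdr[i]] = $i
            bad = v["errors"] + v["dropped"]; pkts = v["packets"]
            if (pkts > 0 && bad * 100 / pkts >= thr + 0)
                printf "%s %s %d/%d %.2f%%\n", dev, dir, bad, pkts, bad * 100 / pkts
        }'
}

# Example run: flag anything losing 0.1% or more of its packets
printf '%s\n' "$SAMPLE_IP_S_LINK" | link_health 0.1
```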
More information on iproute2 can be found on the official iproute2 website.
Firewall Performance Issues
Since firewalls often contain networking hardware which is slower than the internet pipes they are connected to, adding a firewall to your datacenter architecture can cause significant bottlenecks when bursts of traffic occur. In theory faster hardware can help to solve this, but because firewalls must buffer the traffic and filter packets, there will always be some additional latency once that hardware is in the path. Fortunately, the tips below will help you to overcome common performance bottlenecks.
Clean Up Network Traffic
Ensuring outbound traffic is compliant with your company policies is one of the simplest ways to reduce the load on your firewalls. To implement this measure, have your server administrators identify internal servers which are sending out improper requests, and then have them reconfigure those systems so they no longer generate that type of traffic.
Handling Incoming Requests
For incoming traffic, you can reduce the burden on your firewalls by filtering unwanted traffic at the router level. This is done by first identifying inbound dropped requests which fit your desired rules, and then moving them to the router as Standard Access Control List (ACL) filters. Although this process can be tedious at times, it is one of the most effective ways to improve network performance.
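Both measures above, cleaning up outbound traffic and pushing repeat inbound drops down to the router, start from the firewall's drop log. The helper below is an added example (not from the article) that assumes netfilter-style log lines; the log itself is constructed and uses documentation address ranges. It lists the internal hosts whose outbound traffic is being dropped, and the source /24s with enough inbound drops to be worth a standard ACL entry at the router.

```shell
#!/bin/sh
# Constructed netfilter drop log (syslog format, fields trimmed; not real data).
# IN=<if> OUT=  marks an inbound drop, IN= OUT=<if> an outbound one.
SAMPLE_LOG='Mar  3 10:01:02 fw1 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=23
Mar  3 10:01:03 fw1 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=40002 DPT=3389
Mar  3 10:01:04 fw1 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.6 PROTO=TCP SPT=51235 DPT=23
Mar  3 10:01:05 fw1 kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.20 DST=10.0.0.5 PROTO=UDP SPT=5353 DPT=161
Mar  3 10:01:06 fw1 kernel: [FW-DROP] IN= OUT=eth0 SRC=10.0.0.12 DST=198.51.100.5 PROTO=TCP SPT=44100 DPT=25
Mar  3 10:01:07 fw1 kernel: [FW-DROP] IN= OUT=eth0 SRC=10.0.0.12 DST=198.51.100.6 PROTO=TCP SPT=44101 DPT=25
Mar  3 10:01:08 fw1 kernel: [FW-DROP] IN= OUT=eth0 SRC=10.0.0.30 DST=203.0.113.50 PROTO=UDP SPT=1900 DPT=1900'

# awk helper shared by both reports: kv("SRC") returns the value of the SRC=... field ("" if empty)
KV='function kv(k,  i) { for (i = 1; i <= NF; i++) if (index($i, k "=") == 1) return substr($i, length(k) + 2); return "" }'

# outbound_offenders  (log on stdin) -> "SRC DPT count": internal hosts whose outbound
# traffic the firewall had to drop; these are the systems to reconfigure.
outbound_offenders() {
    awk "$KV"'
        kv("IN") == "" && kv("OUT") != "" { n[kv("SRC") " " kv("DPT")]++ }
        END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# inbound_acl_candidates MIN  (log on stdin) -> "NETWORK WILDCARD count" for every source /24
# with at least MIN inbound drops. The first two fields are what a standard ACL deny takes
# (assumed Cisco IOS-style syntax: access-list 10 deny 203.0.113.0 0.0.0.255).
inbound_acl_candidates() {
    awk -v min="$1" "$KV"'
        kv("IN") != "" { split(kv("SRC"), o, "."); n[o[1] "." o[2] "." o[3] ".0"]++ }
        END { for (k in n) if (n[k] >= min + 0) print k, "0.0.0.255", n[k] }' | LC_ALL=C sort
}

printf '%s\n' "$SAMPLE_LOG" | outbound_offenders
printf '%s\n' "$SAMPLE_LOG" | inbound_acl_candidates 2
```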
Simplifying Firewall Rules
One of the easiest ways to improve your firewall performance is to reduce the complexity of your firewall rules. You should also remove unused rules and objects as part of routine housekeeping. Automated tools can greatly simplify rule management and reduce rule complexity, making this a practical routine task.
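As an added example of the housekeeping described above (not from the article), assuming a Linux netfilter firewall: the helper reads iptables-save -c output, whose [packets:bytes] prefix gives each rule's hit counter, and reports rules that have never matched as well as exact duplicates of an earlier rule, which can never match because the first copy wins. The rule set is constructed.

```shell
#!/bin/sh
# Constructed "iptables-save -c" output (not a real rule set). Each rule line starts with
# its [packets:bytes] counters; policy lines start with ":" and carry no rule.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[120345:9876543] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[8812:529000] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[51:3060] -A INPUT -s 10.0.0.0/24 -p udp -m udp --dport 161 -j ACCEPT
COMMIT'

# audit_rules  (iptables-save -c output on stdin)
# Prints "duplicate RULE" for a rule identical to an earlier one in the same chain and
# "unused RULE" for a rule whose packet counter is zero. Caveat: counters restart at zero
# when the rules are reloaded or the host reboots, so "unused" means unused since then;
# check over a representative period (e.g. a full month-end cycle) before removing anything.
audit_rules() {
    awk '
        /^\[[0-9]+:[0-9]+\] -A / {
            pkts = substr($1, 2); sub(/:.*/, "", pkts)          # "[8812:529000]" -> 8812
            rule = substr($0, length($1) + 2)                    # strip the counter prefix
            if (rule in seen) print "duplicate", rule
            else if (pkts + 0 == 0) print "unused", rule
            seen[rule] = 1
        }'
}

printf '%s\n' "$SAMPLE_RULES" | audit_rules
```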
The Importance of Following Best Practices
As mentioned at the beginning of this guide, teaching datacenter professionals best practices regarding server administration is crucial to the success of any company. Site24x7 has a listing of common cloud computing certifications which can greatly improve your staff's efficiency. For additional insights and information on security, the SANS Institute can help you stay on top of changing trends in this area.