LinkedIn's Distributed Firewall

Thursday, November 02, 2017 - 9:45 am-10:30 am

Mike Svoboda, LinkedIn, and Nils Christian Roscher-Nielsen, Zener

Abstract: 

Distributed Firewall (DFW) has fundamentally altered LinkedIn's System, Network, and Security Operations. This technology has enabled LinkedIn to expand with unbounded horizontal scalability by leveraging Software Defined Networking. By combining system automation with host-based firewalls, DFW has not only allowed LinkedIn to alter the physical network design, but has also increased the security protections that we can now provide in Production environments.

In this presentation, we will share how LinkedIn was able to remove physical and logical network firewall bottlenecks. By shifting network security enforcement down to the per-host level, DFW enables LinkedIn to fully utilize datacenter power, cooling, and space facilities by intermixing heterogeneous environments within the same physical rack and network footprint. Integrating DFW with LinkedIn's code deployment system, the firewall has become aware of the specific application requirements on each node, and can build a unique security profile to secure the hosted services.

We will demonstrate DFW in action, point to the open source code, and share lessons learned from our Production implementation so that other organizations can leverage this technology.

Mike Svoboda, LinkedIn

Mike Svoboda is a Senior Staff Engineer, working in Production Operations at LinkedIn for the past seven years. Mike has built or has been involved with most of LinkedIn's configuration management infrastructure using the CFEngine framework.

BibTeX
@conference {207261,
author = {Mike Svoboda and Nils Christian Roscher-Nielsen},
title = {{LinkedIn{\textquoteright}s} Distributed Firewall},
year = {2017},
address = {San Francisco, CA},
publisher = {USENIX Association},
month = oct
}