I've been kicking this idea around for a while as well. I wonder how
much redundancy I get by loading 2-3 firewalls with a single FireProof
switch. It seems to move the failure point a little further outward,
that's all.

Many vendors advocate a "Firewall Sandwich" to provide HA to a firewall.
This means 2 load balancer/HA devices on the outside, and 2 load
balancer/HA devices for each security zone. So a simple 3-zone
(private, public, DMZ) firewall cluster (let's say 2 firewalls) uses 6
load balancer/HA devices. At $15,000 each ($90,000 total) that's not cheap,
and I don't think I gain much in the way of redundancy in using this
configuration. It adds considerable administration and upkeep to the
design.

It seems the only commercial FW product that has a MAC/IP failover is
FW-1. Not that I don't like FW-1, but it doesn't fit our organization
very well. There's an annoying gap in FW technology in regard to
redundancy. Actually that's not quite true: I can provide redundancy as
long as I don't mind adding 5X the hardware and $$$$$. Frustrating, but
there's only so much I can get done in an 80-hour work week...

>Does anyone care to share opinions about Radware's FireProof switches
>versus the CSS 11000 line available from Cisco?
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
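As an added illustration (not part of the post above, and not a description of anything Radware or Cisco ship), the following Python model compares the two layouts the post weighs against each other: a single load-balancing switch fronting a firewall pair, and the six-device "sandwich" with two LB/HA devices per zone. It enumerates which single and double device failures cut the private zone off from the public zone. The zone names, device names and wiring (every LB/HA device cabled to both firewalls; the single switch holding a leg in every zone) are assumptions made for the example.

```python
"""Single-point-of-failure model for the two firewall HA layouts compared in
the post: one load-balancing switch fronting a firewall pair versus a
"firewall sandwich" with two LB/HA devices per zone.

Added illustration only; the zone names, device names and wiring are
assumptions, not a description of any Radware or Cisco product.
"""
from itertools import combinations

ZONES = ("private", "public", "dmz")      # assumed three-zone design
FIREWALLS = ("fw1", "fw2")                # assumed two-node firewall cluster


def single_switch():
    """One switch ("sw") with a leg in every zone, fronting both firewalls."""
    edges = [(z, "sw") for z in ZONES] + [("sw", f) for f in FIREWALLS]
    return {"zones": ZONES, "firewalls": FIREWALLS,
            "devices": set(FIREWALLS) | {"sw"}, "edges": edges}


def sandwich():
    """Two LB/HA devices per zone (3 zones -> 6 devices), each wired to both firewalls."""
    edges, lbs = [], set()
    for z in ZONES:
        for i in (1, 2):
            lb = f"lb_{z}{i}"
            lbs.add(lb)
            edges.append((z, lb))
            edges.extend((lb, f) for f in FIREWALLS)
    return {"zones": ZONES, "firewalls": FIREWALLS,
            "devices": set(FIREWALLS) | lbs, "edges": edges}


def reachable(edges, alive, src, dst):
    """Depth-first search over undirected edges, visiting only nodes in `alive`."""
    if src not in alive or dst not in alive:
        return False
    seen, stack = {src}, [src]
    while stack:
        node = stack.pop()
        if node == dst:
            return True
        for a, b in edges:
            for here, there in ((a, b), (b, a)):
                if here == node and there in alive and there not in seen:
                    seen.add(there)
                    stack.append(there)
    return False


def path_through_firewall(topo, alive, src, dst):
    """Traffic counts as flowing only if it can cross a surviving firewall."""
    return any(fw in alive
               and reachable(topo["edges"], alive, src, fw)
               and reachable(topo["edges"], alive, fw, dst)
               for fw in topo["firewalls"])


def failure_sets(topo, src, dst, k):
    """All k-device failure combinations that cut src off from dst.
    Zone segments themselves are never failed, only devices."""
    devices = sorted(topo["devices"])
    nodes = set(devices) | set(topo["zones"])
    return [frozenset(failed) for failed in combinations(devices, k)
            if not path_through_firewall(topo, nodes - set(failed), src, dst)]


def summarize(topo, src="private", dst="public"):
    """LB/HA device count plus the single and double failures that break src->dst."""
    return {
        "lb_devices": len(topo["devices"]) - len(topo["firewalls"]),
        "single_failures": failure_sets(topo, src, dst, 1),
        "double_failures": failure_sets(topo, src, dst, 2),
    }


if __name__ == "__main__":
    for name, topo in (("single switch", single_switch()), ("sandwich", sandwich())):
        s = summarize(topo)
        print(f"{name}: {s['lb_devices']} LB/HA device(s); "
              f"single failures that cut traffic: {[sorted(f) for f in s['single_failures']]}; "
              f"double failures that cut traffic: {len(s['double_failures'])}")
```

Run as a script, the single-switch layout reports the switch itself as the one single-device failure that stops all traffic, while the sandwich has no single-device cut at all; its remaining double-failure cuts are losing both firewalls or both LB/HA devices on the same side. The model counts only device outages, so it says nothing about correlated causes such as a shared power feed, a config push that breaks both peers, or the state-synchronisation behaviour that makes a failover transparent to existing sessions.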