On Wed, 23 May 2001, Smith, Steve wrote:

> I've been kicking this idea around for a while as well.  I wonder how
> much redundancy I get by loading 2-3 firewalls with a single FireProof
> switch.  It seems to move the failure point a little further outward,
> that's all.  

That's true of almost any trivial solution, which is why the "real"
solutions are expensive.
 
> It seems the only commercial FW product that has a MAC/IP fail over is
> FW-1.  Not that I don't like FW-1 but it doesn't fit our organization
> very well.  There's an annoying gap in FW technology in regard to
> redundancy.  Actually that's not quite true, I can provide redundancy as
> long as I don't mind adding 5X the hardware and $$$$$.  Frustrating but
> there's only so much I can get done in an 80 hour work week...

Single-site redundancy isn't what I think of as true redundancy.  If
you're mostly worried about SMTP and HTTP/HTTPS, then you can get some
level of even multi-site redundancy by putting an authoritative internal
nameserver on each box, giving it the same domain, but its own IP address
for the host portion of the A record for each service, and making each box
the authoritative DNS for the clients.  That means forwarding queries
through those boxes for other stuff if you're not proxying things or if
you need internal DNS.  Outside of that, you get box-level failover if
you're using an application gateway.  When a box drops, you'll lose the
current transaction set, but the browser will decide to go to the other
DNS, and it'll get that machine's IP address for the proxy and then
happily start a new connection.  

Stateful packet filters or keeping application level state and not losing
the transaction is possible, but expensive because of the communications
channel necessary between devices.  It's possible with some of the cluster
technologies we're seeing now like MOSIX that in the near future that
hurdle will have been crossed, but I'm betting that DWDM is the thing that
makes offsite status mirroring possible.

I'd guess that for a lot of organizations the MTBF of their firewalls
makes cold or warm spare more of an applicable solution at this point.

For general purpose OS devices, MAC/IP failover doesn't need to be part of
the firewall package, it could be a cluster solution like HACMP, or it
could be a "voting and N out of M arbiter/testers" thing done in your
favorite scripting language.  

Don't forget too, if box-level failure is the highest failure mode, that
having the boxes do IP shadowing instead of MAC stealing and
participating in a dynamic routing protocol such as BGP might be a cheaper
solution. 

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
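As an added example (not code from the post above or from any product it names), here is one shape the "voting and N out of M arbiter/testers" approach in a scripting language could take: each tester probes the primary firewall over its own path, and the arbiter declares failover only when a quorum of testers agree for several consecutive rounds, and refuses to act when too few testers could vote at all. The `Vote`/`Arbiter` names, the TCP probe, and the host/port values are assumptions for illustration.

```python
"""N-out-of-M failover arbiter (added example, not from the original post)."""
import socket
from enum import Enum
from typing import Callable, Iterable


class Vote(Enum):
    UP = "up"            # tester reached the primary
    DOWN = "down"        # tester reached the network but the primary did not answer
    ABSTAIN = "abstain"  # tester itself failed; carries no information


def tcp_tester(host: str, port: int, timeout: float = 2.0) -> Callable[[], Vote]:
    """Tester that votes on the primary via a TCP handshake (host/port are placeholders)."""
    def probe() -> Vote:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return Vote.UP
        except (socket.timeout, ConnectionRefusedError):
            return Vote.DOWN
        except OSError:
            return Vote.ABSTAIN   # no route, interface down: blame the tester, not the primary
    return probe


class Arbiter:
    """Declare failover only when N of M testers agree, `hold` rounds in a row."""

    def __init__(self, testers: Iterable[Callable[[], Vote]], n_required: int, hold: int = 3):
        self.testers = list(testers)
        if not 0 < n_required <= len(self.testers):
            raise ValueError("n_required must be between 1 and the number of testers")
        self.n_required = n_required
        self.hold = hold
        self.strikes = 0  # consecutive rounds in which a quorum voted DOWN

    def poll(self) -> bool:
        """Run one round of probes; return True when failover should happen."""
        votes = [tester() for tester in self.testers]
        voting = sum(v is not Vote.ABSTAIN for v in votes)
        if voting < self.n_required:
            return False  # monitoring itself is degraded: never take over on that alone
        if sum(v is Vote.DOWN for v in votes) >= self.n_required:
            self.strikes += 1
        else:
            self.strikes = 0  # enough testers saw the primary alive: reset the debounce
        return self.strikes >= self.hold
```

In production the testers would be built with `tcp_tester(...)` against the primary's address from hosts on different paths, and a `True` from `poll()` would trigger the IP takeover or routing change.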
