Don...
<..snip..>
1.0 From a security viewpoint would stateful failover of firewalls
be a plus or minus.
<..snip..>
Checkpoint firewalls do state synchronisation between the firewall cluster
nodes.
If one of the cluster members goes down then the other firewall(s) take over
the
communication. There is no reason you need to re-establish the connection
again.
If state synching works like it does the connection shouldnt be dropped.
Checkpoint also have statefull inspection (lets not discuss its REAL
statefull inspection).
Which means that is the firewall didnt receive a SYN packet for a TCP
session and
you send an SYN/ACK or ACK packet the firewall will drop it as an
"Unestablished TCP
packet". Checkpoint doesnt keep state on the sequence numbers... but
only IP
addresses arent enough to get in the state table of Firewall 1.
You can also look at Stonebeat as an addition to your Checkpoint firewall 1
cluster.
Stonebeat adds load balancing and load sharing between all the nodes. Which
you
can also run your firewall cluster in an Active - Active setup.
<..snip..>
2.0 Is it that difficult to ensure that the DB be consistent without
depending on external devices, I mean this would involve
greater resources on commits, precommits etc.
<..snip..>
WHAT ????
<..snip..>
3.0 What is the probability of an attacker being able to trigger a stateful
failover and taking advantages of this.
<..snip..>
The only thing an attacker gains with it that communication with your, for
example, DMZ is disturbed.
There shouldnt be a possible to bypass or inject a communication...
otherwise this would be a
serious sec hole in the checkpoint firewall 1 product.
Good luck !
Regards,
Brenno
> -----Original Message-----
> From: Don Ng [SMTP:[EMAIL PROTECTED]]
> Sent: donderdag 31 januari 2002 14:29
> To: [EMAIL PROTECTED]
> Subject: Statefull failover in High Availabilty /clustering firewalls
>
> Hi all, Checkpoint firewalls have intrinsic load balancing capabilities,
> and they have stateful failovers between the active and standby firewalls.
> Meaning in this case there would be no need for the client to re
> establish the connection via the 3 way handshake.
>
> So when packets arrive at the firewall with non expected sequence
> numbers, they are still let through as long as the ip address are ok?
> <no hands on on checkpoint, based on literature>
>
> I have come across clients that state their primary worries was the
> integrity of the databases in
> opting for this solution. As they fear a situation in where a firewall
> goes down and a transaction is lost,
> especially for financial transactions.
>
> My question is.
> 1.0 From a security viewpoint would stateful failover of firewalls be a
> plus or minus.
> 2.0 Is it that difficult to ensure that the DB be consistent without
> depending on external devices, I mean this would involve
> greater resources on commits, precommits etc.
> 3.0 What is the probability of an attacker being able to trigger a
> stateful failover and taking advantages of this.
>
> Nothing too heated please.
>
> Thanks and regards
> Don Ng
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
