> I've been told by more than a few Cisco engineers that Cisco Content
> Switches will do HA and load balancing in lieu of a software
> solution for Checkpoint, but I've never met anyone who has even tested
> this. Content Switches would probably cost somewhat more than either
> Stonesoft or Rainfinity also.

While mainly intended for use with web and application servers, many
layer-7 switches can be used to provide HA and LB for FW-1 servers. A
few of them like Foundry have even been OPSEC certified for this purpose,
which means they are SecuRemote compatible. Cisco is not among them,
but a list of certified vendors can be found at:
http://www.checkpoint.com/opsec/performance.html#HA_Load_Balancing.

The cost difference between SW and HW is actually quite large. The
problem with HW is that you typically need numerous switches for a
complete solution. Consider this common deployment, where "LB"
represents a load balancing switch or appliance:

              DMZ
       -----------------
       |               |
       |  LB  --  LB   |
       |   |       |   |
P|---LB---[FW]-----)----LB---|P
R|   |             |    |    |U
V|---LB----------[FW]---LB---|B
 |                           |
 |                           |

In this simple public/private/DMZ network design, a total of 6 switches
are needed (one redundant pair per subnet) to provide transparent
fail-over and load balancing for the firewalls, while avoiding any
single points of failure. At an average cost of $8-12k per switch, the
total solution is over $48k. As the number of directly-attached subnets
goes up, so does the cost. An equivalent design using software HA/LB
would cost less than $14k, regardless of the number of subnets. I'm
admittedly biased on this point, but IMHO hardware load balancers are
overkill for this application. Software HA/LB is cheaper, easier to
deploy, and doesn't eat up rack space.

Just my two cents,
Mark L. Decker
Rainfinity
[EMAIL PROTECTED]
www.rainfinity.com
(408) 382-4870