Paolo Supino wrote: > Hi Alexander > > I completely agree with you and in the long run it will happen, but > getting a second machine is beyond my budget for the next couple of months.
Then, you should go grab a couple OLD machines, and build your firewall with them. You probably won't be implementing all the cool stuff right away, anyway... Save buying the new machines for when you can do it right. For reference, we got a DS3 (45Mbps) and 900 users going through a CARPed pair of five year old machines. Primary is a 600MHz Celeron, the standby is a PIII-750MHz. Not running IPsec or IDS on them, but these machines seem to have a fair amount of growth potential on 'em. And yes, the primary machine is "slower" than the backup. You need the second machine. Even if you don't run CARP, you need a second machine. If you DO run CARP, I'd even argue you need a third machine: Rapid repair: Don't rely on someone else to get yourself back running. Testing: "What happens if I do X?" upgrades: do your upgrade on the second system, make sure all goes as you expect before doing it on the production machine. etc. Granted, your "second" (or third) machine could be the second machine for a lot of different systems in your company, if you standardize your HW. As for RAID on a firewall, uh...no, all things considered, I'd rather AVOID that, actually. Between added complexity, added boot time, and disks that can't be used without the RAID controller, it is a major loser when it comes to total up-time if you do things right. Put a second disk in the machine, and regularly dump the primary to the secondary. Blow the primary drive, you simply remove it, and boot off the secondary (and yes, you test test test this to make sure you did it right!). RAID is great when you have constantly changing data and you don't want to lose ANYTHING EVER (i.e., mail server). When you have a mostly-static system like a firewall, there are simpler and better ways. A couple months ago, our Celeron 600 firewall seemed to be having "problems", which we thought may have been due to processor load. We were able to pull the disk out of it, put it in a much faster machine, adjust a few files, and we were back up and running quickly...and found that the problem was actually due to a router misconfig and a run-away nmap session. Would not have been able to do that with a RAID card. Nick.
