Home page logo
/

basics logo Security Basics mailing list archives

Re: firewall cluster
From: Andrea Gatta <andrea.gatta () gmail com>
Date: Wed, 28 Mar 2007 21:59:15 +0200

Sandra,
I think you should take in account that the main reason to have a ha pair is for redundancy and availability and not to prevent firewall bugs. Deploy an ha solution with different OS could affect the effectiveness of the cluster itself. This is because different OSs might handle, to give you only an example,traffic in different way. I would say that you would consider a "double skin" or "double bastion" approach deploying two ha pair. Then if you have more that one ISP you may direct incoming traffic through different ha pair (this is only an example).

Hope that helps.

Cheers,
Andrea

sandra-llistes wrote:
Hi,

I was thinking about installing one linux and one OpenBSD configured with HA in active-passive mode. I have experience in Linux but not in OpenBSD. The sincronization between rules, can be achieved by FwBuilder, building one politic file, and generating two outputs one for BSD filter, and one for Linux netfilter.

In summary:

1 Cluster with different OS:
----------------------------

More complex in order to install, configure and maintain.
It's more secure in case of bugs that affect one OS but not the other.
There are still vulnerabilities that can be applied to both.

1 Cluster same OS:
------------------

Easier to install, configure and maintain.
If a bug can drop one firewall, can drop the other.

2 Cluster with different OS in two-tier firewall solution:
----------------------------------------------------------

More Hardware Cost.
More secure.
You can have a DMZ if you want to.
More rule complexity, so you have more complex network configuration, not only Internet vs Intranet. If a bug affects one firewall cluster, you keep the other cluster working. But you need some automatic mecanism to change routing and "bypass" the failed cluster.

Perhaps the last one is the better solution, with some automatic method in case if one cluster fails, the network will keep working. Other security recomendations: Install an IDP just after firewall clusters.
Thanks for your responses,

Sandra

On 3/27/07, sandra <sandra () fib upc edu> wrote:
Hello,

We want to set up a cluster of two firewalls with heartbeat. It will be an active-passive cluster, so if main firewall fails, secondary firewall would become active. We think that, although they are a cluster, they should have different Operating Systems (for example linux and BSD), so if a vulnerability has impact in our main firewall and drops it, the second firewall will start to serve without the same vulnerability affecting it. Do you think is a good idea or is better to have two identical firewalls for compatibility
issues?
Which combination of Operating Systems do you recommend?
Thanks,

Sandra





  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]