Security Basics: Re: firewall cluster

[Andrea Gatta <andrea.gatta () gmail com>]

Sandra,
I think you should take in account that the main reason to have a ha 
pair is for redundancy and availability and not to prevent firewall 
bugs. Deploy an ha solution with different OS could affect the 
effectiveness of the cluster itself. This is because different OSs might 
handle, to give you only an example,traffic in different way. I would 
say that you would consider a "double skin" or "double bastion" approach 
deploying two ha pair. Then if you have more that one ISP you may direct 
incoming traffic through different ha pair (this is only an example).
Hope that helps.

Cheers,
Andrea

sandra-llistes wrote:
> Hi,
>
> I was thinking about installing one linux and one OpenBSD configured 
> with HA in active-passive mode. I have experience in Linux but not in 
> OpenBSD.
> The sincronization between rules, can be achieved by FwBuilder, 
> building one politic file, and generating two outputs one for BSD 
> filter, and one for Linux netfilter.
> In summary:
>
> 1 Cluster with different OS:
> ----------------------------
>
> More complex in order to install, configure and maintain.
> It's more secure in case of bugs that affect one OS but not the other.
> There are still vulnerabilities that can be applied to both.
>
> 1 Cluster same OS:
> ------------------
>
> Easier to install, configure and maintain.
> If a bug can drop one firewall, can drop the other.
>
> 2 Cluster with different OS in two-tier firewall solution:
> ----------------------------------------------------------
>
> More Hardware Cost.
> More secure.
> You can have a DMZ if you want to.
> More rule complexity, so you have more complex network configuration, 
> not only Internet vs Intranet.
> If a bug affects one firewall cluster, you keep the other cluster 
> working. But you need some automatic mecanism to change routing and 
> "bypass" the failed cluster.
> Perhaps the last one is the better solution, with some automatic 
> method in case if one cluster fails, the network will keep working.
> Other security recomendations: Install an IDP just after firewall 
> clusters.
> Thanks for your responses,
>
> Sandra
>
> > On 3/27/07, sandra <sandra () fib upc edu> wrote:
> > Hello,
> >
> > We want to set up a cluster of two firewalls with heartbeat. It will 
> > be an active-passive
> > cluster, so if main firewall fails, secondary firewall would become 
> > active.
> > We think that, although they are a cluster, they should have 
> > different Operating Systems
> > (for example linux and BSD), so if a vulnerability has impact in our 
> > main firewall and
> > drops it, the second firewall will start to serve without the same 
> > vulnerability affecting it.
> > Do you think is a good idea or is better to have two identical 
> > firewalls for compatibility
> > issues?
> > Which combination of Operating Systems do you recommend?
> > Thanks,
> >
> > Sandra
> > >