Home page logo

basics logo Security Basics mailing list archives

Re: firewall cluster
From: "r.melchior () telonic de" <r.melchior () telonic de>
Date: Wed, 28 Mar 2007 08:52:30 +0200

Hi Sandra,

first of all your idea of installing HA with two different operating systems is not too bad. But I see some issues with that idea. The first is, which you also mentioned below, is the interoperability. If both firewalls are not working well in HA they could disrupt the availability of your network. So both should be installed with the same hardware and software. The second is, you would need to configure both firewalls. If you do any change on one you also have to do that on the other (no automatic sync). The third is, that there could be security issues that could affect both OSes, so doing a failover would not fix that issue. The free solution with iptables and Linux/BSD is only so good as the person who configures and hardens it.

Maybe you should consider to build-up a two-tier firewall solution, where you install the first entrance with a different firewall vendor than the second entrance. There are vendors out there who have great firewall appliances which support HA (active/standby and active/active -> real clustering) and have a well hardened OS (NetScreens, Checkpoint, Symantec etc).

If you need greater security in order to control what is going from the firewalls into your network and vice versa, you should consider to install an IDP directly after the firewalls (snort, Sourcefire, TippingPoint, ISS, etc).

- Raimar

Ivan . schrieb:

If you want a HA active/passive setup they must be the same firewall.

So either a Linux iptables firewall using linux HA

or a OpenBSD/FreeBSD firewall
google it


On 3/27/07, sandra <sandra () fib upc edu> wrote:

We want to set up a cluster of two firewalls with heartbeat. It will be an active-passive cluster, so if main firewall fails, secondary firewall would become active. We think that, although they are a cluster, they should have different Operating Systems (for example linux and BSD), so if a vulnerability has impact in our main firewall and drops it, the second firewall will start to serve without the same vulnerability affecting it. Do you think is a good idea or is better to have two identical firewalls for compatibility
Which combination of Operating Systems do you recommend?



Mit freundlichen Grüssen / Kind Regards,

Raimar Melchior

TGS-Telonic GmbH
Vertrieb und technische Dienstleistungen
Albin-Köbis-Str. 2
51147 Köln Telefon: +49 (0)2203-9648-108
Fax:  +49 (0)2203-9648-131
E-Mail: tgs () telonic de
Handelsregister Friedberg HRB 1629
Geschäftsführer: Horst Schlechter, Andreas Schlechter

RECHTLICHER HINWEIS: Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail.Das unerlaubte Kopieren sowie die unbefugte
Weitergabe dieser Mail ist nicht gestattet.
CONFIDENTIALITY NOTICE: This transmission contains confidential information. The information is
intended only for the use of the recipient named above. If you have received this Email in error,
please immediately notify us by telephone to arrange for return of the confidential information to us.
You are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance
on the contents of this information is strictly prohibited.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]