Re: firewall cluster
From: "r.melchior () telonic de" <r.melchior () telonic de>
Date: Wed, 28 Mar 2007 08:52:30 +0200
First of all, your idea of installing HA with two different operating systems is not too bad. But I see some issues with that idea. The first, which you also mentioned below, is interoperability. If both firewalls are not working well in HA they could disrupt the availability of your network. So both should be installed with the same hardware and software. The second is that you would need to configure both firewalls. If you do any change on one you also have to do it on the other (no automatic sync). The third is that there could be security issues that could affect both OSes, so doing a failover would not fix that issue. The free solution with iptables and Linux/BSD is only as good as the person who configures and hardens it.
Maybe you should consider building a two-tier firewall solution, where you install the first entrance with a different firewall vendor than the second entrance. There are vendors out there who have great firewall appliances which support HA (active/standby and active/active -> real clustering) and have a well hardened OS (NetScreens, Checkpoint,
If you need greater security in order to control what is going from the firewalls into your network and vice versa, you should consider installing an IDP directly after the firewalls (snort, Sourcefire, TippingPoint, ISS, etc).
Ivan . wrote:
If you want an HA active/passive setup they must be the same firewall. So either a Linux iptables firewall using Linux HA, or an OpenBSD/FreeBSD firewall.
On 3/27/07, sandra <sandra () fib upc edu> wrote:
We want to set up a cluster of two firewalls with heartbeat. It will be an active-passive cluster, so if the main firewall fails, the secondary firewall would become
We think that, although they are a cluster, they should have different operating systems (for example Linux and BSD), so if a vulnerability has an impact on our main firewall and drops it, the second firewall will start to serve without the same vulnerability affecting it.
Do you think it is a good idea, or is it better to have two identical firewalls for compatibility?
Which combination of operating systems do you recommend?
Kind regards,
Sales and Technical Services
Phone: +49 (0)2203-9648-108
Fax: +49 (0)2203-9648-131
E-Mail: tgs () telonic de
Commercial register Friedberg HRB 1629
Managing directors: Horst Schlechter, Andreas Schlechter
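The reply above points out that nothing keeps two manually configured firewall nodes in sync: a rule added on the active node and forgotten on the standby only shows up when a failover happens. The following script is an added example, not code from this thread or from any of the vendors named in it. It assumes both nodes are Linux iptables hosts whose rule sets were exported with `iptables-save`, and compares the two exports to report chain policies and rules that differ; the two dumps are constructed samples, not captures from a real firewall. A pair running different operating systems (iptables on one node, pf on the other) cannot be checked this way at all, which is one more reason to keep both nodes identical.

```python
"""Detect rule drift between two manually synchronised firewall nodes.

Added example, not code from the mailing-list thread. Assumes both nodes
run Linux iptables and that `iptables-save` (plain or with -c) was used to
export their rule sets. ACTIVE_NODE and STANDBY_NODE are constructed
samples, not captured from any real system.
"""
from collections import defaultdict

# Constructed sample: export from the active node, where an admin added
# a rule for port 443 to FORWARD.
ACTIVE_NODE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample: the standby node. The 443 rule was never replayed
# here, and the INPUT policy was left at ACCEPT during a debugging session.
STANDBY_NODE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
COMMIT
"""


def parse_iptables_save(dump: str) -> dict:
    """Parse iptables-save text into {table: {"policies": {...}, "rules": {...}}}.

    Packet/byte counters and comment lines are discarded: they differ between
    nodes even when the rule sets are identical, so they must not count as drift.
    """
    tables = {}
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("["):          # "iptables-save -c" prefixes "[pkts:bytes]"
            line = line.split(None, 1)[1]
        if line.startswith("*"):          # "*filter" starts a new table
            table = line[1:]
            tables[table] = {"policies": {}, "rules": defaultdict(list)}
            continue
        if table is None:
            raise ValueError("rule or chain line before any *table line")
        if line.startswith(":"):          # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
        elif line.startswith("-A "):      # "-A CHAIN <match and target>"
            parts = line.split()
            tables[table]["rules"][parts[1]].append(" ".join(parts[2:]))
    return tables


def find_drift(active: dict, standby: dict) -> list:
    """Return human-readable findings; an empty list means the nodes match."""
    empty = {"policies": {}, "rules": {}}
    findings = []
    for table in sorted(set(active) | set(standby)):
        a, s = active.get(table, empty), standby.get(table, empty)
        for chain in sorted(set(a["policies"]) | set(s["policies"])):
            pa, ps = a["policies"].get(chain), s["policies"].get(chain)
            if pa != ps:
                findings.append(f"{table}/{chain}: policy active={pa} standby={ps}")
        for chain in sorted(set(a["rules"]) | set(s["rules"])):
            ra, rs = a["rules"].get(chain, []), s["rules"].get(chain, [])
            for rule in ra:
                if rule not in rs:
                    findings.append(f"{table}/{chain}: only on active: {rule}")
            for rule in rs:
                if rule not in ra:
                    findings.append(f"{table}/{chain}: only on standby: {rule}")
            # Same rules in another order still changes first-match behaviour.
            if ra != rs and sorted(ra) == sorted(rs):
                findings.append(f"{table}/{chain}: same rules, different order")
    return findings


def check_pair(active_dump: str, standby_dump: str) -> list:
    """Convenience wrapper: parse both exports and compare them."""
    return find_drift(parse_iptables_save(active_dump), parse_iptables_save(standby_dump))


if __name__ == "__main__":
    for finding in check_pair(ACTIVE_NODE, STANDBY_NODE):
        print("DRIFT:", finding)
```

In practice the two inputs would be the outputs of `iptables-save` collected from each node (for example over SSH by the same job that runs heartbeat health checks), and a non-empty result is a signal that the standby would not behave like the active node after a failover. The policy comparison matters as much as the rule comparison: a standby whose INPUT policy is ACCEPT exposes the firewall host itself the moment it takes over.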