Firewall Wizards: Re: Firewall Load balancing solution

Re: Firewall Load balancing solution

From: Dean_Weber <Dean_Weber_at_alltel.net>
Date: Tue, 1 Oct 2002 08:43:14 -0400

Hi Rogan,

The Nokia/Checkpoint VRRP solution works very well, provided you remember to
keep active routing protocols away from the physical interfaces. IMNSHO, it
is one of the better hardware fault tolerant solutions, and is actually a
real fail-over (state maintained) as opposed to several of the other vendors
who claim fail-over, but in reality are fall-over (state shared but not
maintained) where state must be re-established in the event of a failure
(and which can cause all kinds of loading issues for SSL/VPN connections).
Of course, this is an active/passive configuration.. I am not aware of
anyone offering a VRRP FW hardware solution in true load balancing
(active/active). Usually, when I have needed a load balancer, I do it
external to the FW (i.e. F5, Foundry, Legato etc.) at the appropriate
point(s), thereby allowing the FW to do what it does best, be a FW. This
also assumes only 2 FW's, there are also some excellent 3 or more, load
balanced solutions on the market, but none are running VRRP that I know
of.... most use some form of proprietary code.

Just my 2 cents, of course.. and YMMV.

Dean

----- Original Message -----
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes_at_deloitte.co.za>
To: <firewall-wizards_at_nfr.net>
Sent: Monday, September 30, 2002 8:31 AM
Subject: RE: [fw-wiz] Firewall Load balancing solution

> Typically you can only load balance between two firewalls of the same type,
> if you want to be able to failover between them in a transparent fashion.
> This is because the two firewalls need to share state information as to what
> connections are being permitted through, and firewalls of different
> manufacture require different state information.
>
> If you don't care if a user's session gets dropped, and they have to restart
> it, you should be able to mix your technologies. I wouldn't advise it
> though, because it can be complicated to debug problems, especially those
> caused by rule base mismatches. More so when you don't know WHICH rulebase
> is causing the problem. Firewalls (from the same vendor) that are configured
> in a hot standby or load balancing configuration typically both get the same
> copy of the rulebase, and so synchronisation problems are not an issue.
>
> However, if you are thinking of deploying a multi-tiered, multi-vendor
> firewall solution (two Pix in front, two CheckPoint behind) this should be
> achievable. Some would even say advisable, due to reduction in Single Point
> of Failure.
>
> I am quite interested to know if anyone has experience with firewalls using
> VRRP to provide load balancing, and what the advantages and disadvantages
> are.
>
> Rogan
>
>
>
> > -----Original Message-----
> > From: Phu Quy [mailto:npquy_at_vnn.vn]
> > Sent: 30 September 2002 01:11
> > To: firewall-wizards_at_nfr.net
> > Subject: [fw-wiz] Firewall Load balancing solution
> >
> >
> >
> > Dear all,
> >
> > I would like to deploy a firewall load balancing solution for
> > our network. Now we have 2 Cisco PIX firewalls and we will
> > have 2 Checkpoint servers in the next few months; I don't know
> > which solution is good for us. I have to choose between the Cisco
> > solution and another.
> > - With the Cisco solution, we need to buy a Content Switching
> > Module for our Catalyst 6509, but I don't know if it can be used
> > for Checkpoint firewall and Cisco PIX firewall load balancing
> > (mixed together).
> >
> > - With the other solution, we intend to buy 2 ServerIron400 from
> > Foundry Networks for the content switching components, but I don't
> > know if I can use many vendors of firewall in this structure also.
> >
> > Pls give me your advice
> >
> > Thanks so much
> > Regards,
> > Quy Nguyen
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards_at_honor.icsalabs.com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> >

Received on Oct 01 2002
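The fail-over versus fall-over distinction Dean draws above, as an added simulation that is not part of this thread: two stateful firewalls in an active/passive pair, run once with connection-state replication to the standby and once without, so the mid-session packet after the primary dies is either accepted or dropped. The class and function names (Firewall, VrrpPair, failover_scenario) and the sample addresses are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample addresses: 10.0.0.5 is an inside client, 203.0.113.9
# (TEST-NET-3 documentation range) is an outside web server.
CLIENT, SERVER = ("10.0.0.5", 40000), ("203.0.113.9", 443)

# flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK carrying mid-session data
Packet = namedtuple("Packet", "src sport dst dport flags")

@dataclass
class Firewall:
    name: str
    alive: bool = True
    sync_peer: "Firewall | None" = None          # set when state sync is on
    conntrack: set = field(default_factory=set)  # (src, sport, dst, dport)

    def handle(self, p: Packet) -> str:
        """Stateful rule base: inside hosts may open outbound sessions; any
        other packet is accepted only if it matches a known connection."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S" and p.src.startswith("10."):
            self.conntrack.add(fwd)
            if self.sync_peer is not None:        # replicate state to standby
                self.sync_peer.conntrack.add(fwd)
            return "ACCEPT"
        return "ACCEPT" if fwd in self.conntrack or rev in self.conntrack else "DROP"

class VrrpPair:
    """Active/passive pair: the backup takes over when the primary dies."""
    def __init__(self, primary: Firewall, backup: Firewall):
        self.primary, self.backup = primary, backup

    def handle(self, p: Packet) -> str:
        return (self.primary if self.primary.alive else self.backup).handle(p)

def failover_scenario(state_sync: bool) -> list:
    """Open a session through fw1, kill fw1, then send a mid-session packet.
    Returns the three verdicts; the last one is the failover test."""
    fw1, fw2 = Firewall("fw1"), Firewall("fw2")
    if state_sync:
        fw1.sync_peer = fw2
    pair = VrrpPair(fw1, fw2)
    verdicts = [pair.handle(Packet(*CLIENT, *SERVER, "S")),
                pair.handle(Packet(*SERVER, *CLIENT, "SA"))]
    fw1.alive = False                             # primary fails here
    verdicts.append(pair.handle(Packet(*CLIENT, *SERVER, "A")))
    return verdicts
```

With state_sync=True the standby already holds the entry and the session survives; with state_sync=False the standby sees an ACK for a flow it never saw the SYN of, which is the "state must be re-established" case Dean describes.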
