Firewall Wizards mailing list archives

High Availability and Firewall state transfer


From: Ravi <ravivsn () roc co in>
Date: Wed, 31 Mar 2004 15:49:04 +0530

Hi,

I wanted to find out the compromise between the complexity involved in implementing it and satisfying the typical deployments.

In our boxes, we use a firewall, i.e. a stateful firewall at Layer 3, for many of the services and a proxy for some services. For example, the FTP control connection is proxy based and FTP data connections are handled at the Layer 3 level, with state maintained at Layer 3 (there is no connection termination and initiation for data connections at the firewall). SIP is implemented as a proxy, but RTP/RTCP sessions are taken care of at the L3 level itself.

We have a High Availability feature which, apart from learning that the master/slaves are down, is also expected to transfer firewall session state information. Due to this, the existing connections via the firewall would not be affected during a High Availability switchover.

With respect to implementation, we are not finding any problem in transferring sessions that are not proxy based. Due to this, the FTP data connections, SIP voice sessions and any connections that don't have a corresponding proxy get transferred smoothly and these sessions don't break. But connections that are FTP control connections, SIP control connections and others are not transferred, and due to this, for a new transfer of a file or a new voice conversation, it is required that the users restart the authentication or create a new connection. We are finding it very difficult to transfer the TCP state as it requires transfer of state for each packet and, moreover, TCP/IP stack data structures are not available for transfer.

Questions I have are:
- Is transferring data sessions good enough for most Enterprise installations?
- Are there any better High Availability mechanisms that do not require state transfer, such as duplicating the packet to go through both Primary and backup (this method is also not a foolproof solution)?
- Does anybody know of any solutions that are proxy based and transfer state information?

Thanks in advance
Ravi




_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
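The situation Ravi describes, modelled as an added example (this is not code from the post or from any product mentioned in it): a primary firewall holds a flow table in which FTP data and RTP flows are plain Layer 3 entries, while the FTP control and SIP signalling connections are terminated by local proxies whose real state sits in the proxy's TCP sockets. Only the table-described, unexpired flows are serialised to the backup, so after a switchover the backup passes mid-stream packets of the replicated sessions, drops mid-stream TCP packets of the proxied sessions (the peer has to reconnect), and treats fresh SYNs and UDP datagrams as new sessions for the rulebase. The flow table layout, the JSON sync format, the decision values and all addresses are assumptions constructed for illustration.

```python
# Added example: toy model of firewall HA flow-state replication.
# Not code from the post; table layout, sync format, verdict strings
# and addresses are constructed assumptions.
import json
from dataclasses import dataclass, asdict


@dataclass
class Flow:
    """One session-table entry. For proxied services (FTP control, SIP
    signalling) the table entry is only a pointer to a local socket; the
    real TCP state is in the proxy's stack and cannot be exported."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    state: str        # e.g. "ESTABLISHED"
    expires: float    # absolute idle deadline (epoch seconds)
    proxied: bool = False


def flow_key(proto, src, sport, dst, dport):
    """Direction-independent 5-tuple key so replies hit the same entry."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


class Firewall:
    def __init__(self, name):
        self.name = name
        self.table = {}

    def add_flow(self, flow):
        self.table[flow_key(flow.proto, flow.src, flow.sport,
                            flow.dst, flow.dport)] = flow

    def export_state(self, now):
        """Primary side: serialise only flows whose state is fully described
        by the table (not proxied, not expired). Stale entries are left out so
        the backup does not inherit sessions the primary was about to age."""
        entries = [asdict(f) for f in self.table.values()
                   if not f.proxied and f.expires > now]
        return json.dumps(entries, sort_keys=True)

    def import_state(self, blob):
        """Backup side: rebuild the table from the primary's export."""
        for entry in json.loads(blob):
            self.add_flow(Flow(**entry))
        return len(self.table)

    def classify(self, proto, src, sport, dst, dport, now, syn=False):
        """Verdict for a packet on the node that just became master.
        PASS: belongs to a replicated, live session.
        DROP: TCP packet mid-stream with no state (session not replicated,
              e.g. proxied); the peer must reconnect.
        NEW:  may legitimately open a session (TCP SYN or any UDP datagram);
              it goes to the normal rulebase."""
        flow = self.table.get(flow_key(proto, src, sport, dst, dport))
        if flow is not None and flow.expires > now and not flow.proxied:
            return "PASS"
        if proto == "tcp" and not syn:
            return "DROP"
        return "NEW"


def simulate_failover(now=1_000_000.0):
    """Constructed scenario: one FTP session and one SIP call on the primary,
    plus an already expired DNS flow. Returns the backup's verdicts after it
    imports the primary's replicated state."""
    primary = Firewall("primary")
    primary.add_flow(Flow("tcp", "10.1.1.5", 40001, "203.0.113.7", 21,
                          "ESTABLISHED", now + 300, proxied=True))   # FTP control
    primary.add_flow(Flow("tcp", "10.1.1.5", 40002, "203.0.113.7", 20,
                          "ESTABLISHED", now + 300))                 # FTP data
    primary.add_flow(Flow("tcp", "10.1.1.6", 50123, "203.0.113.9", 5060,
                          "ESTABLISHED", now + 300, proxied=True))   # SIP control
    primary.add_flow(Flow("udp", "10.1.1.6", 16384, "203.0.113.9", 20000,
                          "ESTABLISHED", now + 300))                 # RTP
    primary.add_flow(Flow("udp", "10.1.1.7", 5353, "203.0.113.53", 53,
                          "ESTABLISHED", now - 1))                   # expired DNS

    backup = Firewall("backup")
    replicated = backup.import_state(primary.export_state(now))

    c = backup.classify
    return {
        "replicated": replicated,
        "ftp_data": c("tcp", "10.1.1.5", 40002, "203.0.113.7", 20, now),
        "ftp_data_reverse": c("tcp", "203.0.113.7", 20, "10.1.1.5", 40002, now),
        "ftp_control": c("tcp", "10.1.1.5", 40001, "203.0.113.7", 21, now),
        "rtp": c("udp", "10.1.1.6", 16384, "203.0.113.9", 20000, now),
        "sip_control": c("tcp", "10.1.1.6", 50123, "203.0.113.9", 5060, now),
        "new_ftp_control_syn": c("tcp", "10.1.1.5", 40003, "203.0.113.7", 21, now, syn=True),
        "dns_stale": c("udp", "10.1.1.7", 5353, "203.0.113.53", 53, now),
    }


if __name__ == "__main__":
    for name, verdict in simulate_failover().items():
        print(f"{name:22s} {verdict}")
```

The export carries only what the table itself holds (5-tuple, state, deadline), which is exactly why the L3 flows survive the switchover and the proxied ones do not: nothing in the export can recreate a socket on the backup. The same split applies to any design that tracks TCP sequence windows in the table; those numbers replicate fine, but a terminated connection's send buffers and socket options never reach the sync stream.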