Re: [FW-1] Redundant firewalls without fancy software?
Hi,

Nothing like having Cor(e)P(i)rate VENDwhOReS answering pretty important questions on a firewall list with links to their 20K products..................

TopLayer = 30K (I know a 10K lite version is coming....) Nice solution, especially with IDS..........
RadWare = 20K (no software) hardware based.....

My interpretation of the original poster's intent was.... No software for HA = No extra cash...............

---------------
Here is a way to do it, but you need to run OSPF on the firewalls:
http://www.hanetworks.com/networks/ospf/
http://www.hanetworks.com/design.html
Just a good site overall, covers some other options......

----------------
http://rr.sans.org/firewall/load_balancers.php  Firewall Load Balancers
http://rr.sans.org/firewall/new_design.php  The New Firewall Design Question
*a must read when looking at these issues.....

----------------
While I am not a big fan of running anything, especially a dynamic routing protocol, on the firewall, you could use the built-in authentication inside OSPF...have never done that on a SunBox (GateD), have done it on Proteon and Cisco routers...works and is relatively secure....

Could also use BGP enabled routers, Cisco 2500 or 2600 with standard mem. [don't need the full BGP routing table deal and 128K mem as you would not be pulling down the whole Inet routing tables...]. When you say BGP folks just normally assume that...I am not talking about BGP redundancy with an ISP. What I am suggesting is just basic BGP HA (firewall sandwich):

          BGP                 BGP
        router=============router
          A                   B
          |                   |
     FWa  FWb            FWc  FWd
          |                   |
          BGP                 BGP
        router==============router
          C                   D

The above will provide the simple failover you need.......Depending upon your existing architecture, it may just be an additional two routers... Or if you have 4 FW's you may have Cisco HSRP w/multiple routers already..... Done loads.......pretty straightforward........
---------------------------
http://www.networkingunlimited.com/white001.html  Configuration for Transparently Redundant Firewalls

Ensure you use an IOS ver that does not have....
http://www.ciac.org/ciac/bulletins/l-082.shtml  L-082: Cisco IOS BGP Attribute Corruption Vulnerability
*Potential security considerations in this overall design.... actually any network based HA solution using network type failover...HSRP, BGP, OSPF........

---------------------------
Falling back and punting................

Let's say the HA need is only to maintain outbound HTTP from the inside LAN (from users' desktops..) and outbound and inbound SMTP through the firewalls....

A very basic and standard way to do this without software and fancy hardware based switches (RadWare, TopLayer, etc...) is to use the standard Solaris default route to round robin between two ISP links......guess this means two ISP links...but you should have that if you have four FW-1's on Solaris boxes [.....it's all about maintaining internal users' HTTP traffic and inbound/outbound e-mail.....usually....in this case the company's main Web page is hosted not on-site, as it should be if it's just a 'brochure site', as most main Web pages are]. If you do have a Web server then bog standard DNS 'round robin' will do.... two A records for the same URL www.somecompany.com, one on the CIDR IP of ISP a and one pointing to a CIDR IP from ISP c....okay....

---------------------------------
DNS round-robin: BIND 4.9.4 (and later) will automatically rotate the two addresses in responses.

    www    IN    A    10.10.10.1
    www    IN    A    192.70.125.1

For more detail: http://www.itworld.com/nl/unix_sys_adm/02072001/  Load Balancing Using Round Robin DNS

--------------------------------
You take an IP address from ISPa and assign that to the mail server in the DMZ....then you also assign an IP from ISPb to the same mail server NIC. So the mail server host now has two IP addresses.
Via DNS MX record preferences, to route inbound e-mail to the IP of the mail server from ISPa, make that have a higher MX preference value.....then assign a lower MX preference to the IP address on the mail server from ISPc.

Now the outbound....e-mail...and HTTP....[this assumes that you have an internal e-mail server....and/or are using the SMTP server in the DMZ as a SMTP smart relay...] set up Solaris 'round robin' default routes to:

--------------------
           ISP              ISP
          router           router
            A                B
   Ethernet of ISP routers =======HSRP======
        /\      /\      /\      /\
        |       |       |       |
       FWa     FWb     FWc     FWd
   --------------------------------------------------------------
   Solaris Box...doing 'round robin' routing to the IPs of the four FW's........
   --------------------------------------------------------------
                         /\
                         |
                         |
   Internal LAN (default route) pointing to Solaris box before the 4 FW's....

-----------------------
For info on setting up multiple default routes on Solaris....... see SunSolve INFODOC ID: 17516 How does multiple default routes work?
http://www.ebsinc.com/solaris/routing.html
OR, http://www.manucomp.com/solaris_tips_routing.html (see through Google cache....better formatting...not all jumbled up like the above live link............)

-------------------------
Or, you could just trade in the Solaris boxes for some Nokia's and use the NetStuff FW process monitoring script (posted to this list a few weeks back....).......

============
www.deathstar.ch/security/fw1/OperatingSystemIPSO/files/monitor-script.pdf

IPSO VRRP is a very good and cheap way to build a HA configuration with FireWall-1. It can be configured to monitor interfaces for a physical shutdown. But there is one disadvantage: it does not perform a fail over in case of a FireWall-1 crash or when a policy unload is performed. So it's possible that a firewall in a cluster is the master for VRRP, but FireWall-1 has stopped.
This script will monitor the FireWall-1 process and if the process has been stopped or a policy unload has been performed, the backup firewall will take over the VRRP addresses. Shutting down one of the interfaces on the primary box does this.
==============

IP440=18K w/out CheckPoint software....

Or, possibly modify this script to do a similar thing on Solaris?!?!........

Or, StoneBeat FullCluster (big issue on Solaris 2.7 with non-unlimited CheckPoint licenses.....) which is relatively stable at this point..... SBFC=14K

(all references to prices must be verified through local resellers...and are given as a rough average, so you can do a 'quick n dirty' ROI cost-benefit analysis yourself....)

Thank you,

Joe McGean
Allianz, Ireland
Technical Security Architect
www.allianz.ie
+353-1-6673833
======================
The above opinions are mine and not those of Allianz, Ireland, and should not be construed as such.
======================
Please note we sell insurance, not firewalls................ ;)

Good paper on Solaris Routing....... http://www.enteract.com/~lspitz/routing.html  Routing with Solaris

Trunkwala Qutub <[email protected]> on 19/02/2002 04:37:50
Please respond to Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
cc: (bcc: Joe McGean/AGFIL/AGF)
Subject: Re: [FW-1] Redundant firewalls without fancy software?

Find out the best switch based solution:
http://www.toplayer.com

--- Zelljko Stanivuk <[email protected]> wrote:
> unsubscribe
>
> -----Original Message-----
> From: David A. Gianna [mailto:[email protected]]
> Sent: Monday, February 18, 2002 12:09 PM
> To: [email protected]
> Subject: Re: [FW-1] Redundant firewalls without fancy software?
>
> Check out a switch-based solution:
> www.radware.com
>
> Dave Gianna, MS, CCSE, CCSI, NSA, RSA/CA
> Technical Sales Engineer
> Security Technologies Group
> Westcon, Inc.
> <http://www.westcon.com/online/>
> 520 White Plains Road
> Tarrytown, NY 10591
>
> ====================================================
> "It's time to reach the goals we set for ourselves"
> -- Trevor Rabin/Jon Anderson
> ====================================================
>
> agentstazi <agentstazi@COX.NET>, 02/18/02 11:35 AM
> Please respond to Mailing list for discussion of Firewall-1
> To: [email protected]
> cc: (bcc: David Gianna/Westchester/Westcon/US/WestconGroup)
> Subject: [FW-1] Redundant firewalls without fancy software?
>
> Hi,
>
> New to the list and CP, so bear with me. I have 4 FW1 boxes all running on
> Solaris. Each box with 8 NICs (2 quad cards) FE. I would like to have some
> type of HA redundancy without having to buy any more software. Is there a
> way that if one firewall fails it will switch over to the standby FW?
>
> Stephen
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
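An added example (not the deathstar.ch monitor script quoted above and not any Check Point code): a small POSIX shell health probe in the spirit of that VRRP monitor, which decides from `fw stat` output and the process list whether FireWall-1 is still healthy and, if not, downs the VRRP-tracked interface so the backup takes over. The `fw stat` column layout, the `fwd` process name and the VRRP_IF interface name are assumptions, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: FireWall-1 health probe in the spirit of the IPSO VRRP
# monitor script.  Assumptions: `fw stat` prints one header line and then
# one line per host with the policy name in column 2 ("-" when unloaded);
# the enforcement daemon shows up in `ps -ef` as .../fwd; downing VRRP_IF
# makes the backup node take the VRRP addresses.
VRRP_IF="${VRRP_IF:-le0}"   # assumption: the interface VRRP tracks here

# fw_policy_loaded TEXT: succeeds only if at least one host line is present
# and none of them reports "-" (policy unloaded) in the POLICY column.
fw_policy_loaded() {
    printf '%s\n' "$1" | awk '
        NR > 1 && NF > 0 { seen = 1; if ($2 == "-") bad = 1 }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# fwd_running TEXT: succeeds if a ps listing shows a process whose command
# path ends in /fwd (with or without trailing arguments).
fwd_running() {
    printf '%s\n' "$1" | grep -Eq '/fwd( |$)'
}

# failover_decision STAT_TEXT PS_TEXT: prints "keep" when this node should
# stay VRRP master, "release" when the backup should take over.
failover_decision() {
    if fw_policy_loaded "$1" && fwd_running "$2"; then
        echo keep
    else
        echo release
    fi
}

# Constructed sample inputs (not captured from a real firewall).
SAMPLE_STAT_OK='HOST      POLICY   DATE
localhost Standard 19Feb2002 04:37:50 :  [>le0] [<le0] [>hme0] [<hme0]'
SAMPLE_STAT_UNLOADED='HOST      POLICY   DATE
localhost -        -  :  >le0 <le0 >hme0 <hme0'
SAMPLE_PS_OK='    root   212     1  0 04:30:00 ?        0:05 /opt/CPfw1-41/bin/fwd'
SAMPLE_PS_DEAD='    root   213     1  0 04:30:00 ?        0:01 /usr/sbin/inetd -s'

# Live mode, meant to be run from cron on the VRRP master: only acts when
# explicitly asked, so sourcing the file for its functions is side-effect free.
if [ "${1:-}" = "--run" ]; then
    decision=$(failover_decision "$(fw stat 2>/dev/null)" "$(ps -ef)")
    if [ "$decision" = "release" ]; then
        logger -p daemon.err "fw1-monitor: FireWall-1 unhealthy, downing $VRRP_IF"
        ifconfig "$VRRP_IF" down
    fi
fi
```

Run it as `fw1-monitor.sh --run` from cron on the master only; on the backup the same check can alert instead of acting, since downing an interface there would leave no node to take over.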