Re: firewall cluster

["r.melchior () telonic de" <r.melchior () telonic de>]

Hi Sandra,

first of all your idea of installing HA with two different operating 
systems is not too bad. But I see some issues with that idea. The first 
is, which you also mentioned below, is the interoperability. If both 
firewalls are not working well in HA they could disrupt the availability 
of your network. So both should be installed with the same hardware and 
software. The second is, you would need to configure both firewalls. If 
you do any change on one you also have to do that on the other (no 
automatic sync). The third is, that there could be security issues that 
could affect both OSes, so doing a failover would not fix that issue. 
The free solution with iptables and Linux/BSD is only so good as the 
person who configures and hardens it.

Maybe you should consider to build-up a two-tier firewall solution, 
where you install the first entrance with a different firewall vendor 
than the second entrance. There are vendors out there who have great 
firewall appliances which support HA (active/standby and active/active 
-> real clustering) and have a well hardened OS (NetScreens, Checkpoint, 
Symantec etc).

If you need greater security in order to control what is going from the 
firewalls into your network and vice versa, you should consider to 
install an IDP directly after the firewalls (snort, Sourcefire, 
TippingPoint, ISS, etc).

- Raimar

Ivan . schrieb:
> Hi,
>
> If you want a HA active/passive setup they must be the same firewall.
>
> So either a Linux iptables firewall using linux HA
> http://www.linux-ha.org/
>
> or a OpenBSD/FreeBSD firewall
> google it
>
> cheers
> Ivan
>
> On 3/27/07, sandra <sandra () fib upc edu> wrote:
> > Hello,
> >
> > We want to set up a cluster of two firewalls with heartbeat. It will 
> > be an active-passive
> > cluster, so if main firewall fails, secondary firewall would become 
> > active.
> > We think that, although they are a cluster, they should have 
> > different Operating Systems
> > (for example linux and BSD), so if a vulnerability has impact in our 
> > main firewall and
> > drops it, the second firewall will start to serve without the same 
> > vulnerability affecting it.
> > Do you think is a good idea or is better to have two identical 
> > firewalls for compatibility
> > issues?
> > Which combination of Operating Systems do you recommend?
> > Thanks,
> >
> > Sandra


--

Mit freundlichen Grüssen / Kind Regards,

Raimar Melchior


TGS-Telonic GmbH
Vertrieb und technische Dienstleistungen
Albin-Köbis-Str. 2
51147 Köln 
Telefon: +49 (0)2203-9648-108
Fax:  +49 (0)2203-9648-131
E-Mail: tgs () telonic de
Handelsregister Friedberg HRB 1629
Geschäftsführer: Horst Schlechter, Andreas Schlechter


RECHTLICHER HINWEIS: Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. 
Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren 
Sie bitte sofort den Absender und vernichten Sie diese Mail.Das unerlaubte Kopieren sowie die unbefugte
Weitergabe dieser Mail ist nicht gestattet.
CONFIDENTIALITY NOTICE: This transmission contains confidential information. The information is
intended only for the use of the recipient named above. If you have received this Email in error,
please immediately notify us by telephone to arrange for return of the confidential information to us.
You are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance
on the contents of this information is strictly prohibited.