Security Basics mailing list archives
Re: firewall cluster
From: "r.melchior () telonic de" <r.melchior () telonic de>
Date: Wed, 28 Mar 2007 08:52:30 +0200
Hi Sandra,

First of all, your idea of installing HA with two different operating systems is not too bad. But I see some issues with that idea. The first, which you also mentioned below, is interoperability. If both firewalls are not working well in HA they could disrupt the availability of your network. So both should be installed with the same hardware and software. The second is that you would need to configure both firewalls. If you do any change on one you also have to do that on the other (no automatic sync). The third is that there could be security issues that could affect both OSes, so doing a failover would not fix that issue. The free solution with iptables and Linux/BSD is only as good as the person who configures and hardens it.

Maybe you should consider building up a two-tier firewall solution, where you install the first entrance with a different firewall vendor than the second entrance. There are vendors out there who have great firewall appliances which support HA (active/standby and active/active -> real clustering) and have a well hardened OS (NetScreens, Checkpoint, Symantec etc).

If you need greater security in order to control what is going from the firewalls into your network and vice versa, you should consider installing an IDP directly after the firewalls (snort, Sourcefire, TippingPoint, ISS, etc).
- Raimar

Ivan . wrote:

Hi,
If you want a HA active/passive setup they must be the same firewall. So either a Linux iptables firewall using Linux HA http://www.linux-ha.org/ or an OpenBSD/FreeBSD firewall, google it.
cheers
Ivan

On 3/27/07, sandra <sandra () fib upc edu> wrote:

Hello,
We want to set up a cluster of two firewalls with heartbeat. It will be an active-passive cluster, so if the main firewall fails, the secondary firewall would become active. We think that, although they are a cluster, they should have different Operating Systems (for example Linux and BSD), so if a vulnerability has an impact on our main firewall and drops it, the second firewall will start to serve without the same vulnerability affecting it. Do you think it is a good idea, or is it better to have two identical firewalls for compatibility issues? Which combination of Operating Systems do you recommend?
Thanks,
Sandra
--
Kind regards,
Raimar Melchior
TGS-Telonic GmbH
Sales and technical services
Albin-Köbis-Str. 25, 51147 Köln
Phone: +49 (0)2203-9648-108
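Raimar's second point, that a hand-configured pair has no automatic sync, is something an operator can check for rather than trust. The following is an added example, not code from this thread or from any product named in it: a POSIX shell drift check that normalises two iptables-save dumps (timestamps and packet/byte counters stripped, rule order kept) and reports where the standby's ruleset differs from the primary's. The two sample dumps, including the 192.0.2.0/24 addresses, are constructed for the example.

```shell
#!/bin/sh
# Detect configuration drift between the two nodes of an active/passive
# firewall pair by comparing their iptables-save dumps after stripping the
# parts that legitimately differ (timestamps, packet/byte counters).

# Constructed sample dumps, not real rulesets: $1 receives the primary's
# dump, $2 a standby that lost one FORWARD rule and has different counters.
write_samples() {
    cat > "$1" <<'EOF'
# Generated by iptables-save on Wed Mar 28 08:52:30 2007
*filter
:INPUT DROP [1234:567890]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [99:8765]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.10 -j ACCEPT
-A FORWARD -p tcp --dport 443 -d 192.0.2.80 -j ACCEPT
COMMIT
# Completed on Wed Mar 28 08:52:30 2007
EOF
    sed -e '/^-A FORWARD/d' -e 's/\[[0-9]*:[0-9]*\]/[0:0]/' "$1" > "$2"
}

# Drop comment lines and counters; rule order is kept because it matters.
normalize_ruleset() {
    sed -e '/^#/d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/ \[[0-9]*:[0-9]*\]$//' "$1"
}

# Short fingerprint of the normalised ruleset; log it from each node and
# alert when the two values differ.
ruleset_fingerprint() {
    normalize_ruleset "$1" | cksum | cut -d' ' -f1
}

# Print the rule-level diff; exit status 0 when the nodes agree, 1 otherwise.
compare_rulesets() {
    a=$(mktemp) && b=$(mktemp) || return 2
    normalize_ruleset "$1" > "$a"
    normalize_ruleset "$2" > "$b"
    if diff -u "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}
```

Running `write_samples p s && compare_rulesets p s` prints only the missing FORWARD rule, not the counter or timestamp noise.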