Re: High availability firewalls

[Billy Smith <smithbw () nosc mil>]

Randy.Witlicki. wrote:
> > Does anyone have any suggestions on how to build high availability
> > networks which have a firewall as their one part?
>
> .... much snipped ...
>
> > The question is, how to actually technically to it? On the firewalls side,
> > when firewall 1 goes down, the HA software assigns IP-address and
> > MAC-address of firewall 1 to firewall 2. Now how shall I let routers know
> > that 1 must go down and 2 must go up? What should be used, OSPF, RIP, and
> > how?
>   Two things come to mind:
>   1.) The cisco PIX firewall has a Failover option - you purchase a
> second PIX and connect the two with a failover cable:
>
> LAN 1 ------ router 1 -------- firewall 1 ------ LAN 2
>                            |      X          |
>                            |---firewall 2 ---|
>  Where "X" is the failover cable and firewall # 2 is idle
> until firewall # 1 fails.  Probably other vendors besides cisco
> have this kind of technology available.
>
>   2.) On one of the lists a while back somebody suggested having
> a second firewall with a higher cost (cost not price in money,
> but cost in routing metrics).  The second router would only route
> packets if the primary firewall went down.  I haven't heard if
> anybody has actually implemented this.
>
>   - Randy
>  -
In the above senario #2, each firewall would need to be on a separate
network for this to work in theory(that is if you are going to use a
dynamic routing protocol like OSPF).  If a firewall crashed(i.e. would
not pass traffic), it would almost have to be shutdown or unplugged in
order to get the traffic to fail-over to the other firewall.  This is
because the firewall could be sending routing updates while failing to
pass traffic so the router would assume that the primary firewall is up
and operating properly. Thus, no fail-over would occur.

Billy