Firewall Wizards mailing list archives
Re: High availability firewalls
From: Billy Smith <smithbw () nosc mil>
Date: Tue, 20 Jan 1998 08:22:08 -0500
Randy.Witlicki. wrote:
>> Does anyone have any suggestions on how to build high availability networks which have a firewall as their one part?
>
> .... much snipped ...
>
>> The question is, how to actually technically do it? On the firewalls side, when firewall 1 goes down, the HA software assigns IP-address and MAC-address of firewall 1 to firewall 2. Now how shall I let routers know that 1 must go down and 2 must go up? What should be used, OSPF, RIP, and how?
>
> Two things come to mind:
>
> 1.) The Cisco PIX firewall has a Failover option - you purchase a second PIX and connect the two with a failover cable:
>
>     LAN 1 ------ router 1 -------- firewall 1 ------ LAN 2
>                               |        X        |
>                               |---firewall 2 ---|
>
> Where "X" is the failover cable and firewall # 2 is idle until firewall # 1 fails. Probably other vendors besides Cisco have this kind of technology available.
>
> 2.) On one of the lists a while back somebody suggested having a second firewall with a higher cost (cost not price in money, but cost in routing metrics). The second router would only route packets if the primary firewall went down. I haven't heard if anybody has actually implemented this.
>
> - Randy -
In the above scenario #2, each firewall would need to be on a separate network for this to work in theory (that is, if you are going to use a dynamic routing protocol like OSPF). If a firewall crashed (i.e. would not pass traffic), it would almost have to be shut down or unplugged in order to get the traffic to fail-over to the other firewall. This is because the firewall could be sending routing updates while failing to pass traffic so the router would assume that the primary firewall is up and operating properly. Thus, no fail-over would occur.

Billy
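The failure mode in the reply above (a firewall that keeps sending routing updates while passing no traffic), as an added example that is not part of the original thread: a small model comparing path selection by routing advertisements alone with selection that also tracks end-to-end probes sent through each firewall. The class, function names, costs, thresholds and probe results are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Path:
    """One firewall path as the router sees it (hypothetical model)."""
    name: str
    cost: int                 # routing metric; lower is preferred
    adverts_ok: bool = True   # control plane: routing updates still arriving
    forwards_ok: bool = True  # data plane: state decided by probes
    fails: int = 0
    passes: int = 0

DOWN_AFTER = 3  # consecutive failed probes before a path is declared down
UP_AFTER = 2    # consecutive good probes before it is trusted again

def record_probe(path, success):
    """Update data-plane state from one end-to-end probe sent through the path."""
    if success:
        path.passes, path.fails = path.passes + 1, 0
        if path.passes >= UP_AFTER:
            path.forwards_ok = True
    else:
        path.fails, path.passes = path.fails + 1, 0
        if path.fails >= DOWN_AFTER:
            path.forwards_ok = False

def pick(paths, use_probes):
    """Cheapest live path. Without probes, 'live' only means updates still arrive."""
    live = [p for p in paths if p.adverts_ok and (p.forwards_ok or not use_probes)]
    return min(live, key=lambda p: p.cost).name if live else None

def simulate(primary_probe_results):
    """Feed constructed probe results for firewall 1; firewall 2 stays healthy.
    Returns one (adverts_only_choice, probe_tracked_choice) pair per round."""
    fw1, fw2 = Path("firewall 1", cost=10), Path("firewall 2", cost=100)
    timeline = []
    for ok in primary_probe_results:
        record_probe(fw1, ok)
        record_probe(fw2, True)
        timeline.append((pick([fw1, fw2], False), pick([fw1, fw2], True)))
    return timeline

# Constructed sample: firewall 1 wedges (still advertising) for 4 rounds, then recovers.
SAMPLE = [True, False, False, False, False, True, True]

if __name__ == "__main__":
    for rnd, (a, t) in enumerate(simulate(SAMPLE), 1):
        print(f"round {rnd}: adverts-only -> {a:10}  probe-tracked -> {t}")
```

The two thresholds add hysteresis so that a single lost probe does not flap traffic between the firewalls.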