RE: BigIP controller - any issues?

["Hardcastle, Kevin" <Hardcask () abcbs com>]

In response to load balancing Gauntlet, I was talking with a NAI rep at The
Internet Security Conference and he gave me a copy of a white paper on load
balancing Gauntlet Firewalls.  To summarize, Network Associates recommends
that you use Big/IP for firewall load balancing.  

I have used Big/IP to load balance web servers, but never got around to
applying that technology to firewalls.  The only gotcha that I can remember
is when the primary Big/IP device failed and the secondary took over, we had
to manually refresh the downstream routers ARP tables to direct all traffic
to the secondary box.  It does fail over, but not as clean as we were let
on.  If I were looking for another appliance for load balancing, they would
probably be added to the list.  

I would agree with Chris, that the session state would be lost in the event
of an outage.  Proxies would need to refresh all connection through the
failover device.

Kevin

-----Original Message-----
From: Chris Shenton [mailto:cshenton () uucom com]
Sent: Thursday, September 30, 1999 1:17 PM
To: Cleaver, Richard J
Cc: firewall-wizards () nfr net
Subject: Re: BigIP controller - any issues?


On Thu, 30 Sep 1999 11:25:06 +0100, "Cleaver, Richard J"
<Richard.Cleaver () capgemini co uk> said:

Cleaver,> I have been asked to investigate the effect of implementing
Cleaver,> the BigIP Controller from F5 networks. It has been proposed
Cleaver,> to place this device (of which I have no experience) on the
Cleaver,> dirty side of internet facing firewalls to achieve firewall
Cleaver,> load balancing. Does anyone know of any security issues with
Cleaver,> this device?

It's a UNIX box under the covers, BSDI. They seem to have done a good
job of locking it down and are ssh-aware. Tho I was surprised to see
they had IP forwarding enabled so I could route right through it. 

You'll need two, if you're interested in fault-tolerance -- which is
why you're getting the BIG/ip in the first place I expect. For what
they do, I think they're a bit pricey. RND has a "fireproof" product
which does this, but I've grown to loathe their interface for normal
load balancers, and their tech support (human and online) leaves a lot
to be desired. Foundry has very cost-effective balancing switches
which can be done as dual redundant pairs and I've found their humans
quite responsive; only have a little hands on with this product though
-- talk to them to see if they'll satisfy your application.

I don't think any of the classic balancers can recover a session's
state if the firewall it's using dies. There are a couple vendors who
sell solutions specific to CheckPoint Firewall-1 but I'm unaware of
fault-tolerant solutions for Gauntlet. We're planning on doing it with
dynamic routing with our routers and back-end servers.