Firewall Wizards mailing list archives
RE: BigIP controller - any issues?
From: "Hardcastle, Kevin" <Hardcask () abcbs com>
Date: Fri, 1 Oct 1999 08:57:24 -0500
In response to load balancing Gauntlet, I was talking with an NAI rep at The Internet Security Conference and he gave me a copy of a white paper on load balancing Gauntlet Firewalls. To summarize, Network Associates recommends that you use Big/IP for firewall load balancing.

I have used Big/IP to load balance web servers, but never got around to applying that technology to firewalls. The only gotcha that I can remember is when the primary Big/IP device failed and the secondary took over, we had to manually refresh the downstream routers' ARP tables to direct all traffic to the secondary box. It does fail over, but not as clean as we were let on. If I were looking for another appliance for load balancing, they would probably be added to the list.

I would agree with Chris, that the session state would be lost in the event of an outage. Proxies would need to refresh all connections through the failover device.

Kevin

-----Original Message-----
From: Chris Shenton [mailto:cshenton () uucom com]
Sent: Thursday, September 30, 1999 1:17 PM
To: Cleaver, Richard J
Cc: firewall-wizards () nfr net
Subject: Re: BigIP controller - any issues?

On Thu, 30 Sep 1999 11:25:06 +0100, "Cleaver, Richard J" <Richard.Cleaver () capgemini co uk> said:

Cleaver,> I have been asked to investigate the effect of implementing
Cleaver,> the BigIP Controller from F5 networks. It has been proposed
Cleaver,> to place this device (of which I have no experience) on the
Cleaver,> dirty side of internet facing firewalls to achieve firewall
Cleaver,> load balancing. Does anyone know of any security issues with
Cleaver,> this device?

It's a UNIX box under the covers, BSDI. They seem to have done a good job of locking it down and are ssh-aware. Tho I was surprised to see they had IP forwarding enabled so I could route right through it.

You'll need two, if you're interested in fault-tolerance -- which is why you're getting the BIG/ip in the first place I expect. For what they do, I think they're a bit pricey.

RND has a "fireproof" product which does this, but I've grown to loathe their interface for normal load balancers, and their tech support (human and online) leaves a lot to be desired.

Foundry has very cost-effective balancing switches which can be done as dual redundant pairs and I've found their humans quite responsive; only have a little hands on with this product though -- talk to them to see if they'll satisfy your application.

I don't think any of the classic balancers can recover a session's state if the firewall it's using dies. There are a couple vendors who sell solutions specific to CheckPoint Firewall-1 but I'm unaware of fault-tolerant solutions for Gauntlet.

We're planning on doing it with dynamic routing with our routers and back-end servers.