Firewall Wizards mailing list archives

RE: Hardware vs. Software firewall reliability

From: "Joe Ippolito" <joe () joesnet com>
Date: Tue, 14 Sep 1999 22:17:48 -0700

Load sharing is a manual configuration?
Sessions would be lost and have to be reestablished?
This could be a pretty big hiccup with a few hundred sessions?

-----Original Message-----
From: owner-firewall-wizards () lists nfr net
[mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Bill Stout
Sent: Monday, September 13, 1999 2:03 PM
To: 'firewall-wizards () nfr net'
Subject: RE: Hardware vs. Software firewall reliability

I suspect the answers are vendor-specific here.

So why would a VPN not fail over?  Current sessions should break, but should
be no more interruption than temporary packet loss on the Internet.

Rather than start a new VPN on failover, why not have two VPNs predefined
and ready to accept connections once the IP address is failed over?

Bill Stout

 -----Original Message-----
From:   Ryan Russell [mailto:Ryan.Russell () sybase com]
Sent:   Saturday, September 11, 1999 3:07 PM
To:     Aaron D. Turner
Cc:     Joe Ippolito; Franck Veysset; firewall-wizards () nfr net
Subject:        RE: Hardware vs. Software firewall reliability

I thought the problem with H/A and VPN is only one of the firewalls
can have the VPN "certificate".  When the primary fails and the
secondary takes over the remote site aborts the VPN because the
secondary has the wrong cert.  The fix is to manually update the
certificates (or perhaps via a script).

Beacuse, by default, FW-1 allows any established connection through,
the state table of the secondary shouldn't become an issue.  If FW-1
didn't allow that, all established connections would drop when the
secondary took over.


... And "established " only applies to TCP, and the VPN doesn't
run over TCP.  It runs over IP in IP.  The problem is that FW-1's
state sharing code always seems to lag behind the new features,
so you get things like the VPN state not being shared even though it's
been around for awhile.

                         Ryan


My Recipe - 20% Indonesian, 40% Dutch, 30% French, 10% Other.  American born
and damn proud of it.

Indonesia - Replaced Dutch rule with a brutal Dictatorship in the name of
'Freedom'.  I pray justice for their acts in East Timor will be just as
brutal on them, and as surgical as possible.

Current thread:

RE: Hardware vs. Software firewall reliability, (continued)
- - RE: Hardware vs. Software firewall reliability Lart (Sep 09)
    - RE: Hardware vs. Software firewall reliability Lart (Sep 11)
- Re: Hardware vs. Software firewall reliability Vin McLellan (Sep 09)
- RE: Hardware vs. Software firewall reliability Bill Stout (Sep 09)
- RE: Hardware vs. Software firewall reliability Ryan Russell (Sep 12)
  - Tripwire like perl program Siglite (Sep 14)
- RE: Hardware vs. Software firewall reliability dwelch (Sep 14)
  - RE: Hardware vs. Software firewall reliability Joe Ippolito (Sep 14)
- RE: Hardware vs. Software firewall reliability Bill Stout (Sep 14)
  - RE: Hardware vs. Software firewall reliability Tina Bird (Sep 18)
  - RE: Hardware vs. Software firewall reliability Joe Ippolito (Sep 18)
  - Re: Hardware vs. Software firewall reliability Chenggong Charles Fan (Sep 18)
- RE: Hardware vs. Software firewall reliability dwelch (Sep 18)
- RE: Hardware vs. Software firewall reliability Garrahan, Kelvin (Sep 18)