Firewall Wizards mailing list archives
Re: PIX Firewall Resilience Question
From: Bill Pennington <billp () rocketcash com>
Date: Fri, 03 Mar 2000 13:48:58 -0800
"Garrahan, Kelvin" wrote:
Hi,

I have seen a design for a resilient PIX firewall configuration and I want some opinions on whether it is a good configuration or not. Also, if anyone has a better idea on how to implement a PIX failover system I would appreciate it.

PIX config

Two PIX 515 with 4 port Ethernet cards in each.

* Two interfaces are connected to outside network. Each outside interface goes into a separate switch.
* Two interfaces are connected to inside network. Each inside interface goes into a separate switch.

Failover between the Firewalls is handled by the PIX failover cable.

My questions are:

1) Can you have two interfaces connected to the same network even if each interface resides on a separate switch?
They would need to have separate IP addresses or one would need to be turned off. If the switches are connected it might be possible to handle the failover with spanning tree. My network knowledge is a bit fuzzy right now.
2) If the above can be done, how is routing handled? From memory, you assign routes to interfaces.
If you are using Cisco routers you could set up floating static routes or just weight the routes differently. The Pix will only talk RIP for routing updates but you can flow RIP updates into EIGRP or OSPF or whatever to get some dynamic updates. You might just want to put a load balancer in front of the firewall.

I have deployed quite a few Pix boxes and I must say they are very stable. The only time I have seen them fail is from misconfiguration or xlate/connection tables filling up. I don't think this kind of setup would help you there. I might be wrong though.

Good luck. I would be interested in finding out how you finally set it up.
I think even if the above works the rules base would become very complicated. Again, any ideas/help would be greatly appreciated.

Thanks in advance,
Kel.

Kelvin Garrahan
Security Consultant
Compaq Professional Services,
Park House, N.C.R., Dublin 7.
Tel: 353-1-8385433
Fax: 353-1-8384239
Email: Kelvin.garrahan () compaq com
--
Bill Pennington
Senior IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com