
Re: [FW1] FW-1 Load Balancing and Redundancy Solution.... (Interesting)

Jean-Luc,

Afraid I'm not at all experienced enough with PIX to add much.

However, one problem that has driven companies away from it is its Management
Arch.  With CheckPoint you can have 8 Firewalls running the same policy, 2
systems each physically located in 3 different Cities.  More and more companies
are designing networks like this for Availability and load sharing.  All fw
modules can be managed by 1 fw manager.  Logs are central and you update in one
place.

If this were PIX, you would need to config each system independently even though
they were running the same policy.  This doesn't scale and leaves room for user
error.  My understanding is that PIX will forward packets faster and more
efficiently; however, again the Enterprise Management leaves a lot to be desired.

The load balancing switch I was referring to is by Foundry.  Whether it's
CheckPoint or PIX, the next hop Foundry switch won't care.  It is merely set up
with a configuration to send the packets to a farm of FWs.  Therefore I'm
inclined to believe this product would be able to share load to a farm of PIX FWs.

In some situations primary and hot standby don't work.  I know of a site that
supports over 60,000 concurrent sessions.  As you know CKP by default is set to
25000.  Business demands often drive technological needs.

HC

Jean-Luc.Labbe@comparex.es on 11/05/99 02:47:46 PM

To:   Harry Chu/CTS/US/INSTINET@INSTINET
cc:
Subject:  Re: [FW1] FW-1 Load Balancing and Redundancy Solution....
      (Interesting)

Harry,

I have always believed that the best thing to do (instead of load balancing
firewalls and running into many problems) is to have a primary and a backup
firewall. I would invest as much as possible on the Primary firewall and get
the minimum platform for the backup (to save money...).

But if I may, I would be very interested to know your opinion on the Cisco
Secure PIX firewall... have you got any experience on this product? In fact I
am not too sure whether it is possible to load balance traffic through 2 PIXs
connected in parallel, because Cisco only seem to talk about the Connection
Table Synchronisation as and when implementing the failover stuff... perhaps
you know more?!!!?

Feedback much appreciated...

Thanks in advance.

Jean-Luc LABBE



PS:  According to Cisco:
"With version 5.0, you can choose the Stateful Failover option if you have 100
Mbps LAN interfaces so that connection states are automatically relayed between
the two units. Both units in a failover pair communicate through the failover
cable, which is a modified RS-232 serial link cable that transfers data at 9600
baud. The data provides the unit identification of Primary or Secondary, the
power status of the other unit, and serves as a communication link for various
failover communications between the two units. The two units send special
failover "hello" packets to each other over all network interfaces and the
failover cable every 15 seconds. The failover feature in PIX Firewall monitors
failover communication, the power status of the other unit, and hello packets
received at each interface. If two consecutive hello packets are not received
within a time determined by the failover feature, failover starts testing the
interfaces to determine which unit has failed, and transfers active control to
the Standby unit.
When a failover occurs, each unit changes state. The newly Active unit assumes
the IP and MAC addresses of the previously Active unit and begins accepting
traffic. The new Standby unit assumes the failover IP and MAC addresses of the
unit that was previously the Active unit. Because network devices see no change
in these addresses, no ARP entries change or timeout anywhere on the network.
If you are using Stateful Failover, connection states are relayed from the
Primary unit to the Secondary unit. Without Stateful Failover, the Standby unit
does not maintain the state information of each connection. This means that all
active connections will be dropped when failover occurs and that client systems
must reestablish connections."
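The hello-monitoring rule in the quoted Cisco text (a hello every 15 seconds on every interface and on the failover cable; two consecutive misses start interface testing), as an added Python model that is neither Cisco's code nor from this thread: it tracks the last hello seen per link and reports which links are overdue. The link names, the timeline and the peer_silent rule are assumptions; the real PIX also watches the peer's power status over the cable.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# From the quoted text: one hello per 15 seconds on every interface and on the
# failover cable; two consecutive misses on a link start interface testing.
HELLO_INTERVAL = 15.0
MISSES_BEFORE_TEST = 2


@dataclass
class FailoverMonitor:
    """Last hello received per link (each interface plus the failover cable)."""
    last_hello: Dict[str, float] = field(default_factory=dict)

    def hello(self, link: str, at: float) -> None:
        """Record a hello packet from the peer on `link` at time `at` (seconds)."""
        self.last_hello[link] = at

    def missed(self, link: str, now: float) -> int:
        """Whole hello intervals elapsed since the peer was last heard on `link`."""
        return int((now - self.last_hello[link]) // HELLO_INTERVAL)

    def links_to_test(self, now: float) -> List[str]:
        """Links overdue by two hellos, i.e. where interface testing should begin."""
        return sorted(link for link in self.last_hello
                      if self.missed(link, now) >= MISSES_BEFORE_TEST)

    def peer_silent(self, now: float) -> bool:
        """Assumed rule: the peer is considered failed only when every link,
        cable included, is overdue (a single quiet interface is a link fault)."""
        return (bool(self.last_hello)
                and len(self.links_to_test(now)) == len(self.last_hello))


def simulate() -> FailoverMonitor:
    """Constructed timeline: the peer answers on all links until t=30, then its
    outside interface goes quiet while inside and cable hellos continue to t=60."""
    mon = FailoverMonitor()
    for t in (0.0, 15.0, 30.0):
        for link in ("inside", "outside", "cable"):
            mon.hello(link, t)
    for t in (45.0, 60.0):
        mon.hello("inside", t)
        mon.hello("cable", t)
    return mon


if __name__ == "__main__":
    mon = simulate()
    print("t=61 test:", mon.links_to_test(61.0), "silent:", mon.peer_silent(61.0))
    print("t=95 test:", mon.links_to_test(95.0), "silent:", mon.peer_silent(95.0))
```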

Harry_Chu@Instinet.com on 05/11/99 19:22:11

To:   James Alan Conner <james.conner@qxl.com>
cc:   fw-1-mailinglist@lists.us.checkpoint.com (bcc: Jean-Luc
      Labbe/ES/COMPAREX/BASF)
Subject:  Re: [FW1] FW-1 Load Balancing and Redundancy Solution....
      (Interesting)

Not exactly clear on this solution.

The typical problem with load balancing with CheckPoint FW-1 is state.
Basically, if communication is initially established through fw-a, the reply
traffic must come back through fw-a.  The state sync between CKP Firewalls is
too slow to permit the flow back through another fw; simply put, the State
tables don't update fast enough and most likely never will.  It's about 50 mil,
which is about 50 life times in network time.

Therefore, if you have, let's say, 4 firewalls load balancing, how does this
product ensure that the comm. will come back in the same way it went out?

Many vendors claim to be able to load balance for firewalls, but when it gets
taken to the lab it doesn't work well.  I presently know of one solution that
provides load balancing features for a Stateful FW, from Foundry.  It is one of
their Server Irons, a Layer 4 Switch.  It uses a configurable Hashing Algorithm
to make decisions.

The flow is as follows:

     1)   A packet is forwarded from 172.28.1.1 to the internal layer 4 switch,
          destined for 170.16.15.69, service telnet
     2)   The switch takes the Src IP, Dst IP and comes up with a mathematical
          value
     3)   It then reviews its config, and sees that its next hop should be Fw #4
     4)   The packet is forwarded out Fw #4
     5)   170.16.15.69 (dst) receives the syn packet and responds with an ack.
     6)   The reply traffic (ack) arrives at the external layer 4 switch, and the
          same math problem is executed as in step 2
     7)   The resulting value is evaluated and the packet is again forwarded to
          Fw #4

HC
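The property steps 2 and 6 depend on, as an added Python example (not code from the post or from Foundry's Server Iron): a hash of the (src, dst) pair in packet order sends a request and its reply to different firewalls, whereas hashing the pair in canonical (lower address first) order gives both switches the same answer, so the reply reaches the firewall that holds the state entry. The farm size, the SHA-256 bucketing and the extra sample flows are assumptions, and the scheme assumes no NAT rewrites the address pair between the two switches.

```python
import hashlib
import ipaddress

# Constructed farm size: the post's example hashes onto four firewalls.
FIREWALL_COUNT = 4


def _bucket(material: str, count: int) -> int:
    """Map a string deterministically to a firewall number 1..count."""
    digest = hashlib.sha256(material.encode("ascii")).digest()
    return int.from_bytes(digest[:4], "big") % count + 1


def naive_pick(src: str, dst: str, count: int = FIREWALL_COUNT) -> int:
    """Hash (src, dst) in the order the packet carries it.

    The request (src->dst) and the reply (dst->src) hash different strings,
    so the internal and external switches often choose different firewalls,
    and the stateful firewall that never saw the SYN drops the reply.
    """
    return _bucket(f"{src}->{dst}", count)


def symmetric_pick(src: str, dst: str, count: int = FIREWALL_COUNT) -> int:
    """Hash the endpoint pair in canonical (lower address first) order.

    Both switches compute the same value for a flow whatever its direction,
    so the reply is forwarded through the firewall holding the state entry.
    Assumes no NAT rewrites the address pair between the two switches.
    """
    a = int(ipaddress.ip_address(src))
    b = int(ipaddress.ip_address(dst))
    lo, hi = (src, dst) if a <= b else (dst, src)
    return _bucket(f"{lo}|{hi}", count)


def is_symmetric(pick, flows) -> bool:
    """True when pick() sends every request and its reply the same way."""
    return all(pick(s, d) == pick(d, s) for s, d in flows)


# Constructed flows: the post's 172.28.1.1 -> 170.16.15.69 telnet session plus
# a spread of other client/server pairs to exercise the distribution.
SAMPLE_FLOWS = [("172.28.1.1", "170.16.15.69")] + [
    (f"10.1.{i}.{i * 3 % 256}", f"192.0.2.{i}") for i in range(1, 40)
]

if __name__ == "__main__":
    print("packet-order hash symmetric:", is_symmetric(naive_pick, SAMPLE_FLOWS))
    print("canonical hash symmetric:   ", is_symmetric(symmetric_pick, SAMPLE_FLOWS))
```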

James Alan Conner <james.conner@qxl.com> on 11/05/99 10:15:24 AM

To:   fw-1-mailinglist@lists.us.checkpoint.com
cc:    (bcc: Harry Chu/CTS/US/INSTINET)
Subject:  [FW1] FW-1 Load Balancing and  Redundancy Solution.... (Interesting)

Dear Mailing List Guys,

Quite an interesting one here. Not sure if I can explain it well enough here
to do justice to the problem. It's all about routing and ProxyArp at the end
of the day.

I have come across a product which offers load balancing across multiple
servers. The product in question is the HyperFlow2 Switch from HolonTech.
See (http://www.holontech.com/products/whitepapers/hardware_clusters.html)
for more information. This product, in addition to many other clever
features, offers `Router Fault Tolerance` through its use of router pools.
(See P.15 of the PDF, or look at the HTML link above). These boxes will
monitor the IRDP (Router Discovery) multicast broadcasts made by the routers
to ensure that the router is alive, and fail over to an alternative router
(by rewriting MAC addresses) if necessary. (This is all really quite cool,
and involves a lot of Y shaped network cables).

Time for some ASCII artwork..........

A) Recommended solution

                    Internet
                          /   \
          Backup           /        \8Meg
          ___________ /       _\__________
          | Router A    |-----------------| Router B    |
          |__________|        |__________|
               |\_____________  ____/|           <-- Y Shaped
Ethernet Cables attach Firewall A and B to both Hyperflows
          _______|__/__       _\_____|____
          | Hyperflow-A |---------------| Hyperflow-B |
          |___________|       |___________|
               | \____________  ____/ |           <-- Y Shaped
Ethernet Cables attach both Hyperflows to Both Servers
          _______|__/__       _\_____|____
          | Server-A      |---------------| Server-B      |
          |___________|       |___________|


B) What I want to do!

                    Internet
                          /   \
          Backup           /        \8Meg
          ___________ /       _\__________
          | Router A    |-----------------| Router B    |
          |__________|        |__________|
               |              |
          _______|____        _______|____
          | Firewall-A    |        | Firewall-B    |
          |___________|       |___________|
               |\_____________  ____/|           <-- Y Shaped
Ethernet Cables attach Firewall A and B to both Hyperflows
          _______|__/__       _\_____|____
          | Hyperflow-A |---------------| Hyperflow-B |
          |___________|       |___________|
               | \____________  ____/ |           <-- Y Shaped
Ethernet Cables attach both Hyperflows to Both Servers
          _______|__/__       _\_____|____
          | Server-A      |---------------| Server-B      |
          |___________|       |___________|

So, my questions are as follows.

A) Will firewall-1 allow multicast traffic to pass, so that IRDP will work?
(Presumably Yes)
B) IRDP presumably advertises IP address rather than MAC. If this is the
case, then we'll need to publish RouterB as FW-B's internal MAC for the
Hyperflow to see it. However, we're now in a situation where the IP address
of the router will be on the same subnet as the Servers/Hyperflows, but the
router must route this subnet via FWs in order to talk to the Servers. To
solve this, we must(?) publish MAC addresses for the servers on the internet
facing interface of the FWs. Can firewall-1 deal with this situation?
C) Anyone got any better ideas?

Cheers.

James Conner

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================