Firewall Wizards mailing list archives

Re: High availability firewalls


From: Adam Shostack <adam () homeport org>
Date: Tue, 20 Jan 1998 10:00:29 -0500 (EST)

You forgot the crossover links.  Each firewall machine has 2 network
interfaces per side (inside, outside, dmzside(?).)  One interface on a
side plugs into either hub, thus we get a crossbar architecture.

It might also be worth looking at using a non star implementation,
such as thinnet, to remove the hubs from the picture.  Always struck
me as a simpler solution, but couldn't sell my customers at the time
on it.  You do have the possibility of a transceiver failure, but
since those tend to be line powered, there is a lower chance of
failure.

Adam



Jyri Kaljundi wrote:

| So this seems more reliable:
| 
| LAN 1 ------ router 1 -------- firewall 1 ------ LAN 2
|         |       |                  |         |
|         ---- router 2 -------- firewall 2 ----
| 
| But is it better than the 1st diagram? When router 1 and firewall 2 go
| down, the system will not work anymore, although in diagram 1 it would
| still work. 
| 
| The question is, how to actually technically do it? On the firewalls side,
| when firewall 1 goes down, the HA software assigns IP-address and
| MAC-address of firewall 1 to firewall 2. Now how shall I let routers know
| that 1 must go down and 2 must go up? What should be used, OSPF, RIP, and
| how?
| 
| Jyri Kaljundi
| jk () stallion ee
| AS Stallion Ltd
| http://www.stallion.ee/
| 
| 


-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
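As an added illustration of the availability argument above (this is not code from the thread or from either poster), the following Python script models Jyri's second diagram and Adam's crossbar wiring as node graphs and enumerates which single and double component failures cut LAN 1 off from LAN 2. The hub names (hubA_out, hubB_out, hubA_in, hubB_in) and the assumption that router 1 sits on hub A and router 2 on hub B are constructed for the example; the inside-facing hubs are modelled symmetrically.

```python
"""Availability check for the two HA firewall layouts discussed in the thread.

Constructed example: node and hub names are illustrative, not from any product.
"""
from itertools import combinations

# Jyri's second diagram: each router is wired to exactly one firewall.
PAIRED = [
    ("lan1", "router1"), ("lan1", "router2"),
    ("router1", "firewall1"), ("router2", "firewall2"),
    ("firewall1", "lan2"), ("firewall2", "lan2"),
]

# Adam's crossbar: two hubs per side, each firewall has one interface on
# each hub, so every router can reach every firewall (hub names assumed).
CROSSBAR = [
    ("lan1", "router1"), ("lan1", "router2"),
    ("router1", "hubA_out"), ("router2", "hubB_out"),
    ("hubA_out", "firewall1"), ("hubB_out", "firewall1"),
    ("hubA_out", "firewall2"), ("hubB_out", "firewall2"),
    ("firewall1", "hubA_in"), ("firewall1", "hubB_in"),
    ("firewall2", "hubA_in"), ("firewall2", "hubB_in"),
    ("hubA_in", "lan2"), ("hubB_in", "lan2"),
]


def adjacency(edges):
    """Undirected adjacency map built from an edge list."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def connected(edges, failed=(), src="lan1", dst="lan2"):
    """True if src still reaches dst after every node in `failed` is down."""
    failed = set(failed)
    adj = adjacency(edges)
    if src in failed or dst in failed:
        return False
    seen, stack = {src}, [src]
    while stack:
        node = stack.pop()
        if node == dst:
            return True
        for nxt in adj[node]:
            if nxt not in seen and nxt not in failed:
                seen.add(nxt)
                stack.append(nxt)
    return False


def components(edges, endpoints=("lan1", "lan2")):
    """Failable components: every node except the two LANs themselves."""
    return sorted(n for n in adjacency(edges) if n not in endpoints)


def breaking_failures(edges, size):
    """All failure sets of `size` components that cut lan1 off from lan2."""
    return [
        frozenset(combo)
        for combo in combinations(components(edges), size)
        if not connected(edges, combo)
    ]


if __name__ == "__main__":
    for name, topo in (("paired", PAIRED), ("crossbar", CROSSBAR)):
        singles = breaking_failures(topo, 1)
        doubles = breaking_failures(topo, 2)
        total = len(list(combinations(components(topo), 2)))
        print(f"{name}: {len(singles)} single points of failure, "
              f"{len(doubles)} of {total} double failures break the path")
        for combo in doubles:
            print("   ", " + ".join(sorted(combo)))
```

Running it shows neither layout has a single point of failure, but in the paired layout 4 of the 6 possible double failures (including router 1 plus firewall 2, the case Jyri raises) break the path, whereas in the crossbar only 6 of 28 do, and all of those require losing both devices of one role or a router together with the hub its peer depends on. Note the model treats a transceiver or cable fault as a failure of the node it hangs off; a thinnet segment as Adam suggests would be modelled as one more shared node per side.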



