Firewall Wizards mailing list archives

RE: High availability firewalls


From: Stefan Jon Silverman <sjs () sjsinc com>
Date: Wed, 21 Jan 1998 09:55:51 -0500 (EST)

Snip Chain: Jyri Kaljundi (original post); Adam Shostack (1st reply)...

Gary Crumrine <gcrum () us-state gov> wrote:

   As long as you guys are discussing failover----  Have you given thought
   to using more than one provider at the same time?  The networks can and
   do go down once in a while.  Witness a cut main trunk from a week or
   two ago from an unnamed MAJOR provider?  Re-routing only overloaded
   already stressed circuits and the outage snowballed.

In the disaster recovery community the concept above can be summarized as
the implementation of "redundancy" and "diversity" in network connectivity.

Redundancy can be looked at as the provisioning of, at a minimum, 2 copies of
every piece of critical infrastructure. At the least, 2 telco connects, 2
external routers, 2 external hubs, 2 internal routers, 2 internal hubs,
2 firewalls (multi-homed), 2 of each box on the DMZ (also multi-homed),
and if you really want to avoid hardware "single-point-of-failure"
situations, 2 separate DMZ's with their own hubs (I usually dual-home my
DMZ machines and put Quad-cards in my firewalls -- 5 interfaces including
the one on the motherboard -- so that there are 2 routes of access to the Web
boxes, etc.).

If you are protecting "information of great value" that must be accessible
at all times (which I have), the redundancy issues begin to stray into the
area of diversity. Here geographically separate Datacenters, ops centers,
etc. begin to come into play; each with its own redundant configuration
and internal network ability to replicate and synchronize servers.

Then there are the people issues; how many organizations are at least 2 deep
in specific or overlayed critical technical skills -- people get hit by
busses all the time, does the whole infrastructure come to a grinding halt???
How frequently do the 2 in the morning phone calls come and is there a
rotating "on-call" staff to deal with problems so that no one individual
is either a "show-stopper" if unavailable or so tired from multiple nights
of lost sleep that the decision making process is impaired???

As a side note -- real world experience time -- when visiting the North
American DataCenter of a former client who shall remain nameless, they
were crowing to the heavens about the multiple, redundant, and
diversely routed T3's that would guarantee connectivity. "Okay," this humble
consultant mumbled, "show me the wiring..."  Turns out that 6 T3 circuits
to different telco providers all ran through the same manhole and trench
coming out of the building -- anybody in IT ever write a purchase order
for a backhoe before??? It was a first for me.....  BTW: I never did find
out who had the contract to clean-up after a halon discharge at this DC
even though I asked the question on multiple occasions...Bring on the
boys in the bunny suits...

Hope this adds something useful to the on-going discussion...

    Regards,

    b c++'ing u,

    %-) sjs

PS: I am my own employer, therefore: "all opinions are twice spoken for;"
    and they do, in fact, scare the hell out of said employer!!!

-------------------------------------------------------------------------------
Stefan Jon Silverman - President                     SJS Associates, N.A., Inc.
                                                                     Suite 16-A
          Distributed Systems                             410 Central Park West
Architecture, Implementation & Security                New York, New York 10025
                                                            Phone: 212 662 9450
E-mail:    sjs () sjsinc com                                   Fax:   212 662 9461
Text-Page: 9179291668 () mobile att net                        Cell:  917 929 1668
-------------------------------------------------------------------------------
                  Weebles wobble, but they don't fall down!!!
-------------------------------------------------------------------------------
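The redundancy-versus-diversity point above (six circuits, one manhole) can be checked mechanically: model each circuit as the set of physical elements it depends on and look for elements common to every path. The following is an added illustration, not code from the post or the list; the element names and the "second trench" variant are constructed for the example.

```python
from itertools import combinations

# Constructed sample modelled on the "six T3s through one manhole" story:
# each path is the set of physical elements the Web boxes depend on to reach
# the Internet via one circuit. Any element failing removes every path using it.
SAME_MANHOLE = {
    f"t3-{i}": {f"telco-{i}", f"t3-{i}", "manhole-1", "trench-1",
                f"ext-router-{i % 2}", f"firewall-{i % 2}"}
    for i in range(1, 7)
}


def diversify(paths):
    """Return a copy where even-numbered circuits leave through a second trench."""
    out = {}
    for name, elems in paths.items():
        n = int(name.rsplit("-", 1)[1])
        if n % 2 == 0:
            elems = (elems - {"manhole-1", "trench-1"}) | {"manhole-2", "trench-2"}
        out[name] = set(elems)
    return out


def single_points_of_failure(paths):
    """Elements shared by every path: losing any one of them cuts all connectivity."""
    sets = list(paths.values())
    return set.intersection(*sets) if sets else set()


def min_cut(paths, limit=4):
    """Smallest set of simultaneous element failures that severs every path.
    Brute force over element subsets (fine for a rack-sized model); returns
    None if no cut of size <= limit exists."""
    elements = sorted(set.union(*paths.values()))
    for k in range(1, limit + 1):
        for combo in combinations(elements, k):
            failed = set(combo)
            if all(path & failed for path in paths.values()):
                return failed
    return None


if __name__ == "__main__":
    models = (("same manhole", SAME_MANHOLE), ("two trenches", diversify(SAME_MANHOLE)))
    for label, model in models:
        print(f"{label}: SPOF={sorted(single_points_of_failure(model))}, "
              f"min cut={sorted(min_cut(model))}")
```

With all six circuits in one trench the shared-element check reports the manhole and trench as single points of failure; after splitting them across two trenches the SPOF set is empty and at least two simultaneous failures are needed to sever connectivity.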
