Firewall Wizards mailing list archives
RE: High availability firewalls
From: Stefan Jon Silverman <sjs () sjsinc com>
Date: Wed, 21 Jan 1998 09:55:51 -0500 (EST)
Snip Chain: Jyri Kaljundi (original post); Adam Shostack (1st reply)...

Gary Crumrine <gcrum () us-state gov> wrote:
As long as you guys are discussing failover---- Have you given thought to using more than one provider at the same time? The networks can and do go down once in a while. Witness a cut main trunk from a week or two ago from an unnamed MAJOR provider? Re-routing only overloaded already stressed circuits and the outage snowballed.
In the disaster recovery community the concept above can be summarized as the implementation of "redundancy" and "diversity" in network connectivity.

Redundancy can be looked at as the provisioning of at a minimum 2 copies of every piece of critical infrastructure. At the least, 2 telco connects, 2 external routers, 2 external hubs, 2 internal routers, 2 internal hubs, 2 firewalls (multi-homed), 2 of each box on the DMZ (also multi-homed), and if you really want to avoid hardware "single-point-of-failure" situations, 2 separate DMZ's with their own hubs (I usually dual-home my DMZ machines and put Quad-cards in my firewalls -- 5 interfaces including the one on the motherboard -- so that there is 2 route access to the Web boxes, etc.).

If you are protecting "information of great value" that must be accessible at all times (which I have), the redundancy issues begin to stray into the area of diversity. Here geographically separate Datacenters, ops centers, etc. begin to come into play; each with its own redundant configuration and internal network ability to replicate and synchronize servers.

Then there are the people issues; how many organizations are at least 2 deep in specific or overlaid critical technical skills -- people get hit by busses all the time, does the whole infrastructure come to a grinding halt??? How frequently do the 2 in the morning phone calls come and is there a rotating "on-call" staff to deal with problems so that no one individual is either a "show-stopper" if unavailable or so tired from multiple nights of lost sleep that the decision making process is impaired???

As a side note -- real world experience time -- when visiting the North American DataCenter of a former client who shall remain nameless, they were crowing to the heavens about the multiple, redundant, and diversely routed T3's that would guarantee connectivity. "Okay," this humble consultant mumbled, "show me the wiring..."

Turns out that 6 T3 circuits to different telco providers all ran through the same manhole and trench coming out of the building -- anybody in IT ever write a purchase order for a backhoe before??? It was a first for me.....

BTW: I never did find out who had the contract to clean-up after a halon discharge at this DC even though I asked the question on multiple occasions...Bring on the boys in the bunny suits...

Hope this adds something useful to the on-going discussion...

Regards,
b c++'ing u, %-)
sjs

PS: I am my own employer, therefore: "all opinions are twice spoken for;" and they do, in fact, scare the hell out of said employer!!!

-------------------------------------------------------------------------------
Stefan Jon Silverman - President
SJS Associates, N.A., Inc.                 Suite 16-A
Distributed Systems                        410 Central Park West
Architecture, Implementation & Security    New York, New York 10025
Phone: 212 662 9450                        E-mail: sjs () sjsinc com
Fax: 212 662 9461                          Text-Page: 9179291668 () mobile att net
Cell: 917 929 1668
-------------------------------------------------------------------------------
Weebles wobble, but they don't fall down!!!
-------------------------------------------------------------------------------