Firewall Wizards mailing list archives

Re: Hardware vs. Software firewall reliability

From: Chenggong Charles Fan <fan () rainfinity com>
Date: Fri, 17 Sep 1999 20:57:21 -0700

For FW-1, before version 4.1, the VPN encryption is not being shared by
its State Sync Mechanism, so existing VPN sessions will be broken when
a fail-over occurs.  With 4.1, key is being synced, and fail-over will
be transparent.  We have tested Rainwall v1.3 with FW-1 v4.1, and VPN
fail-over works.  Both of them will be available in a couple of weeks.

Charles


Bill Stout wrote:


I suspect the answers are vendor-specific here.

So why would a VPN not fail over?  Current sessions should break, but should
be no more interruption than temporary packet loss on the Internet.

Rather than start a new VPN on failover, why not have two VPNs predefined
and ready to accept connections once the IP address is failed over?

Bill Stout

 -----Original Message-----
From:   Ryan Russell [mailto:Ryan.Russell () sybase com]
Sent:   Saturday, September 11, 1999 3:07 PM
To:     Aaron D. Turner
Cc:     Joe Ippolito; Franck Veysset; firewall-wizards () nfr net
Subject:        RE: Hardware vs. Software firewall reliability

I thought the problem with H/A and VPN is only one of the firewalls
can have the VPN "certificate".  When the primary fails and the
secondary takes over the remote site aborts the VPN because the
secondary has the wrong cert.  The fix is to manually update the
certificates (or perhaps via a script).

Beacuse, by default, FW-1 allows any established connection through,
the state table of the secondary shouldn't become an issue.  If FW-1
didn't allow that, all established connections would drop when the
secondary took over.


... And "established " only applies to TCP, and the VPN doesn't
run over TCP.  It runs over IP in IP.  The problem is that FW-1's
state sharing code always seems to lag behind the new features,
so you get things like the VPN state not being shared even though it's
been around for awhile.

                         Ryan

My Recipe - 20% Indonesian, 40% Dutch, 30% French, 10% Other.  American born
and damn proud of it.

Indonesia - Replaced Dutch rule with a brutal Dictatorship in the name of
'Freedom'.  I pray justice for their acts in East Timor will be just as
brutal on them, and as surgical as possible.

Current thread:

RE: Hardware vs. Software firewall reliability, (continued)
- - - RE: Hardware vs. Software firewall reliability Lart (Sep 11)
- Re: Hardware vs. Software firewall reliability Vin McLellan (Sep 09)
- RE: Hardware vs. Software firewall reliability Bill Stout (Sep 09)
- RE: Hardware vs. Software firewall reliability Ryan Russell (Sep 12)
  - Tripwire like perl program Siglite (Sep 14)
- RE: Hardware vs. Software firewall reliability dwelch (Sep 14)
  - RE: Hardware vs. Software firewall reliability Joe Ippolito (Sep 14)
- RE: Hardware vs. Software firewall reliability Bill Stout (Sep 14)
  - RE: Hardware vs. Software firewall reliability Tina Bird (Sep 18)
  - RE: Hardware vs. Software firewall reliability Joe Ippolito (Sep 18)
  - Re: Hardware vs. Software firewall reliability Chenggong Charles Fan (Sep 18)
- RE: Hardware vs. Software firewall reliability dwelch (Sep 18)
- RE: Hardware vs. Software firewall reliability Garrahan, Kelvin (Sep 18)