Firewall Wizards mailing list archives
Re: RE: firewalls & multi-homing
From: Ryan Russell <ryan () securityfocus com>
Date: Wed, 5 Sep 2001 18:04:48 -0600 (MDT)
On Tue, 4 Sep 2001, Irwin Lazar wrote:

> Got a question on multihoming and the use of stateful firewalls: Suppose customer "X" has two internet gateways, one in NY and one in LA. Traffic goes out the NY gateway, but for some reason, asymmetrical routing sends the return traffic to LA.

Yes, you're screwed. This is a big problem for VPNs that don't NAT on the way in, for example.

> Assuming the customer is using stateful firewalls, will the return traffic in LA be blocked?

Depends on how loose the state mechanism is. It should block it most of the time.

> Is there any mechanism for the LA & NY firewalls to exchange stateful information?

Any of the protocols that are designed for load-balancing firewalls solve this problem... but every one I've seen will not perform adequately across anything but a high-speed LAN.

Ryan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
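The situation discussed in this message, as a toy model added here for illustration (it is not part of the original post and not any product's state engine). The `Segment` and `Firewall` classes, the addresses, and the definition of "loose" as "pass any inbound segment with the ACK bit set" are assumptions made for the example; the shared set stands in for a state-exchange protocol between the two sites.

```python
# Added illustration: a toy model, not any real firewall's state engine.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN", "ACK"})

@dataclass
class Firewall:
    name: str
    loose: bool = False                      # assumption: loose = trust the ACK bit
    state: set = field(default_factory=set)  # flows seen leaving through this box

    def outbound(self, seg):
        """Inside -> Internet: allowed, and the flow is recorded."""
        self.state.add((seg.src, seg.sport, seg.dst, seg.dport))
        return True

    def inbound(self, seg):
        """Internet -> inside: allowed only as a reply to a recorded flow."""
        if (seg.dst, seg.dport, seg.src, seg.sport) in self.state:
            return True
        return self.loose and "ACK" in seg.flags

def handshake_reply_passes(egress, ingress):
    """The SYN leaves through `egress`; the SYN-ACK returns through `ingress`."""
    syn = Segment("10.0.0.5", 40000, "203.0.113.10", 443, frozenset({"SYN"}))
    syn_ack = Segment("203.0.113.10", 443, "10.0.0.5", 40000,
                      frozenset({"SYN", "ACK"}))
    egress.outbound(syn)
    return ingress.inbound(syn_ack)

def scenarios():
    ny = Firewall("NY")
    shared = set()  # one table visible to both sites (constructed stand-in)
    stray = Segment("198.51.100.7", 1234, "10.0.0.5", 22, frozenset({"ACK"}))
    return {
        "symmetric": handshake_reply_passes(ny, ny),
        "asymmetric, strict": handshake_reply_passes(Firewall("NY"), Firewall("LA")),
        "asymmetric, loose": handshake_reply_passes(
            Firewall("NY"), Firewall("LA", loose=True)),
        "asymmetric, shared state": handshake_reply_passes(
            Firewall("NY", state=shared), Firewall("LA", state=shared)),
        "stray ACK at loose LA": Firewall("LA", loose=True).inbound(stray),
    }

if __name__ == "__main__":
    for case, passed in scenarios().items():
        print(f"{case:26} -> {'pass' if passed else 'drop'}")
```

The last case shows what the looseness costs: the same rule that lets the asymmetric reply through also passes an ACK that belongs to no connection either firewall has seen.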