Re: RE: firewalls & multi-homing

[Carson Gaspar <carson () taltos org>]

--On Tuesday, September 04, 2001 5:51 AM -0600 Irwin Lazar <ILazar () tbg com> 
wrote:

> Suppose customer "X" has two internet gateways, one in NY and one in LA.
> Traffic goes out the NY gateway, but for some reason, asymmetrical routing
> sends the return traffic to LA.  Assuming the customer is using stateful
> firewalls, will the return traffic in LA be blocked?  Is there any
> mechanism for the LA & NY firewalls to exchange stateful information?

You can do it, but it is non-trivial with today's products. Basically, you 
take an active-active capable state-sharing firewall, and VLAN it such that 
different boxes are in different locations, all sharing at least the state 
network, and probably the inside/outside/dmz/whatever nets as well. You 
have to make sure the bandwidth and latency of the WAN is sufficient.

NOTE: I've never actually _done_ this, but it should work. Of course, 
finding an active-active capable state-sharing firewall is another 
challenge. I think that one or two of the Firewall-1 HA providers supports 
this. I don't know of anyone else who does.

--
Carson Gaspar - carson () taltos org
Queen trapped in a butch body
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards