Firewall Wizards mailing list archives

High availability firewalls


From: Jyri Kaljundi <jk () stallion ee>
Date: Mon, 19 Jan 1998 15:31:06 +0200 (EET)


Does anyone have any suggestions on how to build high availability
networks which have a firewall as one of their parts? Where I am having
problems is we want to have one place where we have 2 Cisco routers used
for their HA and 2 FireWall-1 boxes used for firewall HA. It would be
easiest to do it like this:

LAN 1 ------ router 1 ----- Ethernet HUB ----- firewall 1 ------ LAN 2
        |       |       |                  |       |         |
        ---- router 2 ---                  --- firewall 2 ----

Routers could have a dedicated Ethernet between them (talking HSRP for
example) and firewalls could do the same (using Stonebeat HA software for
FireWall-1). 

But what I do not like is the 1 HUB between them. You might say HUBs are
pretty stable devices, but in this environment it probably would break
anyway (if you leave one weak link in the system, it does break).

So this seems more reliable:

LAN 1 ------ router 1 -------- firewall 1 ------ LAN 2
        |       |                  |         |
        ---- router 2 -------- firewall 2 ----

But is it better than the 1st diagram? When router 1 and firewall 2 go
down, the system will not work anymore, although in diagram 1 it would
still work. 

The question is, how to actually technically do it? On the firewall side,
when firewall 1 goes down, the HA software assigns the IP address and
MAC address of firewall 1 to firewall 2. Now how shall I let the routers
know that 1 must go down and 2 must go up? What should be used, OSPF, RIP,
and how?

Jyri Kaljundi
jk () stallion ee
AS Stallion Ltd
http://www.stallion.ee/
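
Added example, not part of the original post: a small failure-mode comparison of the two diagrams above, listing the minimal sets of failed devices that cut LAN 1 off from LAN 2. It assumes the dedicated router-to-router and firewall-to-firewall links carry only HSRP/heartbeat traffic and never transit traffic; the device names and function names are made up for the illustration.

```python
from itertools import combinations

# Forwarding links only. Assumption: the dedicated router-router and
# firewall-firewall heartbeat links do not carry transit traffic.
DIAGRAM_1 = {
    ("LAN1", "router1"), ("LAN1", "router2"),
    ("router1", "hub"), ("router2", "hub"),
    ("hub", "firewall1"), ("hub", "firewall2"),
    ("firewall1", "LAN2"), ("firewall2", "LAN2"),
}
DIAGRAM_2 = {
    ("LAN1", "router1"), ("LAN1", "router2"),
    ("router1", "firewall1"), ("router2", "firewall2"),
    ("firewall1", "LAN2"), ("firewall2", "LAN2"),
}

def reachable(links, failed, src="LAN1", dst="LAN2"):
    """True if dst can be reached from src while the devices in `failed` are down."""
    adj = {}
    for a, b in links:
        if a not in failed and b not in failed:
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    seen, stack = {src}, [src]
    while stack:
        node = stack.pop()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return False

def fatal_failures(links, max_failures=2):
    """Minimal sets of up to max_failures devices whose loss isolates LAN1 from LAN2."""
    devs = sorted({n for link in links for n in link} - {"LAN1", "LAN2"})
    fatal = []
    for k in range(1, max_failures + 1):
        for combo in combinations(devs, k):
            if any(set(f) <= set(combo) for f in fatal):
                continue  # a smaller fatal set already covers this combination
            if not reachable(links, set(combo)):
                fatal.append(combo)
    return fatal

if __name__ == "__main__":
    for name, links in (("diagram 1", DIAGRAM_1), ("diagram 2", DIAGRAM_2)):
        print(name, fatal_failures(links))
```

Diagram 1 has one single-device outage (the hub); diagram 2 has none, but adds the two "crossed" double failures (router 1 with firewall 2, router 2 with firewall 1) that diagram 1 survives.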



