Re: High availability firewalls

["Peter J. Cherny" <peterc () luddite com au>]

At 10:00 20/01/98 -0500, Adam Shostack wrote:
> You forgot the crossover links.  Each firewall machine has 2 network
> interfaces per side (inside, outside, dmzside(?).)  One interface on a
> side plugs into either hub, thus we get a crossbar architecture.
>
> It might also be worth looking at using a non star implementation,
> such as thinnet, to remove the hubs from the picture.  Always struck
> me as a simpler solution, but couldn't sell my customers at the time
> on it.  You do have the possibility of a transciever failure, but
> since those tend to be line powered, there is a lower chance of
> failure.

Apropos hubs/transceivers, it's been my practice to use UTP cross-over cables
and multiple Quad Ethernet cards in the various SUNs that I use as
routers/firewalls.

The per port cost of the cards is relatively low and is zero-sum since you
don't
have to buy any hubs. (You can have a total of 13 ports in a SS1/2/5 etc.).

The extra reliability gained by eliminating hubs is a major plus, and
easily allows
various meshes to increase resilience.

pjc