RE: Hardware vs. Software firewall reliability

["Aaron D. Turner" <aturner () vicinity com>]

I thought the problem with H/A and VPN is only one of the firewalls
can have the VPN "certificate".  When the primary fails and the
secondary takes over the remote site aborts the VPN because the
secondary has the wrong cert.  The fix is to manually update the
certificates (or perhaps via a script).

Beacuse, by default, FW-1 allows any established connection through,
the state table of the secondary shouldn't become an issue.  If FW-1
didn't allow that, all established connections would drop when the
secondary took over.

At least this is how it works with FW-1 4.0/SP2 on Solaris with
Veritas First Watch.

-- 
Aaron Turner, CNE   aturner () vicinity com  650.237.0300 x252
Network/Security Engineer                 Vicinity Corp.        
Cell: 408-314-9874  Pager: 650-317-1821   http://www.vicinity.com

On Fri, 10 Sep 1999, Joe Ippolito wrote:

> If you are interested in failover or High-Availability (HA) check out
> www.rainfinity.com, www.stonebeat.com, or Nokia's FW1 boxes.  The problem is
> maintaining a VPN since they do not share the state table in the current
> version of FW1.
>
> -----Original Message-----
> From: owner-firewall-wizards () lists nfr net
> [mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Franck Veysset
> Sent: Wednesday, September 08, 1999 2:16 AM
> To: Bill Stout; 'firewall-wizards () nfr net'
> Subject: Re: Hardware vs. Software firewall reliability
>
>
> It depends what you mean by "Hardware Firewall"...
>
> Even products like Cisco Pix or "Lucent Managed Firewall"
> wich are supposed to be hardware, works on an Intel Pentium
> processor... So it is more or less a dedicated PC, wich
> runs a specific OS made for security and firewalling.
> (without the need of hard drive)
>
> Perhaps we can classified firewalls into 2 different categories
> those wich run on a normal OS (Solaris, NT...) and those running
> on a dedicated OS (like Inferno for LMF).
> When they use a specific OS, written specifically for a FW, they
> usually don't need hard drive, but they are mostly running on Intel
> or similar processors.
>
> About failover cable, they become less usefull : there are no moving
> pieces inside the fw, so the MTBF is much better.
> I know that it is possible to use a failover cable between 2 cisco Pix:
> when the first pix die, the second pix start working. I think there
> are similar failover systems for other "hardware" firewall.
>
> hope this help
>
> -Franck
>
> Bill Stout wrote:
> > I notice that more firewalls are of the hardware type.  It seems that over
> > time the hardware firewalls have become more robust, and with the minimal
> > configuration involved, lack of mechanical devices (disks) and underlying
> OS
> > to fiddle with, seem to have higher MTBF ratings than software firewalls.
> > Seems that many on the list have predicted the rise of the hardware
> firewall
> > and 'death' of the software firewall.
> >
> > What is the current feel of hardware vs. software firewalls?
> >
> > My specific interest is in protecting Internet service bureaus, with a
> > limited set of published applications.  Therefore outbound proxies are not
> > as critical.
> >
> > BTW - Are there failover hardware firewalls available?
> >
> > Bill Stout
> >
> > Unresolved industry-wide date bugs:
> > -- Incompatible Julian date formats and translation logic remain in 'Y2K
> > ready' systems (enter 1/1/29 and 1/1/30 in Excel) MS=YYDDD, JDE=CYYDDD,
> > Oracle=YYYYDDD, etc
> > -- Think of the impact of dynamically changing OS date (Don't do this on a
> > server).  Open DOS window in 'Windows', type 'date /t', double-click clock
> > on taskbar, browse date (don't apply), type 'date /t' in DOS window,
> cancel
> > 'date/time properties' to restore.
>
> --
>
>     _/_/_/_/
>    _/_/_/_/   CNET -- France Telecom
>   _/_/_/_/
>
>  Franck Veysset, Internet/Intranet Security
>  E-Mail : franck.veysset () francetelecom fr
>  Phone +33 (0)1 45 29 55 08 , Fax  +33 (0)1 45 29 65 19