RE: Firewall Load balancing solution

[Diaz Perez · Juan Carlos <JuanCarlos.Diaz () atosodsorigin com>]

The NOKIA+CHECKPOINT solution is a good choice, and if you want load
balancing at a high level you can complement it with BIG-IP load balancing,
from F5 Networks, inside the NOKIA appliances. I would advise you to check
out their webs for more information:

www.f5.com 
www.nokia.com

Another quite interesting technology is from Stonesoft Corporation, a Finish
company that has developed an integrated high availability FW & VPN solution
called Stonegate.

www.stonesoft.com

HTH

JUAN CARLOS DÍAZ PÉREZ


> -----Mensaje original-----
> De:   Jim MacLeod [SMTP:jmacleod () hotpop com]
> Enviado el:   martes 1 de octubre de 2002 18:20
> Para: Dean_Weber
> CC:   firewall-wizards () honor icsalabs com
> Asunto:       Re: [fw-wiz] Firewall Load balancing solution
>
> It's actually possible to do rudimentary load balancing with VRRP by using
>
> two different VRIDs with two different forwarding addresses, with each 
> firewall being a backup for the other.  This requires something else 
> splitting the traffic between the firewalls.  The inexpensive method is to
>
> set different default gateways on the internal systems.  The good way is
> to 
> sandwich the firewalls between load balancers on the outside and the 
> inside.  With additional boxes you may as well not use VRRP.
>
> Nokia has recently released a version of their OS which includes 
> proprietary load-balancing they acquired from Network Alchemy, but I have 
> yet to hear of anyone using it.
>
> IMHO load balancing could be done with an OSPF equal-cost multi-path, but 
> by that point of complexity it makes more sense just to shove some foundry
>
> serverirons on each end.  The serverirons will nicely track state inbound 
> and outbound in an active/active configuration.  It is necessary for your 
> load balancer to track individual sessions because a decent firewall
> tracks 
> the session state, so splitting a single TCP session between two firewalls
>
> will cause problems.  The foundry serverirons make sure that the same 
> firewall is used bidirectionally for each session, but that sessions are 
> distributed between the firewalls.
>
> I've also had some success with RadWare in the past, but if you're using 
> Cisco right now I'd strongly recommend Foundry, as their command line is 
> very similar.
>
> Regards,
>
> -Jim MacLeod
>
> At 05:43 AM 10/1/2002, you wrote:
> > Hi Rogan,
> >
> > The Nokia/Checkpoint VRRP solution works very well, provided you remember
> to
> > keep active routing protocols away from the physical interfaces. IMNSHO,
> it
> > is one of the better hardware fault tolerant solutions, and is actually a
> > real fail-over (state maintained) as opposed to several of the other
> vendors
> > who claim fail-over, but in reality are fall-over (state shared but not
> > maintained) where state must be re-established in the event of a failure
> > (and which can cause all kinds of loading issues for SSL/VPN
> connections).
> > Of course, this is an active/passive configuration.. I am not aware of
> > anyone offering a VRRP FW hardware solution in true load balancing
> > (active/active). Usually, when I have needed a load balancer, I do it
> > external to the FW (i.e. F5, Foundry, Legato etc.) at the appropriate
> > point(s), thereby allowing the FW to do what it does best, be a FW. This
> > also assumes only 2 FW's, there are also some excellent 3 or more, load
> > balanced solutions on the market, but none are running VRRP that I know
> > of.... most use some form of proprietary code.
> >
> > Just my 2 cents, of course.. and YMMV.
> >
> > Dean
> >
> > ----- Original Message -----
> > From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
> > To: <firewall-wizards () nfr net>
> > Sent: Monday, September 30, 2002 8:31 AM
> > Subject: RE: [fw-wiz] Firewall Load balancing solution
> >
> >
> > > Typically you can only load balance between two firewalls of the same
> > type,
> > > if you want to be able to failover between them in a transparent
> fashion.
> > > This is because the two firewalls need to share state information as
> to
> > what
> > > connections are being permitted through, and firewalls of different
> > > manufacture require different state information.
> > >
> > > If you don't care if a user's session gets dropped, and they have to
> > restart
> > > it, you should be able to mix your technologies. I wouldn't advise it
> > > though, bacause it can be complicated to debug problems, especially
> those
> > > caused by rule base mismatches. More so when you don't know WHICH
> rulebase
> > > is causing the problem. Firewalls (from the same vendor) that are
> > configured
> > > in a hot standby or load balancing configuration typically both get
> the
> > same
> > > copy of the rulebase, and so synchronisation problems are not an
> issue.
> > > However, if you are thinking of deploying a multi-tiered, multi-vendor
> > > firewall solution (two Pix in front, two CheckPoint behind) this
> should be
> > > achievable. Some would even say advisable, due to reduction in Single
> > Point
> > > of Failure.
> > >
> > > I am quite interested to know if anyone has experience with firewalls
> > using
> > > VRRP to provide load balancing, and what the advantages and
> disadvantages
> > > are.
> > >
> > > Rogan
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Phu Quy [mailto:npquy () vnn vn]
> > > > Sent: 30 September 2002 01:11
> > > > To: firewall-wizards () nfr net
> > > > Subject: [fw-wiz] Firewall Load balancing solution
> > > >
> > > >
> > > >
> > > > Dear all,
> > > >
> > > > I would like to deploy a firewall load balacing solution for
> > > > our network, Now we have 2 Cisco PIX firewall and we will
> > > > have 2 checkpoint servers in next some months, I don't know
> > > > which solution is good for us. I have to choose between Cisco
> > > > solution and other.
> > > >  - With Cisco solution, we need buy a Content switching
> > > > module for our catalyst 6509 , but I don't know can It use
> > > > for checkpoint firewall and Cisco Pix firewall load balancing
> > > > ( mix together )
> > > >
> > > > - With other solution, We intend to buy 2 ServerIron400  from
> > > > Foundry Network for content switching components, But I don't
> > > > know can I use many verdor of firewall in this structure also
> > > >
> > > > Pls give me your advise
> > > >
> > > > Thanks so much
> > > > Regards,
> > > > Quy Nguyen
> > > >
> > > > _______________________________________________
> > > > firewall-wizards mailing list
> > > > firewall-wizards () honor icsalabs com
> > > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> > > _______________________________________________
> > > firewall-wizards mailing list
> > > firewall-wizards () honor icsalabs com
> > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () honor icsalabs com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards