Firewall Wizards mailing list archives
Re: Info Request: Looking for alternatives in HA/Load balancing firewalls that are also scalable and modular. . .
From: Jan Tietze <jan.tietze () netheads de>
Date: Tue, 11 Apr 2006 21:58:13 +0200
David Lang wrote:
I was actually thinking more about reliability (because even though poor active-active clustering capabilities are common, this doesn't mean that active-active clusters per se don't work well; it might just mean that people buy poor implementations) than performance (because it is possible to scale almost linearly in my experience) when I made that comment; however in my experience it is valid for performance as well.
On Sat, 8 Apr 2006, Jan Tietze wrote:
On Fri, 7 Apr 2006 16:06:42 -0400, "Paul Melson" <pmelson () gmail com> wrote:
Sounds like a big firewall. I'm curious, though, as to why load-balancing is a requirement. My experience has been that an appropriately-sized single firewall as part of a fail-over pair is more reliable and performs better than a comparable load-balanced firewall.
I'd say that's really implementation specific. I can see why this would be the case, but that really depends on the actual solution.
unless you have a separate device doing the load balancing you end up with the situation where the traffic arrives at firewall A that firewall B has the state info for (since there isn't any firewall I am aware of that will let you sync full state info in real time for any traffic loads high enough to actually need load balancing). When this situation takes place firewall A now needs to notice that the traffic should be on firewall B and forward the traffic to that box.
Or you can have the traffic flushed to all nodes of the cluster simultaneously by the switches in front of it; think multicast. The firewalls could distribute new connections to nodes based on a hash function over some part of the IP headers, thus eliminating the need for immediate state table change sync, then replicate slowly, like every 50 ms, usually over a dedicated heartbeat channel, the updates to their state tables and redistribution of processing load. This is one mode of operating the product I mentioned.
since a single firewall can saturate a gig ethernet line nowadays (even "slow" application proxy firewalls can do this easily per vendor specs, which indicates that they probably are close enough to doing so in real life that this is an issue), if you really need load balancing where do you get the bandwidth to do this?
Using this approach you don't need to redistribute traffic; you just have another node process the traffic, but it continues to arrive at all nodes.
David Lang
The only other firewall vendor I can think of that does (or at least claims to do) load-balancing is Symantec Enterprise Firewall. However, you may also want to look at third-party load-balancing solutions like Radware FireProof or Foundry ServerIron.
StoneSoft StoneGate has really neat clustering with dynamic re-distribution of load etc. They also used to deliver load balancing solutions for Checkpoint for a long time.
--
Jan
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
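The hash-based distribution described in the message above, as an added example that is not part of the original post and not any vendor's code: every node sees every packet, hashes the flow to a bucket, and only the bucket's owner processes it. The bucket count, the SHA-256 hash, the 5-tuple key and the node names are assumptions chosen for illustration.

```python
import hashlib
import ipaddress

BUCKETS = 256  # assumed size of the bucket table every node holds


def flow_bucket(src_ip, src_port, dst_ip, dst_port, proto):
    """Map a packet to a bucket; both directions of a flow give the same bucket."""
    a = (int(ipaddress.ip_address(src_ip)), src_port)
    b = (int(ipaddress.ip_address(dst_ip)), dst_port)
    lo, hi = sorted((a, b))  # order the endpoints so the key ignores direction
    key = f"{proto}|{lo[0]}|{lo[1]}|{hi[0]}|{hi[1]}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % BUCKETS


def initial_table(nodes):
    """Spread the buckets round-robin over the cluster nodes."""
    return [nodes[i % len(nodes)] for i in range(BUCKETS)]


def fail_node(table, dead, alive):
    """Reassign only the dead node's buckets; flows on healthy nodes stay put."""
    out, k = [], 0
    for owner in table:
        if owner == dead:
            owner = alive[k % len(alive)]
            k += 1
        out.append(owner)
    return out


def should_process(node, table, pkt):
    """Every node receives the packet; exactly one owner keeps it, the rest drop it."""
    return table[flow_bucket(*pkt)] == node


if __name__ == "__main__":
    nodes = ["fw-a", "fw-b", "fw-c"]          # constructed node names
    table = initial_table(nodes)
    pkt = ("192.0.2.10", 40000, "198.51.100.5", 443, 6)    # constructed TCP flow
    reply = ("198.51.100.5", 443, "192.0.2.10", 40000, 6)  # its return direction
    for n in nodes:
        print(n, should_process(n, table, pkt), should_process(n, table, reply))
```

Because the owner is a pure function of the packet headers and the shared table, a new connection needs no immediate state sync; the periodic replication only has to have caught up by the time a bucket changes owner.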