Re: Info Request: Looking for alternatives in HA/Load balancingfirewalls that are also scalable and modular. . .

[Jan Tietze <jan.tietze () netheads de>]

David Lang schrieb:

> On Sat, 8 Apr 2006, Jan Tietze wrote:
>
> > On Fri, 7 Apr 2006 16:06:42 -0400, "Paul Melson" <pmelson () gmail com> 
> > wrote:
> >
> > > Sounds like a big firewall.  I'm curious, though, as to why 
> > > load-balancing
> > > is a requirement.  My experience has been that an appropriately-sized
> > > single
> > > firewall as part of a fail-over pair is more reliable and performs 
> > > better
> > > than a comparable load-balanced firewall.
> >
> > I'd say that's really implementation specific. I can see why this 
> > would be the case, but that really depends on the actual solution.
I was actually thinking more about reliability (because even though poor 
active-active clustering capabilities are common, this doesn't mean that 
active-active clusters per se don't work well; it might just mean that 
people buy poor implementations) than performance (because it is 
possible to scale almost linearly in my experience) when I made that 
comment; however in my experience it is valid for performance as well.

> unless you have a seperate device doing the load balancing you end up 
> with the situation where the traffic arrives at firewall A that 
> firewall B has the state info for (since there isn't any firewall I am 
> aware of that will let you sync full state info in real time for any 
> traffic loads high enough to actually need load balancing). When this 
> situation takes place firewall A now needs to notice that the traffic 
> should be on firewall B and forward the traffic to that box.

Or you can have the traffic flushed to all nodes of the cluster 
simultaneously by the switches in front of it; think multicast. The 
firewalls could distribute new connections to nodes based on a hash 
function over some part of the IP headers, thus eliminating the need for 
immediate state table change sync, then replicate slowly, like every 50 
ms, usually over a dedicated heartbeat channel, the updates to their 
state tables and redistribution of processing load. This is one mode of 
operating the product I mentioned.

> since a single firewall can saturate a gig ethernet line nowdays (even 
> "slow" application proxy firewalls can do this easily per vendor 
> specs, which indicates that they probably are close enough to doing so 
> in real life that this is an issue), if you really need load balancing 
> where do you get the bandwidth to do this?

Using this approach you don't need to redistribute traffic; you just 
have another node process the traffic, but it continues to arrive at all 
nodes.

> David Lang
>
> > > The only other firewall vendor I can think of that does (or at least
> > > claims
> > > to do) load-balancing is Symantec Enterprise Firewall.  However, you 
> > > may
> > > also want to look at third-party load-balancing solutions like Radware
> > > FireProof or Foundry ServerIron.
> >
> > StoneSoft StoneGate has really neat clustering with dynamic 
> > re-distribution of load etc. They also used to do deliver load 
> > balancing solutions for Checkpoint for a long time.
-- Jan
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards