Firewalls: Redundant FW-1s in Parallel!?

Firewalls
(November 1996)

Indexed By Thread: [Previous] [Next]

Subject:	Redundant FW-1s in Parallel!?
From:	"Jeff C. Flynn" <us028272 @ mindspring . com>
Date:	Sun, 24 Nov 1996 20:39:19 -0800
To:	Firewalls @ GreatCircle . COM

Suppose someone wants a FW-1, but he also has a requirement for "no single
points of failure."  Suppose he thought he could address this by putting two
FW-1s in parallel as follows...

             |----- Primary FW-1 -----|
             |                        |
Dept #1 -----|                        |-----Dept #2
             |                        |
             |----- Secondary FW-1 ---|

It seems to me that there could be problems with this topology (with both
FWs powered and connected).  Since a packet could take either FW route to
get to (for example) Dept #2 from Dept #1, context could be lost and packets
could be lost.  I know all this is pretty general, and what happens depends
on the protocols and rules.  Still, I'm just looking for a general answer.
Any suggestions on how to best satisfy this type of requirement?

Tia,
Jeff

Follow-Ups:

Re: Redundant FW-1s in Parallel!?
From: shiggins @ naccess . com (Sean higgins)
Re: Redundant FW-1s in Parallel!?
From: David Helms <david . helms @ checkpoint . com>

Indexed By Date	Previous:	Re: guantlet firewall config help require From: jeromie @ garrison . com (Jeromie Jackson)
Indexed By Date	Next:	Re: Redundant FW-1s in Parallel!? From: pat @ tandem . com
Indexed By Thread	Previous:	Download FREE NT FireWall/Plus From: russo @ network-1 . com (Bob Russo)
Indexed By Thread	Next:	Re: Redundant FW-1s in Parallel!? From: David Helms <david . helms @ checkpoint . com>