Jeff,
You are exactly right. There is a problem in this configuration. It is what we call asymmetrical routing. If a session that is initiated from D1 to D2 routes the outgoing packets through PrFW-1, then PrFW-1 will start tracking state on that session. If the return packet comes through SeFW-1, there will be no existing state info on SeFW-1 to relate those packets to, and SeFW-1 will drop the packets.

The solution to this problem is to make both PrFW-1 and SeFW-1 simultaneously aware of the current state of all open sessions on either firewall. In order to do this there needs to be communication between the firewalls that provides a sharing of this state information. That "State-Sharing" protocol was announced as a feature of the V3.0 release of FireWall-1.

Version 3.0 is in Beta today and should be released early in '97.
David Helms
Jeff C. Flynn wrote:
>
> Suppose someone wants a FW-1, but he also has a requirement for "no single
> points of failure." Suppose he thought he could address this by putting two
> FW-1s in parallel as follows...
>
>              |----- Primary FW-1 -----|
>              |                        |
> Dept #1 -----|                        |----- Dept #2
>              |                        |
>              |----- Secondary FW-1 ---|
>
> It seems to me that there could be problems with this topology (with both
> FWs powered and connected). Since a packet could take either FW route to
> get to (for example) Dept #2 from Dept #1, context could be lost and packets
> could be lost. I know all this is pretty general, and what happens depends
> on the protocols and rules. Still, I'm just looking for a general answer.
> Any suggestions on how to best satisfy this type of requirement?
>
> Tia,
> Jeff
--
__________________________________
David Helms
Senior Technical Consultant
CheckPoint Software Technologies
ph 703.684.4824
fx 703.684.4847
davidh@checkpoint.com
__________________________________
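The failure David describes, and the fix he points to, can be made concrete with a small simulation of two stateful inspectors. This is an added example written for this archive page, not code from the thread or from Check Point; the class names, the 10.1.0.0/16 and 10.2.0.0/16 department networks, the port 80 rule and the two packets are all constructed for illustration. It models a session opened from Dept #1 through PrFW-1 whose reply arrives at SeFW-1: without state sharing the reply is out-of-state and is dropped, with state sharing the peer already holds the session entry and accepts it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet model: only the fields a stateful filter keys on."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new session

    def flow_key(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        # Key under which the session this packet replies to was recorded.
        return (self.dst, self.dport, self.src, self.sport)


class StatefulFirewall:
    """Toy stateful inspector: a rulebase for new sessions plus a state table."""

    def __init__(self, name, rules):
        self.name = name
        self.rules = rules      # list of (src_network, dst_network, dport)
        self.state = set()      # forward 4-tuples of accepted sessions
        self.peers = []         # firewalls that receive our state when sharing is on

    def rule_permits(self, pkt):
        return any(
            ip_address(pkt.src) in src_net
            and ip_address(pkt.dst) in dst_net
            and pkt.dport == dport
            for src_net, dst_net, dport in self.rules
        )

    def handle(self, pkt, share_state=False):
        """Return 'accept' or 'drop' for one packet."""
        if pkt.flow_key() in self.state or pkt.reverse_key() in self.state:
            return "accept"                      # belongs to a tracked session
        if pkt.syn and self.rule_permits(pkt):
            self.state.add(pkt.flow_key())       # new session permitted by the rulebase
            if share_state:
                for peer in self.peers:          # the "state-sharing" the reply describes
                    peer.state.add(pkt.flow_key())
            return "accept"
        return "drop"                            # out-of-state, or not permitted


def simulate(share_state):
    """Session from Dept #1 leaves via PrFW-1; the reply comes back via SeFW-1."""
    # Constructed rule: Dept #1 may open HTTP sessions to Dept #2.
    rules = [(ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"), 80)]
    prfw = StatefulFirewall("PrFW-1", rules)
    sefw = StatefulFirewall("SeFW-1", rules)
    prfw.peers, sefw.peers = [sefw], [prfw]

    syn = Packet("10.1.0.5", 40000, "10.2.0.9", 80, syn=True)  # D1 -> D2, opens session
    syn_ack = Packet("10.2.0.9", 80, "10.1.0.5", 40000)        # D2 -> D1 reply, asymmetric path

    outbound = prfw.handle(syn, share_state)
    returning = sefw.handle(syn_ack, share_state)
    return outbound, returning


if __name__ == "__main__":
    print("no state sharing:", simulate(False))  # ('accept', 'drop')
    print("state sharing:   ", simulate(True))   # ('accept', 'accept')
```

The drop in the first run is exactly the symptom in Jeff's question: the reply is a legitimate packet, but SeFW-1 has never seen the session and its rulebase does not allow Dept #2 to open connections to Dept #1, so the only safe decision is to discard it. Pushing each new state entry to the peer (the `share_state` path) is the simplest form of the synchronisation David describes; a real implementation also has to replicate session teardown and timeouts so the tables do not drift apart.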