Great Circle Associates Firewalls
(November 1996)
 


Subject: Re: Redundant FW-1s in Parallel!?
From: shiggins @ naccess . com (Sean higgins)
Date: Wed, 27 Nov 1996 10:43:59 GMT
To: Firewalls @ GreatCircle . COM
In-reply-to: <1 . 5 . 4 . 32 . 19961125043919 . 00708778 @ pop . mindspring . com>
References: <1 . 5 . 4 . 32 . 19961125043919 . 00708778 @ pop . mindspring . com>

On Sun, 24 Nov 1996 20:39:19 -0800, you wrote:

>Suppose someone wants a FW-1, but he also has a requirement for "no single
>points of failure."  Suppose he thought he could address this by putting two
>FW-1s in parallel as follows...
>
>             |----- Primary FW-1 -----|
>             |                        |
>Dept #1 -----|                        |-----Dept #2
>             |                        |
>             |----- Secondary FW-1 ---|
>
>It seems to me that there could be problems with this topology (with both
>FWs powered and connected).  Since a packet could take either FW route to
>get to (for example) Dept #2 from Dept #1, context could be lost and packets
>could be lost.  I know all this is pretty general, and what happens depends
>on the protocols and rules.  Still, I'm just looking for a general answer.
>Any suggestions on how to best satisfy this type of requirement?

I recently heard this will be supported on Firewall-1 version 3.0...

                     Sean

Sean Higgins -- "Always count your advantages!"
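
The concern in the quoted question, as an added example that is not part of the original thread: a generic model of two stateful packet filters in parallel, showing which packets of one TCP exchange are dropped when the return path crosses the other firewall. The `StatefulFilter` class, host names, ports and the shared-table stand-in for state sharing are all assumptions for illustration; this is not FireWall-1 code and says nothing about how any FireWall-1 version handles it.

```python
# Added illustration: generic stateful-filter model, not FireWall-1 code.
class StatefulFilter:
    """Permits new Dept #1 -> Dept #2 connections; all else needs existing state."""
    def __init__(self, name, shared_state=None):
        self.name = name
        # A private set models an unsynchronised firewall. Passing the same set
        # to both firewalls models some form of state sharing (assumption).
        self.state = set() if shared_state is None else shared_state

    def handle(self, pkt):
        src, dst, sport, dport, flags = pkt
        if flags == "SYN" and src.startswith("dept1") and dst.startswith("dept2"):
            self.state.add((src, sport, dst, dport))  # rule match: record connection
            return True
        # Any other packet must match a recorded connection in either direction.
        return ((src, sport, dst, dport) in self.state or
                (dst, dport, src, sport) in self.state)

def run(primary, secondary, paths):
    """Pass a constructed TCP exchange; paths[i] ('P' or 'S') routes packet i.
    Each packet is judged independently to show every hop that would fail."""
    a, b = "dept1-host", "dept2-host"          # constructed sample hosts
    exchange = [
        (a, b, 40000, 23, "SYN"),
        (b, a, 23, 40000, "SYN-ACK"),
        (a, b, 40000, 23, "ACK"),
        (a, b, 40000, 23, "DATA"),
        (b, a, 23, 40000, "DATA"),
    ]
    fws = {"P": primary, "S": secondary}
    return [(p[4], fws[r].name, fws[r].handle(p)) for p, r in zip(exchange, paths)]

def dropped(results):
    """Return (packet type, firewall name) for every packet that was refused."""
    return [(flags, fw) for flags, fw, ok in results if not ok]

if __name__ == "__main__":
    # Symmetric routing: everything crosses the primary, nothing is lost.
    print(dropped(run(StatefulFilter("primary"), StatefulFilter("secondary"), "PPPPP")))
    # Asymmetric routing, no shared state: replies via the secondary are dropped.
    print(dropped(run(StatefulFilter("primary"), StatefulFilter("secondary"), "PSPPS")))
    # Same asymmetric routing with a shared connection table: nothing is lost.
    table = set()
    print(dropped(run(StatefulFilter("primary", table),
                      StatefulFilter("secondary", table), "PSPPS")))
```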

