What about having 2 firewalls in SERIES instead of parallel?
Have the FIRST ONE fail-over unsafely by which I mean letting all
traffic through.
The second FW in line would then be the major deffense line of the
secured network.
If the second FW in line should also fail then it should do so safely
cutting off all traffic.
Q?
Would both firewalls stay active and filter at normal times?
A1?!
No. Perhaps a fail over of the first one (or a possibility) could
trigger the 2nd FW initiation. But can't this initiation also fail?
Possible, probably depends on its implementation.
A2?!
Yes. Have both of them filter and see if anything goes by the first
wall to be caught in the second :) But seriously, if the first filter is
doing its job correctly the second FW should have no real load or delay.
Regards,
A.Omer Koker.
>----------
>From: shiggins @ naccess . com [SMTP:shiggins @ naccess . com]
>Sent: Wednesday, 27 November 1996 12:43
>To: Firewalls @ GreatCircle . COM
>Subject: Re: Redundant FW-1s in Parallel!?
>
>On Sun, 24 Nov 1996 20:39:19 -0800, you wrote:
>
>>Suppose someone wants a FW-1, but he also has a requirement for "no single
>>points of failure." Suppose he thought he could address this by putting two
>>FW-1s in parallel as follows...
>>
>>             |----- Primary FW-1 -----|
>>             |                        |
>>Dept #1 -----|                        |-----Dept #2
>>             |                        |
>>             |----- Secondary FW-1 ---|
>>
>>It seems to me that there could be problems with this topology (with both
>>FWs powered and connected). Since a packet could take either FW route to
>>get to (for example) Dept #2 from Dept #1, context could be lost and packets
>>could be lost. I know all this is pretty general, and what happens depends
>>on the protocols and rules. Still, I'm just looking for a general answer.
>>Any suggestions on how to best satisfy this type of requirement?
>
>I recently heard this will be supported on Firewall-1 version 3.0...
>
> Sean
>
>Sean Higgins -- "Always count your advantages!"
>