Great Circle Associates Firewalls
(November 1996)
 


Subject: Re: Redundant FW-1s in Parallel!?
From: Bill Husler <Bill @ Husler . xo . com>
Date: Fri, 29 Nov 96 19:04:23 -0800
To: <david . helms @ checkpoint . com>, "Dave Roberts" <djr @ saa-cons . co . uk>
Cc: <Firewalls @ GreatCircle . COM>

David,
  Let me see if I understand this.

  Currently, if we want HA we must use Qualix software which requires two
dedicated LAN ports and external shared DASD between two firewalls - one
of which is simply a hot standby. With this configuration on a Sparc-5,
we only get to have two usable interfaces. If I understand, what we will
get with Checkpoint's flavor is the ability to actually use these other
interfaces for the sort of things we wanted to in the first place, like
providing employee dial-up or private connections to other companies
while providing load balancing and fail-over. Is this true?


                  BEFORE                                 AFTER          

           --------------------                      --------------
       Int |                  | Ext              Int |            | Ext
      -----| Primary Firewall |-----            -----| Firewall A |-----
      |    |                  |    |            |    |            |    |
      |    --------------------    |            |    --------------    |
      | ......|.|........|........ |            |     |          |     |
      | . req | |    ----------  . |            | --------   --------  | 
 -----| . for | |    |Ext Disk|  . |-----  -----| | DIAL |   | OTHR |  |-----
      | . HA  | |    ----------  . |            | --------   --------  |
      | ......|.|........|........ |            |     |          |     |
      |    --------------------    |            |    --------------    |
      |    |                  |    |            |    |            |    |  
      -----| Backup Firewall  |-----            -----| Firewall B |-----
           |                  |                      |            |
           --------------------                      --------------
Bill
                    
>Subject:     Re: Redundant FW-1s in Parallel!?
>Sent:        11/27/96 9:04 AM
>Received:    11/27/96 8:01 PM
>From:        David Helms, david . helms @ checkpoint . com
>To:          Dave Roberts, djr @ saa-cons . co . uk
>CC:          Firewalls @ GreatCircle . COM
>
>Dave,
>
>See my comments below....
>
>Dave Roberts wrote:
>> 
>> On Tue, 26 Nov 1996, David Helms wrote:
>> 
>> > That "State-Sharing" protocol was announced as a feature of the V3.0
>> > release of FireWall-1.
>> 
>> How does the software share the state information?  ie what kind of
>> protocol over what kind of medium.
>
>The state sharing protocol is a TCP-protocol that falls within the group
>of what are considered FW-1 control protocols.
>
>>  Is it encrypted and/or authenticated?
>
>Yes and yes, based on the same mechanism as other FW-1 control
>protocols.
>
>David
>> 
>> --
>> Dave Roberts          For PGP Key - send mail with subject of 'get pgp':-
>> Senior Unix Admin     < 51 4B 6A 35 3F C4 B6 3D  13 88 0C B2 48 61 51 1C >
>> SAA Consultants Ltd   Std disclaimer applies, it's nothing to do with them
>> Plymouth, UK.         Tel: +44 1752 606000   Fax: +44 1752 606838
>
>-- 
>__________________________________
> David Helms
> Senior Technical Consultant
> CheckPoint Software Technologies
> ph 703.684.4824
> fx 703.684.4847
> davidh @ checkpoint . com
>__________________________________
