Great Circle Associates Firewalls
(April 1998)
 


Subject: FW: FW-1 redundancy
From: Ray Ricardo <ray . 06 @ worldnet . att . net>
Date: Mon, 30 Mar 1998 19:08:19 -0800
To: "'firewall-wizards @ nfr . net'" <firewall-wizards @ nfr . net>, "'firewalls @ greatcircle . com'" <firewalls @ greatcircle . com>

Configured properly, dynamic routing can safely be used in the DMZ to
achieve redundant firewall availability. If you OWN and CONTROL your
exterior and interior routers, you can configure the routers to ONLY
receive routing updates from the security server in the DMZ (using
GATED) and configure the security server to ONLY send updates to your
exterior and interior routers.

No other routing updates would be required. Once this is accomplished,
the exterior and interior routers will always have current knowledge of
the state of the firewalls in the DMZ. If a firewall fails, the routers
will stop receiving routing updates from that server, flush it out of
their routing tables and begin sending packets to the other firewall.

It is important that this configuration is implemented by a security /
network professional who has expert understanding of the risk associated
with network routing. This goes against conventional thinking, but done properly, it can be implemented safely.

p.s. I would advise using OSPF instead of RIP2. 

Ray Ricardo

> ----------
> From: 	Jose R. Ferreira[SMTP:jricardo @ medidata . com . br]
> Sent: 	Monday, March 30, 1998 9:35 AM
> To: 	Firewalls @ GreatCircle . COM
> Subject: 	FW-1 redundancy
> 
> 
> 
> 
> From: Jose R. Ferreira @ MLX on 30/03/98 14:35
> 
> 
> Hi All,
> 
> I am looking for a solution to give more availability to an Internet
> site.
> Today its configuration is quite simple:
> 
> 
>                External router
>                    |
>             _______|___________
>                    |
>                  FW-1 (Checkpoint)   + NAT
>                    |
>              ______|___________
>                    |
>             Internal network
> 
> 
> 
> I am thinking about the diagram below, using a routing protocol like
> OSPF or RIP to inform the internal network that there is another route if
> a firewall or a link fails, using an internal router as a default gateway
> for the internal network.
> 
> 
>                 External router
>                           |
>              _____________|_____________
>                    |               |
>                    |               |
>                  FW-1 2.0        FW-1 2.0
>                    | (NAT)         | (NAT)
>              ______|_______________|____
>                           |
>                     Internal router
>                       |
>                       |
>                Internal Network
> 
> 
> Does anybody know if the FireWall-1 product supports synchronization
> (the state tables and rules are kept in synchronization)?
> 
> 
> I have read about a solution from stonesoft, called stonebeat. Does
> anybody have some experience with this product?
> 
> I am very interested to know your opinion, experience and solutions
> for this situation.
> 
> Regards,
> Jose Ricardo
> 
> 
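
The failover mechanism Ray describes above (the interior and exterior routers accept routing updates only from the security servers in the DMZ, and a firewall that stops advertising ages out of the routing table) can be seen end to end in the following simulation. This is an added example written for this page, not part of the original thread and not gated or OSPF configuration; the 10.0.0.x addresses, the metrics, the 10 s refresh and the 40 s hold time are all constructed assumptions.

```python
"""Toy model of the DMZ routing-failover scheme discussed in the thread.

Two firewall hosts act as the "security servers" and advertise a default
route to the interior router.  The interior router (1) accepts routing
updates only from explicitly configured neighbours and (2) flushes a route
whose advertiser has stopped refreshing it.  This is an illustrative
simulation written for this page, not gated or OSPF code; all addresses,
metrics and timers are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Seconds an unrefreshed route stays valid.  40 s mirrors OSPF's default
# router-dead interval on broadcast networks (constructed choice).
HOLD_TIME = 40

DEFAULT = "0.0.0.0/0"
FW_A, FW_B = "10.0.0.1", "10.0.0.2"   # constructed DMZ addresses of the firewalls
ROGUE = "10.0.0.66"                    # constructed address of an untrusted DMZ host


@dataclass
class Route:
    prefix: str
    next_hop: str
    metric: int
    last_seen: float


@dataclass
class Router:
    """Router that learns routes only from a fixed set of neighbours."""
    trusted_neighbors: Set[str]
    # prefix -> next_hop -> Route
    routes: Dict[str, Dict[str, Route]] = field(default_factory=dict)
    rejected: List[Tuple[float, str, str]] = field(default_factory=list)

    def receive_update(self, src: str, prefix: str, metric: int, now: float) -> bool:
        """Install/refresh a route; drop updates from non-configured sources."""
        if src not in self.trusted_neighbors:
            self.rejected.append((now, src, prefix))
            return False
        self.routes.setdefault(prefix, {})[src] = Route(prefix, src, metric, now)
        return True

    def expire(self, now: float) -> None:
        """Flush routes whose advertiser has been silent longer than HOLD_TIME."""
        for prefix in list(self.routes):
            by_hop = self.routes[prefix]
            for hop in [h for h, r in by_hop.items() if now - r.last_seen > HOLD_TIME]:
                del by_hop[hop]
            if not by_hop:
                del self.routes[prefix]

    def best_next_hop(self, prefix: str, now: float) -> Optional[str]:
        """Lowest-metric live next hop for prefix, or None if nothing is left."""
        self.expire(now)
        candidates = self.routes.get(prefix)
        if not candidates:
            return None
        return min(candidates.values(), key=lambda r: (r.metric, r.next_hop)).next_hop


def simulate_failover() -> dict:
    """Both firewalls advertise, FW_A dies at t=60, traffic shifts to FW_B."""
    interior = Router(trusted_neighbors={FW_A, FW_B})
    snapshots = {}
    for t in range(0, 201, 10):           # one refresh every 10 s
        interior.receive_update(FW_B, DEFAULT, metric=10, now=t)
        if t <= 60:                       # FW_A stops advertising after t=60
            interior.receive_update(FW_A, DEFAULT, metric=5, now=t)
        # An unconfigured DMZ host keeps offering a "better" default route;
        # the neighbour filter must discard every one of these.
        interior.receive_update(ROGUE, DEFAULT, metric=1, now=t)
        if t in (50, 90, 120):
            snapshots[t] = interior.best_next_hop(DEFAULT, now=t)
    return {
        "before_failure": snapshots[50],        # FW_A, the preferred path
        "within_hold_time": snapshots[90],      # still FW_A: stale but not yet flushed
        "after_hold_time": snapshots[120],      # FW_B: FW_A has aged out
        "rogue_updates_rejected": len(interior.rejected),
    }


if __name__ == "__main__":
    for k, v in simulate_failover().items():
        print(f"{k}: {v}")
```

Two things the model makes visible that the prose only implies: traffic keeps flowing through a dead firewall for up to one hold time before the route is flushed, so the failover delay is bounded by that timer, not by the refresh interval; and filtering on neighbour address is what stops any other host on the DMZ from injecting a more attractive default route. Source-address filtering alone is still not authentication of the updates; OSPFv2 (RFC 2328) defines cryptographic (MD5) authentication, and a deployment built this way would normally enable it as well.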




