Frank,
I've done some exploring with firewalls in parallel and have found
some problems. How do you handle DNS advertizing addresses for internal hosts?
Also if one packet-filter type firewall authorizes in-bound packets in
response to an out-bound connection, what happens when those in-bound
packets hit the other firewall? I believe that it may also complicate
address mapping (NAT). Also, what happens to proxy connections if one
firewall goes down? Ok for http maybe, but it would be nice for
long-term sessions to stay alive.
The synchronization of the firewalls may prove problematic.
Does anyone else have experiences solving these problems?
Mark Riggins
Secure Systems Engineering
AT&T Bell Labs
Frank writes:
> Sorry, but I am not aware of any vendor which has a fault-tolerant firewall.
> Probably the best way to deal with this is to find a firewall which has the
> capability of running multiple firewalls in parallel.
>
> The firewalls should have the capability of being managed from a central
> location (SECURELY). Synchronization of the firewall rules is also important
> - to keep all of the firewalls filtering the same way.
>
> Also, don't forget to build redundancy into your capabilities. I would
> recommend having a firewall installed in at least two different locations
> - each of which connected to a different ISP (Internet Service Provider).
>
> Further, it wouldn't hurt if you the firewall at the remote site had a
> firewall administrator who was trained in the care and feeding of the
> firewall in the event of an emergency (unless you enjoy travelling).
>
> Best Regards,
>
>
> Frank
>
>
> Fortified Networks Inc. - Management & Information Security Consulting
> Phone: (317) 573-0800 - http://www.fortified.com/fortified/
>
> <standard disclaimer>
> The opinions expressed above are of the author and may not
> necessarily be representative of Fortified Networks Inc.
>
>
Follow-Ups:
References:
|
|
