Great Circle Associates Firewalls
(June 1997)
 


Subject: Re: high availability
From: Andrew Luca <fmrco!ocean!ajl @ uunet . uu . net>
Date: Mon, 16 Jun 1997 10:52:56 -0400 (EDT)
To: ocean!uunet!greatcircle . com!firewalls @ uunet . uu . net, ocean!uunet!cpmx . saic . com!christopher . t . kostick @ uunet . uu . net
Reply-to: Andrew Luca <fmrco!ocean!ajl @ uunet . uu . net>

> 
> I'm curious to find out which vendors offer highly available firewall
> solutions. I've seen vendors such as Checkpoint and TIS who have third
> offered? From the above, is 'integration' the correct word? Is the high
>...Much deleted
> --
> chris
> 

Chris,

	This is an issue that we have been exploring for quite some time.  I 
think that this is one of the issues that this industry needs to come to terms 
with quite quickly in order to push firewalls to a maturity level required for 
use in electronic commerce.  We are working on rolling our first prototype 
"firewall cluster" into production in a couple of days.
	
	You are quite right that any HA solution currently available is only a 
third party offering and the products are not nearly closely integrated enough.  
We found it quite easy to make the Veritas FirstWatch product work well with 
Gauntlet.  There were only minor problems with the failover from one system to 
another.  It would be nice to see firewall vendors offer packaged support for 
products such as this though, since fail-over requires substitution of 
netperm-tables and filtering rules.  
	
	The issue of clustering a firewall is in some ways quite easy since in 
most cases, there is very little data which needs to be shared amongst the 
cluster peers.  Once this functionality is removed from the cluster package, our 
experience has been that the cluster installs and runs well.
	
	However, I think that trying to preserve state across a clustered 
firewall pair could be much more difficult than it appears.  Such a solution 
might only be marginally useful depending upon your needs.  As we look at such a 
solution, it is much more important that we provide a running system as quickly 
as possible than if we disconnect users.  It takes much less time for a user to 
click reload or reconnect to a server than it does for them to call a support 
hot-line to report a downed server -- or to become a customer of a competitor.
	
Andrew Luca
Fidelity Investments
82 Devonshire Street F2D
Boston, MA 02109 

----
Disclaimer:  The opinions expressed above are "mine all mine".  Don't ask my 
employer about my opinions because I'm not sure they care.

