
Thread: Firewall redundancy - how?

  1. #1

    Firewall redundancy - how?

    Hi all,

    A few years since I last visited, but here I am with another dumb question...

    I am looking to set up a high availability service from home, and of course want to keep the nasties out. I have one line from my ISP, and of course wish to stick a firewall on the internet-facing side. To be HA, though, I would really need two firewalls in case one box falls over.

    How do I get input directed at one IP to go to either/or firewall without adding another box and thus a single point of failure?
    Is the only way to do this to have a clustered pair, one live and one failover?
    Isn't that adding complexity to what should be a basic box (and therefore adding vulns)?

    Any guidance or pointing-in-the-right-direction would be appreciated.
    What's your favourite OS?

    Seen it. Tried it. Crashed it.

  2. #2
    CybertecOne (Australia; joined Aug 2004; 660 posts)
    If you are planning to put a firewall on a box (such as ISA server) and the box falls over sideways.... internet traffic will stop/be denied by default as the box is no longer handling and forwarding traffic.

    For two firewalls to be configured and working in conjunction, they need to be configured exactly the same for each to allow traffic through.... this means twice as much administration and the only benefit is if someone actually breaks through your first firewall, they only have a second firewall (which is configured identically in this scenario) to break through and that is the only benefit I can see.


    CTO
    "Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
    - Albert Einstein

  3. #3
    Hi CTO,

    I mean the firewalls are in parallel, not serial, so that if one does die the service isn't interrupted.

    Thanks.

  4. #4
    keezel (joined Jun 2003; 1,024 posts)
    To clarify, it sounds more like you are looking for a backup portal (as opposed to layered security). Is this correct?

    Routing protocols (like OSPF or RIP) can be configured with multiple routes to a given destination, with one configured as the primary and another as the backup.

  5. #5
    CybertecOne
    I mean the firewalls are in parallel, not serial, so that if one does die the service isn't interrupted.
    Parallel in what way? Are you describing two boundary firewalls protecting the same WAN connection? Or do you have multiple WANs?

    If you are looking for 2 parallel firewalls protecting a single WAN, by what method are you controlling the inbound traffic flow in order to take a specific route through a particular firewall?

    Sorry, it is difficult when you can't see the whole scope - but I can see the scenario you are after, I just don't understand the context of what you are trying to achieve.

    Cheers,


  6. #6
    Quote Originally Posted by keezel
    To clarify, it sounds more like you are looking for a backup portal (as opposed to layered security). Is this correct?
    There will be web servers behind the firewalls, but they have their own redundancy. The important part is not losing protection and having service continuity if one firewall fails.

    Quote Originally Posted by CybertecOne
    Are you describing two boundary firewalls protecting the same WAN connection? Or do you have multiple WANs?

    If you are looking for 2 parallel firewalls protecting a single WAN, by what method are you controlling the inbound traffic flow in order to take a specific route through a particular firewall?
    The initial idea was to have one WAN connection, but the problem is, as you say, routing the traffic without creating another single point of failure.

    As I read more it is suggested that two WANs with two ISPs is the best prospect for safety, but I'm also wondering if I'm worrying too much - some of the hardware firewall brands are quoting a 40-year MTBF for their units, although how they know that is beyond me ;-)

  7. #7
    CybertecOne
    IMO, 2 boundary firewalls protecting a single WAN must be configured in serial and the configuration must be identical (refer to my earlier post) - and IMO would be completely redundant.

    If you have 2x WANs (or more) and each is protected by a single firewall - this SHOULD be sufficient depending on configuration and technology employed - however the routing of the traffic can be done via external DNS.

    You would have to set up various public domain names and have the DNS records published to "the web" and therefore depending on what traffic is coming in, when using a specific DNS name to find the connection - this will dictate which WAN to come in through.

    For instance; WAN 1 & Firewall 1 will have the external DNS record of wan1.org and WAN 2 & Firewall 2 will have external DNS record of wan2.org

    Emails will come in via WAN1 and the firewall configured to accept such connections. When you want to access email, you would do this via wan1.org

    The firewall on WAN2 is not configured for emails, so access to emails via wan2.org will not be accepted (despite attempting to connect to the same LAN, albeit via a different WAN)

    Remote applications can utilise WAN2 by having the firewall configured for such apps and using the wan2.org DNS record.

    In summary, for what you are trying to achieve - multiple WANs will be required, 1 for each "traffic route" you would like to create. Each WAN must have a public DNS record for ease of access (as using an IP address will work just as well, but is much harder to commit to memory).

    The traffic route will be determined by the client either accessing WAN1 or WAN2, and the firewall will allow/reject requests depending on the specific firewall config for the particular WAN.

    Let me know if you would like clarification



  8. #8
    Thanks CTO, but from a customer point of view, I'm afraid that's not appropriate either.

    The customer shouldn't need to know that when web.company.org is down due to firewall problems he needs to go to web2.company.org. As far as he is concerned, he uses one domain name and we handle the rest...

    Doing an nslookup on www.google.com returns multiple addresses, so I assume there's a way of stacking them in DNS?

  9. #9
    CybertecOne
    I understand. So your reason for having multiple WANs and firewalls is purely redundancy?

    No load balancing or better security in mind?

    Doing an nslookup on www.google.com returns multiple addresses, so I assume there's a way of stacking them in DNS?
    DNS is a very complex technology -

    Check out http://www.tcpipguide.com/free/t_DNS...dBalancing.htm

    When you are talking about incoming access from the web - I don't believe there is much for automatic redundancy. You would be able to setup a failsafe that you must manually 'enable' if there are problems with the primary link..... but I am not sure what the point will be, especially when you weigh the cost-benefit scenario.

    Just go with a good ISP with a decent business plan and the need for redundancy should be minimal.

    We have multiple ISPs/WANs but specifically so we can access certain clients at faster speeds, and one plan is for high speed net access (small d/l limit) and the other plan is a slower speed but allows a huge amount of data to go between LAN & WAN.



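    The multiple-address nslookup result raised in #8 and the "not much for automatic redundancy" point in #9 come down to one mechanism: round-robin DNS rotates the answers but never learns that the firewall behind one of them has died, so any failover is the client's doing. The following Python model is an added illustration, not code from this thread; the zone, the addresses and the "down" set are constructed sample data.

```python
"""Round-robin DNS versus failover: an added, self-contained model.

A name with several A records (what nslookup shows for a large site) has its
answer order rotated per query, but a dead address keeps being handed out
because the resolver cannot see that a firewall is down. Whether a client
recovers depends entirely on it trying the next address in the answer.
All names, addresses and the 'down' set below are constructed examples.
"""
from collections import deque

# Constructed zone: one name, one A record per WAN/firewall pair.
ZONE = {"www.example.org": ["203.0.113.10", "198.51.100.20"]}


class RoundRobinResolver:
    """Returns all A records for a name, rotated one step per query."""

    def __init__(self, zone):
        self._answers = {name: deque(addrs) for name, addrs in zone.items()}

    def resolve(self, name):
        answers = self._answers[name]
        result = list(answers)       # this query's answer order
        answers.rotate(-1)           # the next query starts one address later
        return result


def connect_with_fallback(addresses, is_reachable, max_attempts=None):
    """Try addresses in answer order; return the first that responds, else None.

    This client-side retry is what makes round-robin DNS look like failover.
    A client that only ever tries the first address gets no redundancy at all.
    """
    for tried, addr in enumerate(addresses):
        if max_attempts is not None and tried >= max_attempts:
            break
        if is_reachable(addr):
            return addr
    return None


def simulate(down, queries=4, tries_per_client=2):
    """Run several client lookups while the firewalls in `down` are dead.

    Returns (first_answer, address_actually_reached_or_None) per query.
    """
    resolver = RoundRobinResolver(ZONE)
    outcomes = []
    for _ in range(queries):
        answers = resolver.resolve("www.example.org")
        reached = connect_with_fallback(answers, lambda a: a not in down, tries_per_client)
        outcomes.append((answers[0], reached))
    return outcomes
```

Run `simulate({"203.0.113.10"}, tries_per_client=1)` against `tries_per_client=2` to see the difference: with a single attempt every other client fails, with a retry all of them land on the surviving firewall, and in neither case does the DNS answer itself change.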
  10. #10
    Quote Originally Posted by CybertecOne
    Just go with a good ISP with a decent business plan and the need for redundancy should be minimal.
    Now we're back to the single firewall problem...!

    Actually, if the MTBF *is* 40 years as they quote, how do they manage to charge us hundreds of [insert local currency here] for a subscription for next day replacement kit from day one? Or am I being cynical, LOL?
