Firewall redundancy - how? - Page 2

Thread: Firewall redundancy - how?

  1. #11
    gore (Moderator), AO BOFH: Luser Abuser
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Maybe I've read this wrong, but it seems stupid to configure two firewalls the exact same way because if someone gets through the first one, they can simply do the exact same thing again and get in the second one.... And having two firewalls for "redundancy" is kind of stupid. If you want machines protected like that, get a cheap D-Link router like I have, which has a built in firewall, then, get a D-Link DSD150 like I have, and now you have two firewalls. As for Web Servers, unless you're running Windows, you could very easily set up IPTables if it's Linux, to drop everything that's not Web Traffic, and if it's BSD, use their IPFilters to drop everything that isn't Web Traffic, and call it a day.

    I just got a DSD150 for 9.99 US dollars. They were on sale instead of the 90 dollars they normally sell for.

    If you're good enough at Kernel coding, you can also do what most high target places do and just hack the Server into the Kernel, shut off everything else, and drop all services so you basically have nothing more than a Kernel and a shell to talk to it, and the Web server is built in, so even if they attempt exploits they won't work. Some porn companies do this by paying people, and govt does this too because you've essentially made a Kernel that will drop any activity that's not Web related, so nothing gets through it. The Kernel itself drops everything and I don't know of anyone who can break that considering any traffic you send is dropped unless you're using a web browser to look at port 80. Set that up and no one's going to see anything you don't let them see.

    Just remember that screwing up a configuration is one of the biggest ways someone gets in anyway. That's how Windows is so easy to break; People assume point and click means easy so they set up what they knew how to click on and left everything else alone. Which in turn means they didn't configure it properly and someone else can get in. When you do it by hand and everything is closed by default, it's harder to screw up since you have to tell it what to actually let through.
    Kill the lights, let the candles burn behind the pumpkins' mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again every day is Halloween.
    The Misfits
    FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux
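gore's post describes a Linux web server whose packet filter drops everything that is not web traffic. The script below is an added example, not code from the thread or any of its posters, of such a default-deny iptables policy: the INPUT and FORWARD chains default to DROP, only loopback, replies to established connections, TCP 80/443 and SSH from a management subnet are accepted, and everything else is logged (rate-limited) and dropped. The `iptables` binary and its `conntrack`/`limit` matches are real; the management subnet 192.0.2.0/24 and the `show`/`apply` modes are assumptions made for the example.

```shell
#!/bin/sh
# Default-deny host firewall for a Linux web server (constructed example).
# Usage: sh web-only-firewall.sh show    -> print the iptables commands for review
#        sh web-only-firewall.sh apply   -> run them (needs root)
IPT=${IPT:-iptables}
WEB_PORTS=${WEB_PORTS:-"80 443"}
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}    # assumed management subnet (RFC 5737 range)
SSH_PORT=${SSH_PORT:-22}

# Emits one iptables command per line. Keeping the policy as data makes it
# easy to diff, review and copy to a second box before it is ever applied.
web_firewall_rules() {
    # Start clean, then make "drop" the default for anything not listed below.
    echo "$IPT -F"
    echo "$IPT -X"
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"      # a host, not a router: never forward
    echo "$IPT -P OUTPUT ACCEPT"
    # Loopback and replies to connections the host already accepted.
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP"
    echo "$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # New connections only to the web ports, and only proper SYNs.
    for p in $WEB_PORTS; do
        echo "$IPT -A INPUT -p tcp --dport $p --syn -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Remote administration only from the management subnet.
    echo "$IPT -A INPUT -s $ADMIN_NET -p tcp --dport $SSH_PORT -j ACCEPT"
    # Log what gets dropped (rate-limited so a scan cannot fill the disk), then drop.
    echo "$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"FW-DROP: \" --log-level 4"
    echo "$IPT -A INPUT -j DROP"
}

# Number of rules the policy consists of (handy as a sanity check after apply).
rule_count() {
    web_firewall_rules | wc -l | tr -d ' '
}

case "${1:-show}" in
    show)  web_firewall_rules ;;
    apply) web_firewall_rules | while IFS= read -r cmd; do eval "$cmd"; done ;;
    *)     echo "usage: $0 show|apply" >&2; exit 2 ;;
esac
```

Run `show` first and read the output; the order matters, because the ESTABLISHED rule must come before the port rules and the final LOG/DROP pair must be last. Note that this is a stateful filter: it relies on the `conntrack` module being loaded, which is the default on any current distribution kernel.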

  2. #12
    CybertecOne (Keeping The Balance)
    Join Date
    Aug 2004
    Location
    Australia
    Posts
    659
    Quote Originally Posted by CybertecOne
    Just go with a good ISP with a decent business plan and the need for redundancy should be minimal.

    Now we're back to the single firewall problem...!
    This is not a problem - I am unsure of what your expectations are, and it seems that you are not sure of what you want to achieve exactly, or for what reasons.

    Thanks gore, you hit the nail on the head.


    CTO
    "Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
    - Albert Einstein

  3. #13
    Member
    Join Date
    Jul 2009
    Posts
    45
    Check out this BSD bridging firewall
    http://www.seattlecentral.edu/~dmartin/docs/bridge.html

    For all others, that you can't see what he's trying to do is a shame. It's a simple concept: redundant firewalls help alleviate the firewall as the single path of failure in house.

    Yes, true redundancy and single path failure elimination would require much, much more, such as load balancing, dual access lines to the internet, and a routable subnet that can be advertised by more than one ISP (i.e. two ISPs coming into the customer premises via different cable/fiber/copper, into different machines/firewalls).

    But, in the simplicity and cost-effectiveness camps, that bridging set-up is perfect. Less expensive still is to have a second firewall: when you configure the first, you connect the second offline, copy the config to it, shut it down, and then reattach it to your network. Anyone that is "in the office" can then turn off the malfunctioning firewall, turn on the spare, and, within the range of the last config changes made, the backup firewall is up and running (this of course is not a seamless failover and would not make downtime as minimal as possible; it just minimizes cost and complexity).

  4. #14
    Member
    Join Date
    Apr 2004
    Posts
    38
    Thanks for the article, TG2.

    I was beginning to think it was me...!

    Some of the firewall appliances have failover built-in, but I don't like the idea of paying $$$ annually just to keep the thing working.
    What's your favourite OS?

    Seen it. Tried it. Crashed it.

  5. #15
    Member
    Join Date
    Jul 2009
    Posts
    45
    Quote Originally Posted by shakeshuck View Post
    Thanks for the article, TG2.
    I was beginning to think it was me...!
    Some of the firewall appliances have failover built-in, but I don't like the idea of paying $$$ annually just to keep the thing working.
    Yup... now if you want something interesting, try it with Atom boards. Low power, and unless you're on a 100 meg connection, it's doubtful you'd have problems with dropped packets.

    http://www.newegg.com/Product/Produc...82E16813121342
    60 bucks, needs memory, drive, case.

    small midsize cases (usually have regular sized power supplies that can be swapped out with off the shelf stuff)
    http://www.newegg.com/Product/Produc...%20Mid%20Tower

    If you don't mind used, look for a couple of these on Ebay for under 20 bucks (got 5 of them a year ago for 50 bucks)
    http://www.newegg.com/Product/Produc...82E16833106108

    gives you total of three network ports, of course intel also makes a 4 port card (but at 250 a piece, they'd be more valuable than the rest of the components)

    You can substitute other stuff... local stores in Virginia (USA) are carrying new 199 dollar basic PCs with a Windows 7 disk. It comes with enough of what you need and gives you a personal Windows 7 disc to play with (against MS's EULA though). But figure 450 to 500 total and you'd have two machines, extra (cheap) NICs at $10 a pop, and you're downloading BSD or *nix to play with.

    Again if you don't mind used, look for local Used Computer shops... a used p3 at 60 bucks with 20 gig hard drive and 256 megs of ram should be more than needed.

    Last problem would be managed switches. Look for some older cisco stuff ... about 2 years ago I picked up 15 2924XL's for $100 ea (sorry all in use) so you may find something cheaper or newer than that.

  6. #16
    bAgZ (Senior Member)
    Join Date
    Jul 2001
    Posts
    206
    Well, you could configure two Juniper firewalls together so that there would be no service interruption if one fails, using the HSRP protocol for a failover. I have this config running and it's great; plus, the config from the firewall in use is replicated onto the slave. Never had problems with this type of config.
    ----------------------------------------------------------------------------------------------------------
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford

  7. #17
    Member
    Join Date
    Jul 2009
    Posts
    45

    Costs?

    Quote Originally Posted by bAgZ View Post
    Well you could configure two Juniper Firewalls ...
    How much did the Junipers cost, and did they charge you for HSRP (Cisco charges based on IOS feature sets)? And do they charge you a yearly maintenance fee, or have contracts that you're supposed to maintain with yearly fees?

    One of the side threadlets was cost and or not having to do yearly fees... if cost wasn't an issue any major brand manufacturer would do.

  8. #18
    bAgZ (Senior Member)
    Join Date
    Jul 2001
    Posts
    206
    We pay for equipment, not for support or maintenance, and I configured HSRP on it. Since there is no support there is no yearly charge. The equipment is around 700 euros a piece but well worth it. But if you want to go cheaper, well, I'm not too sure what you can try; maybe running VRRP on a Linux box, but I don't have the experience with this.
    ----------------------------------------------------------------------------------------------------------
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford
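bAgZ suggests VRRP on Linux as the cheaper alternative to a vendor failover pair. On Linux that is normally done with keepalived, and the script below is an added example (not from the thread or any poster) that generates a keepalived configuration for an active/standby firewall pair: one VRRP instance per side (outside and inside), both in a sync group so they fail over together, and a tracked health-check script whose weight is large enough to hand the virtual addresses to the peer when the master's ruleset or uplink breaks. Interface names, the RFC 5737 addresses, the router ids and the two helper scripts (`fw-health.sh`, `fw-notify.sh`) are assumptions; both nodes still need the same packet-filter ruleset, which keepalived does not replicate for you.

```shell
#!/bin/sh
# Generates a keepalived (VRRP) configuration for an active/standby pair of
# Linux firewalls. Constructed example: interface names, addresses (RFC 5737
# ranges), router ids and the helper script paths are assumptions.
# Usage: sh fw-vrrp.sh master > /etc/keepalived/keepalived.conf   (on node A)
#        sh fw-vrrp.sh backup > /etc/keepalived/keepalived.conf   (on node B)
OUTSIDE_IF=${OUTSIDE_IF:-eth0}
OUTSIDE_VIP=${OUTSIDE_VIP:-198.51.100.10/24}   # address the ISP router points at
INSIDE_IF=${INSIDE_IF:-eth1}
INSIDE_VIP=${INSIDE_VIP:-192.0.2.1/24}         # default gateway handed to the LAN
VRID_OUTSIDE=${VRID_OUTSIDE:-50}               # must be unique per segment
VRID_INSIDE=${VRID_INSIDE:-51}

# Priority per role. The health-check weight below (-60) must be larger than
# the gap between the two, otherwise a sick master keeps the virtual addresses.
vrrp_priority() {
    case "$1" in
        master) echo 150 ;;
        backup) echo 100 ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

keepalived_conf() {
    role=$1
    prio=$(vrrp_priority "$role") || return 1
    state=$(printf '%s' "$role" | tr 'a-z' 'A-Z')
    cat <<EOF
global_defs {
    enable_script_security
    script_user root
}

# Assumed helper: exits non-zero when the ruleset is missing or the uplink is down.
vrrp_script chk_firewall {
    script "/usr/local/sbin/fw-health.sh"
    interval 2
    fall 2
    rise 2
    weight -60
}

# Both sides fail over together, so the LAN never talks to a box that lost its uplink.
vrrp_sync_group FW_PAIR {
    group {
        VI_OUTSIDE
        VI_INSIDE
    }
    notify_master "/usr/local/sbin/fw-notify.sh master"
    notify_backup "/usr/local/sbin/fw-notify.sh backup"
}

vrrp_instance VI_OUTSIDE {
    state $state
    interface $OUTSIDE_IF
    virtual_router_id $VRID_OUTSIDE
    priority $prio
    advert_int 1
    virtual_ipaddress {
        $OUTSIDE_VIP dev $OUTSIDE_IF
    }
    track_script {
        chk_firewall
    }
}

vrrp_instance VI_INSIDE {
    state $state
    interface $INSIDE_IF
    virtual_router_id $VRID_INSIDE
    priority $prio
    advert_int 1
    virtual_ipaddress {
        $INSIDE_VIP dev $INSIDE_IF
    }
    track_script {
        chk_firewall
    }
}
EOF
}

case "${1:-}" in
    master|backup) keepalived_conf "$1" ;;
esac
```

Two things the config deliberately leaves out: VRRP's own `authentication` block, since VRRPv2 password auth goes over the wire in clear and does not add protection worth having, and any connection-state replication, so existing sessions through a stateful filter are reset on failover unless conntrackd (or similar) is added on top.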

  9. #19
    Member
    Join Date
    Jul 2009
    Posts
    45

    That's cool

    Quote Originally Posted by bAgZ View Post
    We pay for equipment not for support or maintenance and i configured HSRP on it. since there is no support there is no yearly charge. The equipment is around 700 euros a piece but well worth it. But if you want go cheaper well not too sure what you can try maybe running VRRP on a linux but i don't have the experience with this.
    Ya... that's cool... Cisco is a different animal (high cost, plus maintenance contracts, and difficulty upgrading <$$> IOS sometimes if not on a maintenance contract, or having someone with back door access to Cisco IOS images)... the main thing to be said about doing it with BSD or *nix is that you get to learn a toolset that has nearly no limits. Of course that sometimes makes for a steep learning curve, and of course the cost of either OS is basically your time rather than physical dollars.

    Were I in the position and need, I'd probably figure out my best way to do it with *nix-es, so that if I had new clients to install to, I'd set them up with the inexpensive PC .... hell today I was in Microcenter (a 9 ~ 12 store electronics/computer company in VA, OH, & TX USA) and saw one of Acer's new small form factor PC's ... it was, no lie, smaller than a Wii gaming console, based on an Intel Atom platform for about $349 (US $). If it had the ability as the board I found at newegg.com to have 1 pci card in it ... it would be an incredible SFF firewall .... no fans, add cheapest SSD HD in it and you'd have a system that wouldn't have any real moving parts, save for the electrons moving through ... something that could sit on a shelf somewhere without a care in the world.. LOL, except to do its job (if it'd support *nixes in the config needed).

  10. #20
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130

    Firewall redundancy

    I don't know on your specific case, but on some platforms, such as Cisco or Checkpoint, there are features that allow redundancy in a way that even ongoing connections are not lost during failover.

    Also you can take a look at VRRP (Cisco proprietary) or HSRP - they are routing concepts.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.
