Re: [fw-wiz] Firewall Load balancing solution

From: Jim MacLeod (jmacleod@hotpop.com)
Date: 10/01/02


To: "Dean_Weber" <Dean_Weber@alltel.net>
From: Jim MacLeod <jmacleod@hotpop.com>
Date: Tue Oct  1 16:05:14 2002

It's actually possible to do rudimentary load balancing with VRRP by using
two different VRIDs with two different forwarding addresses, with each
firewall being a backup for the other. This requires something else
splitting the traffic between the firewalls. The inexpensive method is to
set different default gateways on the internal systems. The good way is to
sandwich the firewalls between load balancers on the outside and the
inside. With additional boxes you may as well not use VRRP.

Nokia has recently released a version of their OS which includes
proprietary load-balancing they acquired from Network Alchemy, but I have
yet to hear of anyone using it.

IMHO load balancing could be done with an OSPF equal-cost multi-path, but
by that point of complexity it makes more sense just to shove some foundry
serverirons on each end. The serverirons will nicely track state inbound
and outbound in an active/active configuration. It is necessary for your
load balancer to track individual sessions because a decent firewall tracks
the session state, so splitting a single TCP session between two firewalls
will cause problems. The foundry serverirons make sure that the same
firewall is used bidirectionally for each session, but that sessions are
distributed between the firewalls.

I've also had some success with RadWare in the past, but if you're using
Cisco right now I'd strongly recommend Foundry, as their command line is
very similar.

Regards,

-Jim MacLeod

At 05:43 AM 10/1/2002, you wrote:
>Hi Rogan,
>
>The Nokia/Checkpoint VRRP solution works very well, provided you remember to
>keep active routing protocols away from the physical interfaces. IMNSHO, it
>is one of the better hardware fault tolerant solutions, and is actually a
>real fail-over (state maintained) as opposed to several of the other vendors
>who claim fail-over, but in reality are fall-over (state shared but not
>maintained) where state must be re-established in the event of a failure
>(and which can cause all kinds of loading issues for SSL/VPN connections).
>Of course, this is an active/passive configuration.. I am not aware of
>anyone offering a VRRP FW hardware solution in true load balancing
>(active/active). Usually, when I have needed a load balancer, I do it
>external to the FW (i.e. F5, Foundry, Legato etc.) at the appropriate
>point(s), thereby allowing the FW to do what it does best, be a FW. This
>also assumes only 2 FW's, there are also some excellent 3 or more, load
>balanced solutions on the market, but none are running VRRP that I know
>of.... most use some form of proprietary code.
>
>Just my 2 cents, of course.. and YMMV.
>
>Dean
>
>----- Original Message -----
>From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes@deloitte.co.za>
>To: <firewall-wizards@nfr.net>
>Sent: Monday, September 30, 2002 8:31 AM
>Subject: RE: [fw-wiz] Firewall Load balancing solution
>
>
> > Typically you can only load balance between two firewalls of the same
> > type, if you want to be able to failover between them in a transparent
> > fashion. This is because the two firewalls need to share state
> > information as to what connections are being permitted through, and
> > firewalls of different manufacture require different state information.
> >
> > If you don't care if a user's session gets dropped, and they have to
> > restart it, you should be able to mix your technologies. I wouldn't
> > advise it though, because it can be complicated to debug problems,
> > especially those caused by rule base mismatches. More so when you don't
> > know WHICH rulebase is causing the problem. Firewalls (from the same
> > vendor) that are configured in a hot standby or load balancing
> > configuration typically both get the same copy of the rulebase, and so
> > synchronisation problems are not an issue.
> >
> > However, if you are thinking of deploying a multi-tiered, multi-vendor
> > firewall solution (two Pix in front, two CheckPoint behind) this should be
> > achievable. Some would even say advisable, due to reduction in Single
> > Point of Failure.
> >
> > I am quite interested to know if anyone has experience with firewalls
> > using VRRP to provide load balancing, and what the advantages and
> > disadvantages are.
> >
> > Rogan
> >
> >
> >
> > > -----Original Message-----
> > > From: Phu Quy [mailto:npquy@vnn.vn]
> > > Sent: 30 September 2002 01:11
> > > To: firewall-wizards@nfr.net
> > > Subject: [fw-wiz] Firewall Load balancing solution
> > >
> > >
> > >
> > > Dear all,
> > >
> > > I would like to deploy a firewall load balancing solution for
> > > our network. Now we have 2 Cisco PIX firewalls and we will
> > > have 2 Checkpoint servers in the next few months. I don't know
> > > which solution is good for us. I have to choose between the Cisco
> > > solution and another.
> > > - With the Cisco solution, we need to buy a Content Switching
> > > Module for our Catalyst 6509, but I don't know whether it can be
> > > used for Checkpoint firewall and Cisco PIX firewall load balancing
> > > (mixed together).
> > >
> > > - With the other solution, we intend to buy 2 ServerIron400 from
> > > Foundry Networks for the content switching components, but I don't
> > > know whether I can use many vendors of firewall in this structure either.
> > >
> > > Pls give me your advice.
> > >
> > > Thanks so much
> > > Regards,
> > > Quy Nguyen
> > >
> > > _______________________________________________
> > > firewall-wizards mailing list
> > > firewall-wizards@honor.icsalabs.com
> > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> > >
>
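The requirement Jim describes (a stateful firewall only passes packets that match a session it has already seen, so whatever splits traffic must keep both directions of a session on the same box) and Dean's fail-over versus fall-over distinction, as an added toy model. This is illustration code written for this page, not code from the thread, Foundry, Nokia or Check Point. The addresses, ports and the three splitter policies (per-packet round robin, the "different default gateway per host" split, and symmetric flow hashing) are constructed assumptions for the simulation.

```python
import hashlib
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."        # constructed: the "inside" address range
SERVER = "203.0.113.10"         # constructed: an outside web server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False            # True only on the first packet of a session


def session_key(p):
    """Direction-independent session identifier: same value for both directions."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def internal_host(p):
    return p.src if p.src.startswith(INTERNAL_NET) else p.dst


class StatefulFirewall:
    """Permits outbound-initiated sessions and their return traffic, nothing else."""

    def __init__(self, name):
        self.name = name
        self.sessions = set()    # state table of known session keys
        self.dropped = 0

    def forward(self, p):
        if p.syn and p.src.startswith(INTERNAL_NET):
            self.sessions.add(session_key(p))   # new outbound session: record state
            return True
        if session_key(p) in self.sessions:     # matches existing state: pass
            return True
        self.dropped += 1                       # no state for this packet: drop
        return False


# --- traffic splitters: each maps a packet to a firewall index (0 or 1) ---

class RoundRobin:
    """Per-packet alternation: a splitter with no notion of sessions."""

    def __init__(self):
        self.n = 0

    def __call__(self, p):
        self.n += 1
        return self.n % 2


def gateway_split(p):
    """The cheap method from the thread: hosts with an even last octet default to
    fw0's VRRP address, odd hosts to fw1's.  Keyed on the internal host so the
    return direction lands on the same firewall."""
    return int(internal_host(p).rsplit(".", 1)[1]) % 2


def flow_hash(p):
    """Symmetric flow hashing, as a session-tracking balancer does: the hash is
    taken over the direction-independent key, so both directions agree."""
    digest = hashlib.sha256(repr(session_key(p)).encode()).digest()
    return digest[0] % 2


def make_session(host, port):
    """One TCP session: SYN out, SYN/ACK back, data out, data back."""
    return [
        Packet(host, port, SERVER, 443, syn=True),
        Packet(SERVER, 443, host, port),
        Packet(host, port, SERVER, 443),
        Packet(SERVER, 443, host, port),
    ]


def run(splitter, sessions, firewalls=None):
    """Push every packet through the splitter; return (delivered, dropped)."""
    fws = firewalls if firewalls is not None else [StatefulFirewall("fw0"), StatefulFirewall("fw1")]
    delivered = sum(1 for pkts in sessions for p in pkts if fws[splitter(p)].forward(p))
    return delivered, sum(fw.dropped for fw in fws)


def failover(sync_state):
    """Establish one session per firewall with the gateway split, then lose fw1 so
    fw0 answers for both VRRP addresses.  Returns packets dropped afterwards:
    with state copied to the peer (real fail-over) nothing drops; without it
    (fall-over) fw1's sessions must be re-established."""
    fws = [StatefulFirewall("fw0"), StatefulFirewall("fw1")]
    sessions = [make_session("10.0.0.1", 40001), make_session("10.0.0.2", 40002)]
    run(gateway_split, sessions, fws)          # .2 -> fw0, .1 -> fw1, no drops
    if sync_state:
        fws[0].sessions |= fws[1].sessions     # peer already holds fw1's state
    after = [[Packet(h, pt, SERVER, 443), Packet(SERVER, 443, h, pt)]
             for h, pt in (("10.0.0.1", 40001), ("10.0.0.2", 40002))]
    _, dropped = run(lambda p: 0, after, fws)  # everything now hits fw0
    return dropped


if __name__ == "__main__":
    two = [make_session("10.0.0.1", 40001), make_session("10.0.0.2", 40002)]
    print("round robin  :", run(RoundRobin(), two))
    print("gateway split:", run(gateway_split, two))
    print("flow hash    :", run(flow_hash, two))
    print("fall-over drops:", failover(False), " fail-over drops:", failover(True))
```

The round-robin run drops every return packet, because the SYN/ACK arrives at the firewall that never saw the SYN; both session-aware splitters deliver everything. The failover function shows why Dean separates "state maintained" from "state shared but not maintained": when fw0 inherits fw1's address without fw1's state table, established sessions through fw1 are dropped until the client starts a new one.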
