[fw-wiz] High Availability and Firewall state transfer

From: Ravi (ravivsn_at_roc.co.in)
Date: 03/31/04

To: firewall-wizards@honor.icsalabs.com
Date: Wed, 31 Mar 2004 15:49:04 +0530


    Hi,

    I wanted to find out the compromise between the complexity involved in
    implementing it and satisfying typical deployments.

    In our boxes, we use a firewall, i.e. a stateful firewall at Layer 3, for
    many of the services and a proxy for some services. For example, the FTP
    control connection is proxy based, and FTP data connections are handled at
    the Layer 3 level with state maintained at Layer 3 (there is no connection
    termination and initiation for data connections at the firewall). SIP is
    implemented as a proxy, but RTP/RTCP sessions are taken care of at the L3
    level itself.

    We have a High Availability feature which, apart from learning that the
    master/slaves are down, is also expected to transfer firewall session state
    information. Due to this, the existing connections via the firewall would
    not be affected during a High Availability switchover.

    With respect to implementation, we are not finding any problem in
    transferring sessions that are not proxy based. Due to this, the FTP data
    connections, SIP voice sessions and any connections that don't have a
    corresponding proxy get transferred smoothly and these sessions don't
    break. But connections that are FTP control connections, SIP control
    connections and others are not transferred, and due to this, for a new
    file transfer or a new voice conversation, the users are required to
    restart the authentication or create a new connection. We are finding it
    very difficult to transfer the TCP state as it requires transfer of state
    for each packet, and moreover, the TCP/IP stack data structures are not
    available for transfer.

    The questions I have are:
        - Is transferring data sessions good enough for most Enterprise
          installations?
        - Are there any better High Availability mechanisms that do not
          require state transfer, such as duplicating the packet to go through
          both Primary and backup? (This method is also not a foolproof
          solution.)
        - Does anybody know of any solutions that are proxy based and transfer
          state information?

    Thanks in advance
    Ravi

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
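The split Ravi describes, where Layer 3 flow-table entries (FTP data, RTP/RTCP, plain TCP/UDP flows) can be replicated to the backup but proxied connections (FTP control, SIP control) cannot because their state also lives in the local TCP/IP stack, can be modelled as a small state-sync simulation. The following Python is an added example, not code from the original post or from Ravi's product; the `FlowEntry` record, the `proxied` flag and the `parent` link from a data pinhole to the control session that opened it are assumptions made here to illustrate which sessions survive a switchover and which must be re-established. It also flags a caveat the post does not spell out: a pinhole that survives on the backup has no parent control session there, so nothing but an idle timeout will close it.

```python
"""Simulate firewall session-state export/import across an HA switchover.

Added example (not from the fw-wizards post). Data model and sample
flows are constructed assumptions for illustration.
"""
import json
from dataclasses import dataclass, asdict
from typing import Dict, Optional


@dataclass(frozen=True)
class FlowEntry:
    """One entry of the L3 stateful flow table (assumed layout)."""
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    state: str              # e.g. "ESTABLISHED" (tcp) or "ASSURED" (udp)
    service: str            # "ftp-ctl", "ftp-data", "sip", "rtp", "https" ...
    proxied: bool           # True: a local proxy terminates the connection
    parent: Optional[str] = None   # key of the control session that opened this pinhole

    def key(self) -> str:
        return f"{self.proto}:{self.src}:{self.sport}->{self.dst}:{self.dport}"


def sample_table() -> Dict[str, FlowEntry]:
    """Constructed primary-unit flow table: proxied control sessions plus the
    L3 data/media sessions they opened, and one ordinary HTTPS flow."""
    ctl = FlowEntry("tcp", "10.1.1.5", 40001, "192.0.2.10", 21,
                    "ESTABLISHED", "ftp-ctl", True)
    data = FlowEntry("tcp", "192.0.2.10", 20, "10.1.1.5", 40002,
                     "ESTABLISHED", "ftp-data", False, ctl.key())
    sip = FlowEntry("udp", "10.1.1.7", 5060, "198.51.100.4", 5060,
                    "ASSURED", "sip", True)
    rtp = FlowEntry("udp", "10.1.1.7", 16384, "198.51.100.4", 16384,
                    "ASSURED", "rtp", False, sip.key())
    web = FlowEntry("tcp", "10.1.1.9", 50123, "203.0.113.8", 443,
                    "ESTABLISHED", "https", False)
    return {e.key(): e for e in (ctl, data, sip, rtp, web)}


def export_state(table: Dict[str, FlowEntry]) -> str:
    """Serialize only entries whose state is fully held in the flow table.
    Proxied entries are skipped: their TCP state lives in the local stack
    (sequence numbers, buffers, application-layer context) and is not here."""
    transferable = [asdict(e) for e in table.values() if not e.proxied]
    return json.dumps(transferable)


def import_state(blob: str) -> Dict[str, FlowEntry]:
    """Rebuild the flow table on the backup from the replicated blob."""
    entries = [FlowEntry(**d) for d in json.loads(blob)]
    return {e.key(): e for e in entries}


def failover_report(primary: Dict[str, FlowEntry],
                    backup: Dict[str, FlowEntry]) -> Dict[str, str]:
    """Classify every primary session once traffic moves to the backup."""
    report = {}
    for key, entry in primary.items():
        if key not in backup:
            # Not replicated: the client must reconnect / re-authenticate.
            report[key] = "lost: proxied, client must reconnect"
        elif entry.parent and entry.parent not in backup:
            # Pinhole survives, but no control proxy on the backup will ever
            # close it; it is cleaned up only by the idle timeout.
            report[key] = "survives, orphaned: parent not on backup, relies on idle timeout"
        else:
            report[key] = "survives"
    return report


def summarize(report: Dict[str, str]) -> Dict[str, int]:
    """Count sessions by outcome class ('lost' / 'survives')."""
    counts: Dict[str, int] = {}
    for verdict in report.values():
        cls = verdict.split(",")[0].split(":")[0]
        counts[cls] = counts.get(cls, 0) + 1
    return counts


if __name__ == "__main__":
    primary = sample_table()
    backup = import_state(export_state(primary))
    for key, verdict in failover_report(primary, backup).items():
        print(f"{primary[key].service:9} {key:45} {verdict}")
    print(summarize(failover_report(primary, backup)))
```

Running it shows the FTP data, RTP and HTTPS flows surviving on the backup while the FTP and SIP control sessions are lost, which matches the behaviour in the post; the orphaned verdict on the pinholes is the part worth watching on a real deployment, since lingering pinholes with no owning control session are exactly the entries an operator would want to expire aggressively.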

