RE: [fw-wiz] Info Request: Looking for alternatives in HA/Load balancing firewalls that are also scalable and modular. . .



On Sat, 8 Apr 2006, Jan Tietze wrote:

On Fri, 7 Apr 2006 16:06:42 -0400, "Paul Melson" <pmelson@xxxxxxxxx> wrote:
Sounds like a big firewall. I'm curious, though, as to why load-balancing is a requirement. My experience has been that an appropriately-sized single firewall as part of a fail-over pair is more reliable and performs better than a comparable load-balanced firewall.

I'd say that's really implementation specific. I can see why this would be the case, but that really depends on the actual solution.

unless you have a separate device doing the load balancing you end up with the situation where the traffic arrives at firewall A that firewall B has the state info for (since there isn't any firewall I am aware of that will let you sync full state info in real time for any traffic loads high enough to actually need load balancing). When this situation takes place firewall A now needs to notice that the traffic should be on firewall B and forward the traffic to that box.

since a single firewall can saturate a gig ethernet line nowadays (even "slow" application proxy firewalls can do this easily per vendor specs, which indicates that they probably are close enough to doing so in real life that this is an issue), if you really need load balancing where do you get the bandwidth to do this?

David Lang

The only other firewall vendor I can think of that does (or at least claims to do) load-balancing is Symantec Enterprise Firewall. However, you may also want to look at third-party load-balancing solutions like Radware FireProof or Foundry ServerIron.

StoneSoft StoneGate has really neat clustering with dynamic re-distribution of load etc. They also used to deliver load balancing solutions for Checkpoint for a long time.

-- Jan

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
-- C.A.R. Hoare

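
The forwarding cost raised in the thread above (return traffic arriving at a cluster member that does not hold the connection state) can be estimated with a small model. This is an added example, not part of the original messages: the function names, the SHA-256 based distribution and the flow sizes are assumptions, and the flows are constructed sample data.

```python
import hashlib
import random

def member_for(key, n):
    """Deterministically map a flow key to one of n cluster members."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n

def symmetric_key(a, b):
    """Direction-independent key: both directions of a flow sort to the same tuple."""
    return tuple(sorted((a, b)))

def misdirected_fraction(flows, n, symmetric):
    """Fraction of all bytes that arrive at a member without the flow's state.

    flows: list of (client, server, bytes_out, bytes_back).
    The state owner is the member that receives the client->server direction.
    symmetric=True models a separate balancer that hashes both directions alike;
    symmetric=False models each side of the cluster distributing independently.
    """
    total = misdirected = 0
    for client, server, out_bytes, back_bytes in flows:
        if symmetric:
            owner = member_for(symmetric_key(client, server), n)
            arrival = member_for(symmetric_key(server, client), n)
        else:
            owner = member_for(("inside", client, server), n)
            arrival = member_for(("outside", server, client), n)
        total += out_bytes + back_bytes
        if arrival != owner:
            misdirected += back_bytes  # must cross the cluster interconnect
    return misdirected / total

def constructed_flows(count, seed=1):
    """Constructed sample: small requests, large responses (assumed sizes)."""
    rng = random.Random(seed)
    flows = []
    for _ in range(count):
        client = (f"10.0.{rng.randrange(256)}.{rng.randrange(1, 255)}",
                  rng.randrange(1024, 65536))
        server = (f"192.0.2.{rng.randrange(1, 255)}", 443)
        flows.append((client, server, 2_000, 50_000))
    return flows

if __name__ == "__main__":
    flows = constructed_flows(20_000)
    for n in (2, 4):
        frac = misdirected_fraction(flows, n, symmetric=False)
        print(f"{n} members, independent distribution: "
              f"{frac:.1%} of bytes need inter-firewall forwarding")
    print("symmetric hashing:", misdirected_fraction(flows, 4, symmetric=True))
```

With independent distribution on each side, roughly (n-1)/n of the return traffic has to be relayed between members, which is the interconnect bandwidth the thread asks about; direction-independent hashing in front of the cluster removes it in this model.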


