Re: [fw-wiz] Firewall bake-off?

Hi, all!

On Wed, Mar 21, 2007 at 09:59:03AM -0700, Jim MacLeod wrote:
> On 3/20/07, Zachary Grafton <chaotic.chowder@xxxxxxxxx> wrote:
> > Well, the greatest thing about the sidewinder is how easy it is to
> > configure things. It does have clustering and nice failover features,
> > which are, in my opinion, extremely important. If you are worried about
> > performance with a Sidewinder, just buy another one and cluster them.
>
> Does it support active-active load splitting? Or do you need an
> external load balancer for that? How destructive is the transition
> when one fails? How extensive is the state sync? Will it scale to
> n+1, or is it limited to 2 firewalls?

Active-active with 2 units. Needs external load balancer for N > 2.
But facilitates policy configuration by "one-to-many" cluster mode,
i.e. you configure policy once for N firewalls.

Beware: active-active uses layer 2 multicast - which may be an issue if
your Internet uplink is, say, 34 M and you have servers directly behind
or in front of the firewall on a 100 Mbit/s LAN. Your switches will
broadcast all traffic to the firewalls to all ports in the same collision
domain. Layer 3 separation of DMZ LANs recommended.

Patrick M. Hausen
-- GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
Gf: Jürgen Egeling AG Mannheim 108285
firewall-wizards mailing list
