Re: firewall cluster



Hi,

I was thinking about installing one Linux and one OpenBSD configured with HA in active-passive mode. I have experience in Linux but not in OpenBSD.
The synchronization between rules can be achieved by FwBuilder, building one policy file and generating two outputs, one for the BSD filter and one for Linux netfilter.

In summary:

1 Cluster with different OS:
----------------------------

More complex to install, configure and maintain.
It's more secure in case of bugs that affect one OS but not the other.
There are still vulnerabilities that can be applied to both.

1 Cluster same OS:
------------------

Easier to install, configure and maintain.
If a bug can drop one firewall, it can drop the other.

2 Cluster with different OS in two-tier firewall solution:
----------------------------------------------------------

More Hardware Cost.
More secure.
You can have a DMZ if you want to.
More rule complexity, so you have a more complex network configuration, not only Internet vs. Intranet.
If a bug affects one firewall cluster, you keep the other cluster working. But you need some automatic mechanism to change routing and "bypass" the failed cluster.

Perhaps the last one is the better solution, with some automatic method so that if one cluster fails, the network will keep working.
Other security recommendations: install an IDP just after the firewall clusters.
Thanks for your responses,

Sandra

On 3/27/07, sandra <sandra@xxxxxxxxxxx> wrote:
Hello,

We want to set up a cluster of two firewalls with heartbeat. It will be an active-passive
cluster, so if the main firewall fails, the secondary firewall would become active.
We think that, although they are a cluster, they should have different Operating Systems
(for example Linux and BSD), so if a vulnerability has an impact on our main firewall and
drops it, the second firewall will start to serve without the same vulnerability affecting it.
Do you think it is a good idea, or is it better to have two identical firewalls for compatibility
reasons?
Which combination of Operating Systems do you recommend?
Thanks,

Sandra
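Added example, not from the thread and not FwBuilder's code or output: a toy "one policy, two outputs" generator that renders the same vendor-neutral rule list as pf rules and as iptables commands, which is the arrangement the reply proposes for keeping a Linux/OpenBSD pair in sync. All addresses, ports and rules below are constructed. The one detail worth taking away is the `quick` keyword: pf evaluates rules last-match-wins unless a rule is marked `quick`, while netfilter is first-match-wins, so a policy compiled without it would behave differently on the two cluster members even though it came from one file. The generator also refuses a policy that does not end in an explicit block-all rule, so neither host silently falls back to a different default.

```python
# Added example: toy single-policy, dual-output firewall rule generator.
# Not FwBuilder; all rules and addresses below are constructed samples.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One vendor-neutral rule. Evaluation order is first match wins."""
    action: str              # "pass" or "block"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    dport: Optional[int]     # destination port, None means any port
    comment: str = ""


# Constructed sample policy for a firewall forwarding between the
# Internet and an intranet (hypothetical addresses, not from the post).
POLICY: List[Rule] = [
    Rule("pass", "tcp", "any", "192.0.2.10/32", 443, "public https"),
    Rule("pass", "tcp", "10.0.0.0/8", "192.0.2.0/24", 22, "admin ssh from intranet"),
    Rule("block", "any", "any", "any", None, "default deny"),
]


def validate(policy: List[Rule]) -> None:
    """Reject policies that could compile into different behaviour on the two hosts."""
    if not policy:
        raise ValueError("empty policy")
    for r in policy:
        if r.action not in ("pass", "block"):
            raise ValueError(f"bad action {r.action!r}")
        if r.proto not in ("tcp", "udp", "any"):
            raise ValueError(f"bad proto {r.proto!r}")
        # iptables --dport needs -p tcp/udp; keep pf and netfilter output equivalent.
        if r.dport is not None and (r.proto == "any" or not 0 < r.dport < 65536):
            raise ValueError(f"port {r.dport} needs proto tcp/udp and range 1-65535")
    last = policy[-1]
    if (last.action, last.proto, last.src, last.dst, last.dport) != ("block", "any", "any", "any", None):
        raise ValueError("policy must end with an explicit block-all rule")


def to_pf(policy: List[Rule]) -> str:
    """Render pf rules. Every rule is 'quick' so pf uses first-match semantics
    like netfilter; without it pf takes the last matching rule."""
    validate(policy)
    out = ["# generated from shared policy"]
    for r in policy:
        parts = [r.action, "in", "quick"]
        if r.proto != "any":
            parts += ["proto", r.proto]
        parts += ["from", r.src, "to", r.dst]
        if r.dport is not None:
            parts += ["port", str(r.dport)]
        line = " ".join(parts)
        if r.comment:
            line += f"  # {r.comment}"
        out.append(line)
    return "\n".join(out) + "\n"


def to_iptables(policy: List[Rule]) -> str:
    """Render netfilter commands for the FORWARD chain (first match wins)."""
    validate(policy)
    target = {"pass": "ACCEPT", "block": "DROP"}
    out = ["# generated from shared policy", "iptables -F FORWARD", "iptables -P FORWARD DROP"]
    for r in policy:
        parts = ["iptables", "-A", "FORWARD"]
        if r.proto != "any":
            parts += ["-p", r.proto]
        if r.src != "any":
            parts += ["-s", r.src]
        if r.dst != "any":
            parts += ["-d", r.dst]
        if r.dport is not None:
            parts += ["--dport", str(r.dport)]
        if r.comment:
            parts += ["-m", "comment", "--comment", f'"{r.comment}"']
        parts += ["-j", target[r.action]]
        out.append(" ".join(parts))
    return "\n".join(out) + "\n"


def generate(policy: List[Rule]) -> dict:
    """Both outputs from the one policy object, so they cannot drift apart."""
    return {"pf": to_pf(policy), "iptables": to_iptables(policy)}


if __name__ == "__main__":
    for name, text in generate(POLICY).items():
        print(f"--- {name} ---")
        print(text)
```

Interface binding and state handling are left out to keep the two renderings comparable line for line; a real deployment would pin each rule to an interface and, on the pf side, decide whether to rely on `keep state` defaults, which is exactly the sort of per-platform detail that makes a single policy source worth having.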




