|
the traffic out from the firewalls through the load balancers and
routers to the Internet doesn't need to be touched, however if the
servers initiate traffic out to the Internet through the firewalls the
inside boxes need to load balance across the firewalls (and the outside
boxes handle the reply packets appropriately) the same way the outside
boxes need to load balance and the inside boxes handle reply packets
appropriately for inbound traffic.
Of course, I wasn't thinking very clearly.
... at least for a session. Which might put you into the suboptimal
position of the different session timing expiration regarding TCP
sessions between what the LB thinks is a session and what the PF
thinks is a session.
as long as the timeouts are long enough that we are willing to chop off
connections that are idle past that value it should work (both firewalls
and load balancers need to have timeouts, if they just get set to the
same thing you don't have much trouble in practice)
Fair enough.
And they also do not work correctly, as I've seen in numerous ways.
Just right now I'm debugging an active/hotstandby firewall cluster
system implemented using 2208 NAS from Nortel. Same issue with F5 from
BigIP, although their session synchronisation is somewhat improved ...
until you go up to 1Gbit/s of filtering. I've never used radware, and
I reckon we don't have to talk about Cisco :).
they can be problems, but they can work, I've used them (with radware)
for several years with different types of firewalls.
Ok.
Are you talking about a setup as described for example in chapter 19
of this:
http://www116.nortelnetworks.com/docs/bvdoc/alteon/appl_switch/315394-J.00.pdf
looking this up now...
I can't follow the link. I'll have to dig through the site to try and
find it.
Try this one:
http://tinyurl.com/e54yy
I am trying to find an option that doesn't have the firewall being a
single point of failure. yes, if these were linux firewalls I could
use heartbeat (linux-ha) to provide failover, but that can't load
balance, and it doesn't work if I use commercial firewalls instead of
linux
If you buy a commercial firewall, you will most probably have some
sort of built-in failover.
there are a couple huge advantages of not useing the built-in failover
for commercial firewalls
1. with external boxes you can have firewalls of different types that
you failover/load balance between (avoiding vendor lock-in and you have
a much easier time dealing with major upgrades of a single vendors
firewalls)
I don't understand the term "vendor lock-in". The way I sometimes deal
with major upgrades in business critical environments is to have a
pilot/test network setup up as equal to the existing as possible. Then
either retransmit some captured traffic for point-testing or using
port-mirroring to test the upgrade. The upgrade process itself can
easily be tested in such a setup. This works perfect with Raptor/Axent
firewalls or Checkpoint or our firewall.
2. with external boxes you avoid the situation where traffic arrives at
one firewall and needs to be sent back out the wire to the other
firewall (not a problem for low traffic levels, but as you traffic
levels appraoch wire speed it becomes a problem)
:) I know exactly what you're talking about. I've been doing high speed
packet filtering at wire or even bus speed for over 10 years now.
If back then it didn't support it, I would go as far as to stating
that it is not possible now either. I would say that all attempts to
load balance firewalls (be it based on commercial or OSS) using LVS
ends up being a hackerish setup which is prone to weird failures or
features. This is just my opinion, but then again I've intensively
worked on the LVS code and also wrote a packet filter :).
If LVS decides that this isn't worth supporting, then so be it, but it
does work with the commercial offerings so please don't pretend that
it's not possible. (Radware has an entire product line, their
'fireproof' boxes that are sold for doing nothing but this task)
My apologies to you and to Radware. I stand corrected. My problems lie
in either my misunderstanding of how to properly configure BigIP or
Nortel LBs or in my corner case deployment. Either way, my previous
statement was somewhat unprofessional.
Thanks for the interesting discussion and sorry for wasting your time
without giving you a workable solution,
Roberto Nibali, ratz
--
echo
'[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
|
