Don't forget the extra cost of the Ethernet switches for each of the other
segments you need for the sandwich.
There are a number of software HA packages that you can run on your
firewall to do the failover (and a few that will do load balancing as
well).
David Lang
On Wed, 23 May 2001, Smith, Steve wrote:
> Date: Wed, 23 May 2001 15:36:14 -0400
> From: "Smith, Steve" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: RE: Load Balancing/HA switches
>
>
> I've been kicking this idea around for a while as well. I wonder how
> much redundancy I get by loading 2-3 firewalls with a single FireProof
> switch. It seems to move the failure point a little further outward,
> that's all.
>
> Many vendors advocate a "Firewall Sandwich" to provide HA to a firewall.
> This means 2 load balancer/HA devices on the outside, and 2 load
> balancers/HA devices for each security zone. So a simple 3 zone
> (private, public, DMZ) firewall-cluster (let's say 2 firewalls) uses 6
> load balancer/HA devices. At $15,000 ($90,000 total) that's not cheap
> and I don't think I gain much in the way of redundancy in using this
> configuration. It adds considerable administration and upkeep to the
> design.
>
> It seems the only commercial FW product that has a MAC/IP fail over is
> FW-1. Not that I don't like FW-1 but it doesn't fit our organization
> very well. There's an annoying gap in FW technology in regard to
> redundancy. Actually that's not quite true, I can provide redundancy as
> long as I don't mind adding 5X the hardware and $$$$$. Frustrating but
> there's only so much I can get done in an 80 hour work week...
>
> >Does anyone care to share opinions about Radware's FireProof switches
> >versus the CSS 11000 line available from Cisco?
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>