I, too, have been curious about this aspect of HA. If you have a firewall product that tracks continuous session information like sequence numbers, on a heavily loaded FW doesn't the synchronization of the session table to the standby machine cause considerable performance issues? That is, tracking every state of every packet for 200,000 sessions, pushing it to a standby machine and expecting it to transition flawlessly during a failover seems a bit overwhelming for a FW to handle. It also seems that during a failure it is possible that packets could get lost in the firewall and the synchro of the session couldn't occur properly anyway. Also, if the HA solution does keep state, but not of the sequence numbers, isn't the risk of session hijacking greater?
Are there any FWs out there that can keep session and track sequence numbers and securely transition?

erik

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hiemstra, Brenno
Sent: Friday, February 01, 2002 4:04 AM
To: 'Don Ng'; [EMAIL PROTECTED]
Subject: RE: Statefull failover in High Availabilty /clustering firewalls

Don...

<..snip..>
1.0 From a security viewpoint would stateful failover of firewalls be a plus or minus.
<..snip..>

Checkpoint firewalls do state synchronisation between the firewall cluster nodes. If one of the cluster members goes down then the other firewall(s) take over the communication. There is no reason you need to re-establish the connection again. If state synching works like it does, the connection shouldn't be dropped.

Checkpoint also has stateful inspection (let's not discuss if it's REAL stateful inspection). Which means that if the firewall didn't receive a SYN packet for a TCP session and you send a SYN/ACK or ACK packet, the firewall will drop it as an "Unestablished TCP packet". Checkpoint doesn't keep state on the sequence numbers... but IP addresses alone aren't enough to get into the state table of Firewall 1.

You can also look at Stonebeat as an addition to your Checkpoint Firewall 1 cluster. Stonebeat adds load balancing and load sharing between all the nodes, with which you can also run your firewall cluster in an Active - Active setup.

<..snip..>
2.0 Is it that difficult to ensure that the DB be consistent without depending on external devices, I mean this would involve greater resources on commits, precommits etc.
<..snip..>

WHAT ????

<..snip..>
3.0 What is the probability of an attacker being able to trigger a stateful failover and taking advantage of this.
<..snip..>

The only thing an attacker gains with it is that communication with, for example, your DMZ is disturbed. There shouldn't be a possibility to bypass or inject a communication... otherwise this would be a serious sec hole in the Checkpoint Firewall 1 product.

Good luck !

Regards,
Brenno

> -----Original Message-----
> From: Don Ng [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, 31 January 2002 14:29
> To: [EMAIL PROTECTED]
> Subject: Statefull failover in High Availabilty /clustering firewalls
>
> Hi all, Checkpoint firewalls have intrinsic load balancing capabilities,
> and they have stateful failovers between the active and standby firewalls.
> Meaning in this case there would be no need for the client to
> re-establish the connection via the 3-way handshake.
>
> So when packets arrive at the firewall with non-expected sequence
> numbers, they are still let through as long as the IP addresses are OK?
> <no hands-on on Checkpoint, based on literature>
>
> I have come across clients that state their primary worries were the
> integrity of the databases in opting for this solution. As they fear a
> situation where a firewall goes down and a transaction is lost,
> especially for financial transactions.
>
> My question is:
> 1.0 From a security viewpoint would stateful failover of firewalls be a
> plus or minus.
> 2.0 Is it that difficult to ensure that the DB be consistent without
> depending on external devices, I mean this would involve
> greater resources on commits, precommits etc.
> 3.0 What is the probability of an attacker being able to trigger a
> stateful failover and taking advantage of this.
>
> Nothing too heated please.
>
> Thanks and regards
> Don Ng

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
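The three points argued in this thread (an "Unestablished TCP packet" drop when no SYN was seen, the difference between a state table that tracks sequence numbers and one that only keys on addresses, and sessions that are lost because they opened after the last sync) can be made concrete with a toy simulation. The following is an added example written for this thread, not code from any firewall vendor, Check Point or the list; the `Firewall`, `Entry` and `Packet` classes, the 5-tuple keying, the fixed 65535-byte window, and all addresses and sequence numbers are constructed for illustration, and the window check uses plain integers rather than TCP's 32-bit modular arithmetic.

```python
"""Toy model of an active/standby stateful firewall pair with table sync.

Hypothetical simulation written for this thread; it models no real product.
Packets and addresses are constructed sample data, not captured traffic.
"""
import copy
from dataclasses import dataclass
from typing import Dict, Tuple

Key = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S" = SYN, "SA" = SYN/ACK, "A" = ACK (data in payload)
    seq: int = 0
    payload: int = 0    # bytes of data carried by this segment


@dataclass
class Entry:
    state: str                  # "SYN_SENT" or "ESTABLISHED"
    next_seq: Dict[str, int]    # next expected sequence number per direction
    window: int = 65535         # constructed fixed window; real stacks advertise it


class Firewall:
    def __init__(self, name: str, track_seq: bool):
        self.name = name
        self.track_seq = track_seq      # False models "state, but not sequence numbers"
        self.table: Dict[Key, Entry] = {}

    def _lookup(self, p: Packet) -> Tuple[Key, str]:
        fwd: Key = (p.src, p.sport, p.dst, p.dport)
        rev: Key = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            return fwd, "fwd"
        if rev in self.table:
            return rev, "rev"
        return fwd, "fwd"

    def process(self, p: Packet) -> str:
        key, direction = self._lookup(p)
        entry = self.table.get(key)
        if entry is None:
            # Only a SYN may create state; anything else is an unestablished packet.
            if p.flags != "S":
                return "DROP: Unestablished TCP packet"
            self.table[key] = Entry("SYN_SENT", {"fwd": p.seq + 1})
            return "ACCEPT"
        if entry.state == "SYN_SENT":
            if direction == "rev" and p.flags == "SA":
                entry.next_seq["rev"] = p.seq + 1
                entry.state = "ESTABLISHED"
                return "ACCEPT"
            return "DROP: handshake out of order"
        # ESTABLISHED: addresses match; optionally also require an in-window seq.
        if self.track_seq:
            expected = entry.next_seq[direction]
            if not (expected <= p.seq < expected + entry.window):
                return "DROP: sequence number outside window"
            entry.next_seq[direction] = p.seq + p.payload
        return "ACCEPT"

    def sync_to(self, standby: "Firewall") -> None:
        """Push a snapshot of the state table to the standby (the HA sync)."""
        standby.table = copy.deepcopy(self.table)


def run_scenario(track_seq: bool) -> Dict[str, str]:
    """Handshake, sync, a late session, then failover to the standby."""
    active, standby = Firewall("fw-a", track_seq), Firewall("fw-b", track_seq)
    client, server = ("10.0.0.5", 40000), ("192.0.2.10", 443)   # constructed
    r: Dict[str, str] = {}
    r["syn"] = active.process(Packet(*client, *server, "S", seq=1000))
    r["synack"] = active.process(Packet(*server, *client, "SA", seq=5000))
    # No SYN was ever seen for this 5-tuple, so a bare ACK is rejected.
    r["stray_ack"] = active.process(Packet("198.51.100.7", 1234, *server, "A", seq=1))
    r["data_before_sync"] = active.process(Packet(*client, *server, "A", seq=1001, payload=100))
    active.sync_to(standby)
    # A session opened after the last sync exists only on the active node.
    late_client = ("10.0.0.6", 40001)
    r["late_syn_active"] = active.process(Packet(*late_client, *server, "S", seq=7000))
    # --- failover: the active node dies and the standby now sees the traffic ---
    r["data_after_failover"] = standby.process(Packet(*client, *server, "A", seq=1101, payload=50))
    r["late_session_after_failover"] = standby.process(Packet(*late_client, *server, "A", seq=7001))
    # Right addresses and ports, but a sequence number far outside the window.
    r["forged_after_failover"] = standby.process(Packet(*client, *server, "A", seq=999999, payload=10))
    return r


if __name__ == "__main__":
    for mode in (True, False):
        print(f"track_seq={mode}")
        for name, verdict in run_scenario(mode).items():
            print(f"  {name:30s} {verdict}")
```

Running both modes shows the trade-off the thread circles around: the synced session survives failover in either mode, the session that opened after the last sync is dropped on the standby as unestablished in either mode (Erik's "packets could get lost" point), and the out-of-window packet on a known 5-tuple is dropped only when the table carries sequence numbers, which is exactly the extra cost Erik is asking whether a loaded cluster can afford to synchronize.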
