Kevin,
Yes, it is possible to use load-balancing switches to achieve firewall
High-Availability. Basically, you put a pair of them between the firewalls
and each subnet that the firewalls are connected to. In the typical 3-way
Public/Private/DMZ scenario, you need at least 6 switches and at least 2
firewalls. As you can imagine, this solution can get to be rather
expensive.
First, let me admit that I'm biased against such solutions, since my company
makes Rainwall, one of the leading software-based HA solutions for FW-1.
That said, I think the only advantage is that an external hardware solution
doesn't put any additional load on the firewall itself. Some software-based
solutions tax the CPU and/or NIC of the firewall because of the way they
accomplish HA. However, with Rainwall, this overhead is negligible
(typically less than 2%). The performance advantages of our clustering
solution easily outweigh any load Rainwall puts on the individual firewalls
in the cluster.
I think the hardware solution mainly appeals to people who are using such
devices to do HA/LB for other devices in their network, such as the web
servers. For them, they're already familiar with Alteon, for example, and
extending that model to the firewall is a logical extension. They don't
want to have one solution for web HA/LB, and a different solution for
firewall HA/LB.
Until recently, appliance/switches were the only "single-source" solution
that could do both web and FW load balancing. Now, a cheaper and more
elegant software-based option is emerging. For details, see
http://www.rainfinity.com/products/rainfront_whitepaper.pdf.
Mark L. Decker
Rainfinity
[EMAIL PROTECTED]
408-382-4870
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Lundy
Sent: Thursday, August 31, 2000 8:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [FW1] Firewalls & Web Switches (Alteon)
Please excuse my ignorance here. I've never had to design a HA/LB
environment, but I see it in our distant future. So I have been following
this thread as an educational tool.
Is everyone suggesting that you can use switches on either side of the
firewall to achieve HA/LB of the firewall, rather than a dedicated firewall
solution (e.g. Stonebeat, etc.)? If so, what are the advantages?
-----Original Message-----
From: Mark Decker [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 28, 2000 7:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [FW1] Firewalls & Web Switches (Alteon)
For web-server load-balancing, most people put the switch between the
firewall(s) and the web-servers (or as Ritesh said, behind the FW). If you
also want firewall load-balancing, you can put another one in front of the
firewalls. Note that a single switch can become another point of failure.
People who need high availability have typically deployed such devices in
pairs to address this problem. For a typical HA/LB setup, a minimum of 4
switches (one pair for each subnet) are required.
Mark L. Decker
Rainfinity
[EMAIL PROTECTED]
408-382-4870
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Ritesh Rekhi
Sent: Monday, August 28, 2000 2:00 PM
To: 'Tom Sevy'; Check Point FW List (E-mail)
Subject: RE: [FW1] Firewalls & Web Switches (Alteon)
Hi Tom,
We are using FW-1 and Alteon in one setup. What I think is that
you should put the Alteon switch behind the firewall.
Regards,
Ritesh
-----Original Message-----
From: Tom Sevy [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 28, 2000 12:30 PM
To: Check Point FW List (E-mail)
Subject: [FW1] Firewalls & Web Switches (Alteon)
Has anyone used Alteon Web Switches (180 series) along with FW-1?
If so, how does the perimeter of your network look? Did you put the
Switch(es) outside of the firewall(s)?
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================