Asymmetric Routing / Stateful Inspection Firewall

2004-03-16 Thread Mike Turner

Hello Everyone,

I am currently looking for a stateful inspection firewall that supports
asymmetric routing – is there such a product? I cannot imagine that I am
the only person with redundant Internet connectivity that would like to
put firewalls near the edge of our network. Any thoughts / suggestions
would be greatly appreciated!

Thanks,

Mike
Re: Asymmetric Routing / Stateful Inspection Firewall

2004-03-16 Thread alex

If you are asking for stateful filtering for a firewall that sees only a
one-way conversation, it does not exist and cannot exist, by definition.

If you are asking for some way for firewall A that sees only inbound
packets and firewall B that sees only outbound packets to communicate said
information - I suggest a mirror port on a switch.

Otherwise, as long as the firewall sees both incoming and outgoing packets,
why would it care what happens later at your border routers?

--
Alex Pilosov     | DSL, Colocation, Hosting Services
President        | [EMAIL PROTECTED] (800) 710-7031
Pilosoft, Inc.   | http://www.pilosoft.com

On Tue, 16 Mar 2004, Mike Turner wrote:

> Hello Everyone,
>
> I am currently looking for a stateful inspection firewall
> that supports asymmetric routing - is there such a product? I cannot
> imagine that I am the only person with redundant Internet connectivity,
> that would like to put firewalls near the edge of our network. Any
> thoughts / Suggestions would be greatly appreciated!
>
> Thanks,
>
> Mike



Re: Asymmetric Routing / Stateful Inspection Firewall

2004-03-17 Thread Patrick W. Gilmore

I went to reply, but my e-mail client filled this in:

On Mar 16, 2004, at 9:27 PM, Mike Turner wrote:


:)

Back on topic

On Mar 16, 2004, at 9:27 PM, Mike Turner wrote:

> I am currently looking for a stateful inspection firewall
> that supports asymmetric routing – is there such a product? I cannot
> imagine that I am the only person with redundant Internet
> connectivity, that would like to put firewalls near the edge of our
> network. Any thoughts / Suggestions would be greatly appreciated!

How can a firewall perform a "stateful inspection" of packets coming
in when it did not see the packets going out (or vice versa)?

If you have two links and need redundancy, get two firewalls which NAT
and have each NAT IP on only one provider.  As each packet goes out, it can
only come back through the provider it left through, giving that
firewall knowledge of both incoming and outgoing packets.

The firewalls will have to speak some type of routing protocol with 
your border routers, perhaps just listening to default.  If ISP1 dies, 
Firewall1 will either have to send packets out a different NAT 
interface, or perhaps through Firewall2.  And you'll have to make sure 
the border routers don't accidentally send NAT1 IP out ISP2's link.

But these are all solvable problems.  Getting a firewall to do stateful 
inspection of one-sided conversations is not.

--
TTFN,
patrick


Re: Asymmetric Routing / Stateful Inspection Firewall

2004-03-17 Thread Steve Gibbard

On Tue, 16 Mar 2004 [EMAIL PROTECTED] wrote:

> If you are asking for stateful filtering for a firewall that sees only a
> one-way conversation, it does not exist and cannot exist, by definition.

On a purely theoretical level, I'll disagree.

A stateful inspection firewall needs to know about the packets going in
one direction to do something intelligent with the packets going in one
direction.  That does not mean the firewall needs to see all the packets,
just that it needs to know about them.

Systems for communicating information about flows and state between
firewalls exist.  Cisco does this on the PIXes for redundant firewalls, so
that a fail-over can happen without connections being dropped.  I assume
other firewall manufacturers do that in this context as well.

What would be needed in this case would be to have the firewalls at the
various different network entry points share information about connection
state with each other.  This sounds pretty easy, but whether the
information sharing would happen fast enough to process return traffic on
a new connection is a question I don't know the answer to.  I don't know
if anybody is making firewalls that actually do this.

-Steve


Re: Asymmetric Routing / Stateful Inspection Firewall

2004-03-17 Thread Chris Brenton

On Tue, 2004-03-16 at 21:27, Mike Turner wrote:
>
> I am currently looking for a stateful inspection firewall
> that supports asymmetric routing – is there such a product?

Sounds like you are looking for an SI firewall that supports full load
balancing, not just high availability. FW-1 does this, there may be
others as well.

Keep in mind that you can run into connectivity issues if you have big
pipe connections. You end up in a situation where outbound packets can
cross one firewall and replies can hit the other before the state info
has had time to sync.

Beyond that, it should fit your need.

Chris
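The state-sharing design Steve describes and the sync race Chris warns about, as an added toy simulation that is not code from any product or from anyone in this thread; the firewall names, addresses, RTT and sync delays are constructed, and "sync" is modelled simply as a state entry becoming usable at the peer after a fixed one-way delay:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    t_ms: float  # constructed arrival time, milliseconds since the SYN left


class StatefulFirewall:
    """Toy connection tracker: an outbound packet creates state for its flow;
    an inbound packet is accepted only if state for the reverse flow exists
    and is already usable here (learned locally, or synced from a peer)."""

    def __init__(self, name):
        self.name = name
        self.state = {}   # (src, sport, dst, dport) -> time entry becomes usable
        self.peers = []   # (peer firewall, one-way sync delay in ms)

    def peer_with(self, other, sync_delay_ms):
        self.peers.append((other, sync_delay_ms))
        other.peers.append((self, sync_delay_ms))

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        self.state[key] = pkt.t_ms
        # Push the new entry to peers; it only becomes usable there after the delay.
        for peer, delay in self.peers:
            peer.state.setdefault(key, pkt.t_ms + delay)
        return True

    def inbound(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse of the recorded flow
        usable_at = self.state.get(key)
        return usable_at is not None and usable_at <= pkt.t_ms


def asymmetric_reply_accepted(sync_delay_ms, rtt_ms):
    """SYN leaves via fw1; the reply comes back via fw2 after rtt_ms.
    sync_delay_ms=None means the two firewalls share no state at all."""
    fw1, fw2 = StatefulFirewall("fw1"), StatefulFirewall("fw2")
    if sync_delay_ms is not None:
        fw1.peer_with(fw2, sync_delay_ms)
    fw1.outbound(Packet("10.0.0.5", 40000, "198.51.100.10", 80, t_ms=0.0))
    reply = Packet("198.51.100.10", 80, "10.0.0.5", 40000, t_ms=rtt_ms)
    return fw2.inbound(reply)


if __name__ == "__main__":
    print("no sync, asymmetric path:", asymmetric_reply_accepted(None, 20))  # False
    print("sync 5 ms, RTT 20 ms:    ", asymmetric_reply_accepted(5, 20))     # True
    print("sync 50 ms, RTT 20 ms:   ", asymmetric_reply_accepted(50, 20))    # False
```

The third case is the "big pipe" race: the reply beats the synced state to the second firewall and is dropped even though the firewalls do share state.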