[fw-wiz] Concentrator inside of paired failover firewalls.

Huelsbeck, Harry H. CTR harry.huelsbeck.CTR at jtc-i.jfcom.mil
Wed Sep 13 11:44:32 EDT 2006

Wow, lots of quick responses!
I can tell you guys are thinking pretty much what my thoughts have been
so far, just wanted to see if I was crazy or something. I get a lot of
deer in the headlights looks sometimes.
Data path coming inbound would be something like: Router, Switch,
Firewalls External Burb (each firewall on a separate port on switch),
Firewall Internal Burbs, Hub (a hub for each burb, DMZ etc., a cable
from both firewalls and the associated burb to the same hub, which
concentrates the two together), Router, Switch, etc.
The hubs are also used as span points for the IDS sensors to be placed
and also some network instrumentation when needed. If replaced with a
switch we will only have one span port available to plug into. Not a big
issue, just put a hub on the span port, or play thru the IDS, but still
a factor in the end state.
I believe the thinking on replacing the hubs is to get Gig connectivity
to the firewalls, although the hubs have never failed or caused
performance bottlenecks etc. The firewalls will have Gig connectivity
with the new switch, which then plugs into a 100 Mb router, so the
perceived bottleneck just shifts a notch on the network. (The routers
could be next on the list to go Gig, I guess.)
I think they want to put in a Cisco Gigabit 24 port switch, $$$$$$.
We've actually suggested, instead of a switch for each burb, to run
VLANs for each burb and pump all the VLANs into one switch from the
firewalls. This would only require 1 switch instead of one for each
burb. It would also allow flexibility for creating temporary burbs as
easily as creating another VLAN instead of adding another piece of gear.

Yeah, I've always seen switches also, and when I saw the NetGear hubs
running the whole thing here, it kind of made me nervous, but again they
haven't failed or caused problems so... The network guys are looking
at putting in Cisco Gigabit switches. Yep, we have G2s running in HA,
but not load sharing, just running in failover mode. Thanks for the
advice on checking the code version on the switches; it's on the list.

Nothing between the firewalls but a crossover for heartbeat as you
described. The hubs are on the inside of the firewalls to concentrate
the data from them back together to a single data line to the router. 

Another thought on this whole thing. It would be a better design (maybe
they already have) for the firewalls to be inline with each other for
this type of failover setup. Basically have an external firewall
handling the traffic plugged into and playing thru an open firewall on
the inside that does nothing with the traffic. If the outside firewall
fails, it fails open and the internal secondary firewall begins handling
traffic instead. Then if the internal firewall fails, it fails closed,
unless the outside firewall is up, in which case it would fail open.

Thanks again for your thoughts, Harry
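Added example, not from Harry or from anyone else on the firewall-wizards thread: a Cisco IOS style switch configuration for the one-switch, one-VLAN-per-burb layout suggested above, with a SPAN session feeding the IDS sensor in place of the hub taps. VLAN numbers, interface numbers, port roles and names are all assumptions. It assumes each firewall still has a separate physical port per burb (so the firewalls need no 802.1Q tagging), that only the inside-facing burbs (internal and DMZ) land on this switch, and that the inside router and the IDS sensor plug into the same switch.

```cisco
! Added example configuration (assumed names and numbers, not from the thread).
! VLAN 30 = internal burb, VLAN 20 = DMZ burb, VLAN 999 = unused parking VLAN.
! Gi0/1,Gi0/2 = primary/secondary firewall internal burb
! Gi0/3,Gi0/4 = primary/secondary firewall DMZ burb
! Gi0/5 = inside router, Gi0/6 = DMZ host switch, Gi0/24 = IDS sensor
vtp mode transparent
!
vlan 20
 name DMZ_BURB
vlan 30
 name INTERNAL_BURB
vlan 999
 name PARKING_UNUSED
!
! Both firewalls' internal burb ports share VLAN 30; whichever G2 is
! active owns the traffic, the standby just sits on the same broadcast domain.
interface range GigabitEthernet0/1 - 2
 description Firewall internal burb (Gi0/1 primary, Gi0/2 secondary)
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
 spanning-tree portfast
!
interface range GigabitEthernet0/3 - 4
 description Firewall DMZ burb (Gi0/3 primary, Gi0/4 secondary)
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet0/5
 description Inside router
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
!
interface GigabitEthernet0/6
 description DMZ hosts
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
! A temporary burb is one more VLAN plus an access port; no extra hardware.
! Unused ports are parked in a dead VLAN and shut so nothing joins a burb by accident.
interface range GigabitEthernet0/7 - 23
 description Unused
 switchport mode access
 switchport access vlan 999
 shutdown
!
! One SPAN session replaces the per-burb hub taps: both burb VLANs are
! mirrored to the single IDS port.
interface GigabitEthernet0/24
 description IDS sensor (SPAN destination)
!
monitor session 1 source vlan 20
monitor session 1 source vlan 30
monitor session 1 destination interface GigabitEthernet0/24
```

Two things worth checking once this is in: the switch is now a single box shared by every zone, so the port-level settings (access mode, DTP disabled, dead native/parking VLAN, unused ports shut) are what keep the burbs separated, and the one SPAN destination carries the sum of every mirrored VLAN, so a Gig IDS port can drop packets under load exactly as the original "only one span port" concern anticipated.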


-----Original Message-----
From: firewall-wizards-bounces at listserv.icsalabs.com
[mailto:firewall-wizards-bounces at listserv.icsalabs.com] On Behalf Of
Huelsbeck, Harry H. CTR
Sent: Tuesday, September 12, 2006 10:37 AM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Concentrator inside of paired failover firewalls.
Importance: Low

Looking at our network layout. We have two firewalls, a primary and a
secondary. The two firewalls go to a hub which concentrates the two
together to the inside network segment. We plan on replacing the hub
with a switch, but I was wondering if there is a better/cheaper solution
to concentrate the 2 firewalls together? Seems like a lot of money to
waste if another solution could be used. Please let me know what you
have used, or if you know of something better.
Thanks in advance for any inputs, Harry