firewall sandwich load balancing (fwd)

Roberto Nibali ratz at drugphish.ch
Fri Jul 7 21:14:59 BST 2006


> the traffic out from the firewalls through the load balancers and 
> routers to the Internet doesn't need to be touched, however if the 
> servers initiate traffic out to the Internet through the firewalls the 
> inside boxes need to load balance across the firewalls (and the outside 
> boxes handle the reply packets appropriately) the same way the outside 
> boxes need to load balance and the inside boxes handle reply packets 
> appropriately for inbound traffic.

Of course, I wasn't thinking very clearly.

>> ... at least for a session. Which might put you into the suboptimal 
>> position of the different session timing expiration regarding TCP 
>> sessions between what the LB thinks is a session and what the PF 
>> thinks is a session.
> 
> as long as the timeouts are long enough that we are willing to chop off 
> connections that are idle past that value it should work (both firewalls 
> and load balancers need to have timeouts, if they just get set to the 
> same thing you don't have much trouble in practice)

Fair enough.

>> And they also do not work correctly, as I've seen in numerous ways. 
>> Just right now I'm debugging an active/hotstandby firewall cluster 
>> system implemented using 2208 NAS from Nortel. Same issue with F5 from 
>> BigIP, although their session synchronisation is somewhat improved ... 
>> until you go up to 1Gbit/s of filtering. I've never used radware, and 
>> I reckon we don't have to talk about Cisco :).
> 
> they can be problems, but they can work, I've used them (with radware) 
> for several years with different types of firewalls.

Ok.

>> Are you talking about a setup as described for example in chapter 19 
>> of this:
>>
>> http://www116.nortelnetworks.com/docs/bvdoc/alteon/appl_switch/315394-J.00.pdf 
>> 
> looking this up now...
> I can't follow the link. I'll have to dig through the site to try and 
> find it.

Try this one:

http://tinyurl.com/e54yy

>>> I am trying to find an option that doesn't have the firewall being a 
>>> single point of failure. Yes, if these were Linux firewalls I could 
>>> use heartbeat (linux-ha) to provide failover, but that can't load 
>>> balance, and it doesn't work if I use commercial firewalls instead of 
>>> Linux.
>>
>> If you buy a commercial firewall, you will most probably have some 
>> sort of built-in failover.
> 
> there are a couple of huge advantages of not using the built-in failover 
> for commercial firewalls
> 
> 1. with external boxes you can have firewalls of different types that 
> you failover/load balance between (avoiding vendor lock-in, and you have 
> a much easier time dealing with major upgrades of a single vendor's 
> firewalls)

I don't understand the term "vendor lock-in". The way I sometimes deal 
with major upgrades in business critical environments is to have a 
pilot/test network set up as equal to the existing one as possible. Then 
either retransmit some captured traffic for point-testing or use 
port-mirroring to test the upgrade. The upgrade process itself can 
easily be tested in such a setup. This works perfectly with Raptor/Axent 
firewalls or Checkpoint or our firewall.

> 2. with external boxes you avoid the situation where traffic arrives at 
> one firewall and needs to be sent back out the wire to the other 
> firewall (not a problem for low traffic levels, but as your traffic 
> levels approach wire speed it becomes a problem)

:) I know exactly what you're talking about. I've been doing high speed 
packet filtering at wire or even bus speed for over 10 years now.

>> If back then it didn't support it, I would go as far as to state 
>> that it is not possible now either. I would say that all attempts to 
>> load balance firewalls (be it based on commercial or OSS) using LVS 
>> end up being a hackerish setup which is prone to weird failures or 
>> features. This is just my opinion, but then again I've intensively 
>> worked on the LVS code and also wrote a packet filter :).
> 
> If LVS decides that this isn't worth supporting, then so be it, but it 
> does work with the commercial offerings so please don't pretend that 
> it's not possible. (Radware has an entire product line, their 
> 'fireproof' boxes that are sold for doing nothing but this task)

My apologies to you and to Radware. I stand corrected. My problems lie 
in either my misunderstanding of how to properly configure BigIP or 
Nortel LBs or in my corner case deployment. Either way, my previous 
statement was somewhat unprofessional.

Thanks for the interesting discussion and sorry for wasting your time 
without giving you a workable solution,

Roberto Nibali, ratz
-- 
echo 
'[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
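The two technical points argued over above, that both directions of a flow in a firewall sandwich must traverse the same stateful firewall, and that the load balancer's session timeout and the packet filter's session timeout have to agree, as an added Python model. This is example code written for this page; it is not from the thread, nor from Nortel, F5, Radware or LVS. The symmetric flow key, the least-connections policy for new flows, the addresses and the timeout values are all assumptions made for illustration.

```python
"""Toy model of a firewall sandwich: two stateful firewalls behind a load
balancer that keeps its own session table.  Shows (a) a direction-
independent flow key so request and reply pick the same firewall on the
outside and inside LB, and (b) what a timeout mismatch between LB and
firewall does to an idle-then-resumed connection.

Added example, not code from the thread or any vendor or LVS.  Addresses,
timeouts and the least-connections policy are assumptions."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float            # seconds since start of the simulation
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # first packet of a TCP connection


def flow_key(p: Packet) -> str:
    """Sort the two endpoints so (A->B) and (B->A) give the same key;
    the inside and outside LB then agree without session synchronisation."""
    lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return f"{lo[0]}:{lo[1]}<->{hi[0]}:{hi[1]}"


def hash_pick(key: str, n_fw: int) -> int:
    """Stateless firewall choice derived from the symmetric key."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_fw


class Firewall:
    """Stateful packet filter: a non-SYN packet without state is dropped."""
    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout
        self.state: dict[str, float] = {}      # flow key -> last seen

    def has_state(self, key: str, now: float) -> bool:
        last = self.state.get(key)
        return last is not None and now - last <= self.idle_timeout

    def filter(self, p: Packet) -> bool:
        key = flow_key(p)
        if not (p.syn or self.has_state(key, p.t)):
            self.state.pop(key, None)
            return False
        self.state[key] = p.t
        return True


class LoadBalancer:
    """Pins each flow to one firewall; unknown flows go to the firewall
    with the fewest live LB sessions (assumed least-connections policy)."""
    def __init__(self, n_fw: int, idle_timeout: float):
        self.n_fw = n_fw
        self.idle_timeout = idle_timeout
        self.sessions: dict[str, tuple[int, float]] = {}  # key -> (fw, last)

    def dispatch(self, p: Packet) -> tuple[int, bool]:
        """Return (firewall index, whether the LB already knew the flow)."""
        for k in [k for k, (_, last) in self.sessions.items()
                  if p.t - last > self.idle_timeout]:
            del self.sessions[k]                # expire idle LB sessions
        key = flow_key(p)
        known = key in self.sessions
        if known:
            fw = self.sessions[key][0]
        else:
            load = [0] * self.n_fw
            for fw_idx, _ in self.sessions.values():
                load[fw_idx] += 1
            fw = load.index(min(load))
        self.sessions[key] = (fw, p.t)
        return fw, known


def run(lb_timeout: float, fw_timeout: float, packets, n_fw: int = 2):
    """One record per packet: (lb_knew_flow, chosen_fw, accepted,
    another_fw_still_held_state_for_this_flow)."""
    lb = LoadBalancer(n_fw, lb_timeout)
    fws = [Firewall(fw_timeout) for _ in range(n_fw)]
    out = []
    for p in packets:
        fw, known = lb.dispatch(p)
        elsewhere = any(f.has_state(flow_key(p), p.t)
                        for i, f in enumerate(fws) if i != fw)
        out.append((known, fw, fws[fw].filter(p), elsewhere))
    return out


# Constructed traffic: X opens at t=0 and goes idle, Y and Z open after it,
# Z stays active, X sends data again at t=15.
C, S = "10.0.0.1", "192.0.2.10"
TRAFFIC = [
    Packet(0, C, 40001, S, 80, syn=True),    # X
    Packet(1, C, 40002, S, 80, syn=True),    # Y
    Packet(2, C, 40003, S, 80, syn=True),    # Z
    Packet(12, C, 40003, S, 80),             # Z keeps its session alive
    Packet(15, C, 40001, S, 80),             # X resumes after 15 s idle
]

if __name__ == "__main__":
    for lb_t, fw_t in [(60, 60), (10, 10), (10, 60), (60, 10)]:
        print(f"LB timeout {lb_t:>3}s, FW timeout {fw_t:>3}s ->",
              run(lb_t, fw_t, TRAFFIC)[-1])
```

The last record of each run is the interesting one. With matching timeouts (60/60 or 10/10) the LB and the firewall agree: X is either still a session on both and the packet passes, or expired on both and the packet is dropped, which is the "we are willing to chop off idle connections" case. With a shorter LB timeout (10/60) the LB forgets X and re-dispatches it to the less loaded firewall, which has no state and drops it, even though the original firewall still holds a valid entry. With a longer LB timeout (60/10) the LB keeps steering X to the firewall that has already expired it: the LB thinks it is a session, the packet filter does not.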
