High-Availability FW/VPN for Data Centers

Stephen Hope shope at ENERGIS-EIS.CO.UK
Thu Mar 15 14:27:10 EST 2001


Joe,

Declaration - I work for a reseller, so I am biased by that as well as by
what I have worked on - these opinions are mine, not my employer's.

We have used the Nokia and Pix solutions in high availability mode as pure
firewalls. We have not mixed VPN in this environment, although a sister
company has for both box types.

My take is that both are good, fast firewalls.

Both support failover where existing connections are preserved.

On the Nokia we just use standard FW-1 and Nokia VRRP for resilience. The
resilience link is just Ethernet, so you can separate the 2 boxes into
different comms rooms, although you do need 100M, so you probably need to
stay in the same campus. The 2 Nokia boxes are basically just separate
instances of FW-1, so they exist at layer 3 and your route topology has to
worry about that.

Pix resilience has an Ethernet and a special serial cable, and that limits
you to same or adjacent racks - this was the deciding factor for 1
application. However, a resilient pair of PIXen act like a single logical
box (apart from VPN keys and stuff), so may simplify your design. 1 pix is
active and 1 acting as standby at any one time.

For the VPN stuff, "resilience" is a bit harder - it depends if you want a
backup path, dual paths and so on.

If you want resilience then you are going to need to run a routing protocol
over the VPN to maintain the paths. Issues here are what happens during
transient effects on the network, vs how fast everything must react to a
fault. I would not want to run a link state protocol like OSPF for this
application - however static routes are likely to be difficult to maintain
in this type of design.

Finally, you need a resilient connection to the clean and dirty sides of
the network, and have to worry about route interaction for the Internet,
clean network and the VPN.

The biggest issue I have come across (but not had to deal with in anger) is
clearing down tunnel / security associations for backup links during
failover or hardware reboot - you need to test whatever you are going to use
on a bench, to make sure it recovers in a reasonable time and without manual
intervention.

Good luck, and let us know where you end up.

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189


> -----Original Message-----
> From: Joe Ippolito [mailto:joe at JOESNET.COM]
> Sent: 12 March 2001 15:30
> To: VPN at SECURITYFOCUS.COM
> Subject: High-Availability FW/VPN for Data Centers
>
>
> We have successfully deployed a primarily VPN-based WAN connecting 59 sites
> in a very large manufacturing company. The push now is to move
> line-of-business applications to three data centers, one in the US, one in
> Europe and one in Asia. The data centers will have multiple T3/E3 circuits
> to two major providers. We wish to change the FW/VPN platform that we
> currently use due to an occasional NDIS buffer overflow problem that requires
> a re-boot. Hardware for almost all of our firewalls is aging and is due for
> refresh.
>
> Some of the requirements are:
>
> Secure Internet firewalls.
> High availability - a single hardware failure cannot cause a loss of
> connectivity.
> High throughput - up to 90 Mbits/sec of IPSec 3DES encryption.
> Global management - a single database of network definitions, rulebases,
> etc. for over 100 firewalls/VPN devices.
>
> Desirable:
>
> Quality of service so that the transfer of very large CAD files to/from
> data centers cannot easily slow down time-sensitive ERP interactive
> sessions.
>
> Products currently being considered:
>
> Firewall-1/VPN-1 CP HA on Linux and Provider-10
> Nokia Fw1/VPN1, VRRP and Provider-10
> Cisco Pix and CSPM
> MS ISA, Win 2K L2TP/IPSec, NLB, MMC
>
> I do not give the fourth option much chance due to a low level of
> experience but, pricing makes it an alternative that I would like to keep
> in the analysis for reference.
>
> I would like to get your opinions on the options I have described above
> for my initial presentation to my management.
>
> Thank you in advance for your valued input.
>
> VPN is sponsored by SecurityFocus.COM
>
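Stephen's closing advice is to bench-test the chosen platform and confirm that tunnels and security associations recover after a failover or reboot "in a reasonable time and without manual intervention". The following is an added example, not code from either poster: a small Python harness that probes a host reachable only through the tunnel over TCP at a fixed interval, then reports the longest outage in the trace and whether it stayed within a recovery-time budget. The host, port, probe interval and budget are assumptions; the sample trace is constructed to stand in for a real run, and is not data from the list.

```python
"""Bench test for FW/VPN failover recovery time (added example, not from
the mailing-list posts).

Run it against a host that is only reachable through the tunnel while you
force a failover (pull power on the active unit, reboot it, or trigger the
VRRP / PIX failover by hand). The trace then shows how long the path was
down and whether it came back on its own.  Host, port, interval and the
recovery budget below are assumptions to be replaced for a real test.
"""
import socket
import time
from dataclasses import dataclass


@dataclass
class Probe:
    t: float   # seconds since the start of the test
    up: bool   # True if the far side answered the TCP connect


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """One TCP connect attempt through the tunnel; True if it completed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_probes(host: str, port: int, duration_s: float,
               interval_s: float = 1.0) -> list:
    """Probe once per interval for duration_s seconds and return the trace."""
    start = time.monotonic()
    probes = []
    while (now := time.monotonic() - start) < duration_s:
        probes.append(Probe(t=now, up=tcp_probe(host, port)))
        time.sleep(interval_s)
    return probes


def outages(probes: list) -> list:
    """Return (start, end) for every run of failed probes in the trace.

    An outage that is still open when the trace ends is closed at the time
    of the last probe; evaluate() reports it separately as 'not recovered'.
    """
    result = []
    down_since = None
    for p in probes:
        if not p.up and down_since is None:
            down_since = p.t                     # path just went down
        elif p.up and down_since is not None:
            result.append((down_since, p.t))     # path is back
            down_since = None
    if down_since is not None:
        result.append((down_since, probes[-1].t))
    return result


def evaluate(probes: list, budget_s: float) -> tuple:
    """Return (longest_outage_s, passed, recovered).

    passed is True only if the path was up at the end of the trace AND the
    longest outage fits inside the recovery-time budget.
    """
    gaps = outages(probes)
    longest = max((end - start for start, end in gaps), default=0.0)
    recovered = not probes or probes[-1].up
    return longest, (longest <= budget_s and recovered), recovered


# Constructed trace standing in for a real run: one probe per second, path
# up, failover forced at t=10, first successful probe again at t=35.
SAMPLE_TRACE = [Probe(t=float(t), up=not (10 <= t < 35)) for t in range(60)]

if __name__ == "__main__":
    # Offline check of the analysis on the constructed trace.
    print(evaluate(SAMPLE_TRACE, budget_s=30.0))   # (25.0, True, True)
    # For a real bench test, replace with a host behind the tunnel and run
    # the failover while this is polling (assumed host/port):
    # trace = run_probes("10.0.0.1", 22, duration_s=300, interval_s=1.0)
    # print(evaluate(trace, budget_s=30.0))
```

The useful output is the third value as much as the first: a long outage that eventually clears is a tuning problem (timers, dead-peer detection, SA lifetimes), while a trace that never comes back up is exactly the stale-SA-on-the-backup-link failure Stephen describes, which needs manual clearing and so fails the "without manual intervention" test.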
