In response to load balancing Gauntlet, I was talking with an NAI rep at The Internet Security Conference and he gave me a copy of a white paper on load balancing Gauntlet firewalls. To summarize, Network Associates recommends that you use BIG/ip for firewall load balancing.

I have used BIG/ip to load balance web servers, but never got around to applying that technology to firewalls. The only gotcha that I can remember is when the primary BIG/ip device failed and the secondary took over, we had to manually refresh the downstream routers' ARP tables to direct all traffic to the secondary box. It does fail over, but not as cleanly as we were led to believe. If I were looking for another appliance for load balancing, they would probably be added to the list.

I would agree with Chris that the session state would be lost in the event of an outage. Proxies would need to refresh all connections through the failover device.

Kevin

-----Original Message-----
From: Chris Shenton [mailto:cshentonat_private]
Sent: Thursday, September 30, 1999 1:17 PM
To: Cleaver, Richard J
Cc: firewall-wizardsat_private
Subject: Re: BigIP controller - any issues?

On Thu, 30 Sep 1999 11:25:06 +0100, "Cleaver, Richard J" <Richard.Cleaverat_private> said:

Cleaver,> I have been asked to investigate the effect of implementing
Cleaver,> the BigIP Controller from F5 networks. It has been proposed
Cleaver,> to place this device (of which I have no experience) on the
Cleaver,> dirty side of internet facing firewalls to achieve firewall
Cleaver,> load balancing. Does anyone know of any security issues with
Cleaver,> this device?

It's a UNIX box under the covers, BSDI. They seem to have done a good job of locking it down and are ssh-aware. Though I was surprised to see they had IP forwarding enabled, so I could route right through it.

You'll need two if you're interested in fault tolerance -- which is why you're getting the BIG/ip in the first place, I expect. For what they do, I think they're a bit pricey.

RND has a "fireproof" product which does this, but I've grown to loathe their interface for normal load balancers, and their tech support (human and online) leaves a lot to be desired. Foundry has very cost-effective balancing switches which can be done as dual redundant pairs, and I've found their humans quite responsive; I only have a little hands-on with this product though -- talk to them to see if they'll satisfy your application.

I don't think any of the classic balancers can recover a session's state if the firewall it's using dies. There are a couple of vendors who sell solutions specific to CheckPoint Firewall-1, but I'm unaware of fault-tolerant solutions for Gauntlet. We're planning on doing it with dynamic routing with our routers and back-end servers.
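The manual ARP refresh Kevin describes after the primary BIG/ip failed is the classic symptom of a standby unit taking over a shared address without announcing it. An added example, not code from either post or from F5: the script below builds and (optionally, on Linux with CAP_NET_RAW) broadcasts a gratuitous ARP for a virtual IP, which is the standard way to make upstream routers replace their cached MAC for that address instead of waiting for the stale entry to time out. That gratuitous ARP is what the manual refresh automates is my assumption, not something the thread states. The VIP 192.0.2.10, the MAC 02:00:00:00:00:02 and the interface name eth0 are constructed values, and the parser is included so the frame can be checked offline.

```python
"""Build, inspect and (optionally) send a gratuitous ARP for a failed-over VIP.

Added example, not part of the original mailing-list thread. Sample VIP,
MAC and interface name below are constructed for illustration.
"""
import socket
import struct

ETH_P_ARP = 0x0806      # EtherType for ARP
HW_ETHERNET = 1         # ARP hardware type
PROTO_IPV4 = 0x0800     # ARP protocol type
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Ethernet header: dst MAC, src MAC, EtherType
_ETH_FMT = "!6s6sH"
# ARP body: htype, ptype, hlen, plen, op, sender MAC, sender IP, target MAC, target IP
_ARP_FMT = "!HHBBH6s4s6s4s"


def mac_to_bytes(mac: str) -> bytes:
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_gratuitous_arp(ip: str, mac: str, reply: bool = True) -> bytes:
    """Ethernet frame carrying a gratuitous ARP claiming `ip` for `mac`.

    Sender and target protocol addresses are both `ip`, so any host that
    already caches an entry for that address overwrites it with `mac`
    (the ARP Announcement of RFC 5227). Broadcast so every router on the
    segment sees it; `reply=False` produces the request form some stacks
    prefer.
    """
    sha = mac_to_bytes(mac)
    spa = socket.inet_aton(ip)
    op = ARP_REPLY if reply else ARP_REQUEST
    tha = sha if reply else b"\x00" * 6
    eth = struct.pack(_ETH_FMT, mac_to_bytes(BROADCAST_MAC), sha, ETH_P_ARP)
    arp = struct.pack(_ARP_FMT, HW_ETHERNET, PROTO_IPV4, 6, 4, op, sha, spa, tha, spa)
    return eth + arp


def build_arp_request(sender_ip: str, sender_mac: str, target_ip: str) -> bytes:
    """Ordinary who-has request, included to contrast with the gratuitous form."""
    sha = mac_to_bytes(sender_mac)
    eth = struct.pack(_ETH_FMT, mac_to_bytes(BROADCAST_MAC), sha, ETH_P_ARP)
    arp = struct.pack(_ARP_FMT, HW_ETHERNET, PROTO_IPV4, 6, 4, ARP_REQUEST,
                      sha, socket.inet_aton(sender_ip), b"\x00" * 6,
                      socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into a dict; raises ValueError if it is not ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, etype = struct.unpack(_ETH_FMT, frame[:14])
    if etype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame: EtherType 0x{etype:04x}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(_ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {
        "dst": bytes_to_mac(dst), "src": bytes_to_mac(src), "op": op,
        "sha": bytes_to_mac(sha), "spa": socket.inet_ntoa(spa),
        "tha": bytes_to_mac(tha), "tpa": socket.inet_ntoa(tpa),
    }


def is_gratuitous(frame: bytes) -> bool:
    """True when the ARP announces its own address (sender IP == target IP)."""
    a = parse_arp(frame)
    return a["spa"] == a["tpa"]


def send_gratuitous_arp(iface: str, ip: str, mac: str, count: int = 3) -> int:
    """Broadcast the announcement `count` times on `iface`. Linux only (AF_PACKET),
    requires CAP_NET_RAW; returns the number of frames sent. Not run by the tests."""
    frame = build_gratuitous_arp(ip, mac)
    sent = 0
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        for _ in range(count):
            s.send(frame)
            sent += 1
    return sent


if __name__ == "__main__":
    # Constructed values: the VIP and the standby unit's MAC after failover.
    frame = build_gratuitous_arp("192.0.2.10", "02:00:00:00:00:02")
    print(parse_arp(frame))
    # On the standby box after takeover, e.g.:
    # send_gratuitous_arp("eth0", "192.0.2.10", "02:00:00:00:00:02")
```

Sending this from the unit that has just taken over the VIP is what a clean failover does on its own; if the routers still hold the old MAC, either the standby never sent the announcement or the routers were configured to ignore unsolicited ARP, and the check is to capture on the router-facing segment during a forced failover and look for this frame.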
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:42:08 PDT