Asymmetric Routing / Stateful Inspection Firewall

Hello Everyone,

I am currently looking for a stateful inspection firewall that supports asymmetric routing – is there such a product? I cannot imagine that I am the only person with redundant Internet connectivity that would like to put firewalls near the edge of our network. Any thoughts / suggestions would be greatly appreciated!

Thanks,

Mike

If you are asking for stateful filtering for a firewall that sees only
one-way conversation, it does not exist and cannot exist, by definition.

If you are asking for some way for firewall A that sees only inbound
packets and firewall B that sees only outbound packets to communicate said
information - I suggest mirror port on a switch.

Otherwise, as long as firewall sees both incoming and outgoing packets,
why would it care what happens later at your border routers?

I went to reply, but my e-mail client filled this in:

<mime-attachment>

:)

Back on topic....

> I am currently looking for a stateful inspection firewall that supports asymmetric routing – is there such a product? I cannot imagine that I am the only person with redundant Internet connectivity that would like to put firewalls near the edge of our network. Any thoughts / suggestions would be greatly appreciated!

How can a firewall perform a "stateful inspection" of packets coming in when it did not see the packets going out (or vice versa)?

If you have two links and need redundancy, get two firewalls which NAT and have each NAT IP on only one provider. As each packet goes out, it can only come back through the provider it left through, giving that firewall knowledge of both incoming and outgoing packets.

The firewalls will have to speak some type of routing protocol with your border routers, perhaps just listening to default. If ISP1 dies, Firewall1 will either have to send packets out a different NAT interface, or perhaps through Firewall2. And you'll have to make sure the border routers don't accidentally send NAT1 IP out ISP2's link.

But these are all solvable problems. Getting a firewall to do stateful inspection of one-sided conversations is not.

On a purely theoretical level, I'll disagree.

A stateful inspection firewall needs to know about the packets going in
one direction to do something intelligent with the packets going in one
direction. That does not mean the firewall needs to see all the packets,
just that it needs to know about them.

Systems for communicating information about flows and state between
firewalls exist. Cisco does this on the PIXes for redundant firewalls, so
that a fail-over can happen without connections being dropped. I assume
other firewall manufacturers do that in this context as well.

What would be needed in this case would be to have the firewalls at the
various different network entry points share information about connection
state with each other. This sounds pretty easy, but whether the
information sharing would happen fast enough to process return traffic on
a new connection is a question I don't know the answer to. I don't know
if anybody is making firewalls that actually do this.

-Steve

Sounds like you are looking for an SI firewall that supports full load
balancing, not just high availability. FW-1 does this, there may be
others as well.

Keep in mind that you can run into connectivity issues if you have big
pipe connections. You end up in a situation where outbound packets can
cross one firewall and replies can hit the other before the state info
has had time to sync.

Beyond that, it should fit your need.
Chris
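As an added example (not code from any poster or product in this thread), a small Python model of the state-sharing idea Steve describes and the sync-race caveat Chris raises: two edge firewalls, an outbound SYN leaving through one and the SYN-ACK returning through the other. The addresses, ports and the inbox-style replication mechanism are assumptions made for the model.

```python
# Added example, not from the thread; addresses, ports and replication are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str    # "ip:port"
    dst: str    # "ip:port"
    flags: str  # "SYN", "SYN-ACK", "ACK"

class Firewall:
    def __init__(self, inside_hosts, peer=None):
        self.inside = set(inside_hosts)  # hosts allowed to open outbound flows
        self.table = set()               # flows this firewall knows about
        self.inbox = []                  # state updates from the peer, not yet applied
        self.peer = peer

    @staticmethod
    def key(pkt):
        # Direction-independent key so a reply matches the outbound entry.
        return frozenset((pkt.src, pkt.dst))

    def apply_sync(self):
        # Simulates the replication message arriving and being installed.
        self.table.update(self.inbox)
        self.inbox.clear()

    def filter(self, pkt):
        """Return 'ALLOW' or 'DROP'; only an outbound SYN creates state."""
        k = self.key(pkt)
        if pkt.flags == "SYN" and pkt.src.split(":")[0] in self.inside:
            self.table.add(k)
            if self.peer is not None:
                self.peer.inbox.append(k)  # replicate to the other edge, asynchronously
            return "ALLOW"
        return "ALLOW" if k in self.table else "DROP"

def scenario(mode):
    """Outbound SYN via fw1, SYN-ACK back via fw2. mode: 'isolated' (no replication),
    'synced' (state applied before the reply), 'race' (reply beats the replication)."""
    fw1 = Firewall({"10.0.0.5"})
    fw2 = Firewall({"10.0.0.5"})
    if mode != "isolated":
        fw1.peer, fw2.peer = fw2, fw1
    syn = Packet("10.0.0.5:40000", "203.0.113.9:443", "SYN")
    syn_ack = Packet("203.0.113.9:443", "10.0.0.5:40000", "SYN-ACK")
    outbound = fw1.filter(syn)
    if mode == "synced":
        fw2.apply_sync()
    return outbound, fw2.filter(syn_ack)
```

The 'isolated' and 'race' cases both drop the legitimate reply; only the 'synced' case passes it, which is why the replication latency matters on fast links.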