David Lang wrote:

> On Sat, 8 Apr 2006, Jan Tietze wrote:
>> On Fri, 7 Apr 2006 16:06:42 -0400, "Paul Melson"
>> wrote:
>>> Sounds like a big firewall. I'm curious, though, as to why
>>> load-balancing
>>> is a requirement. My experience has been that an appropriately-sized
>>> single
>>> firewall as part of a fail-over pair is more reliable and performs
>>> better
>>> than a comparable load-balanced firewall.

>> I'd say that's really implementation specific. I can see why this
>> would be the case, but that really depends on the actual solution.
I was actually thinking more about reliability (because even though poor
active-active clustering capabilities are common, this doesn't mean that
active-active clusters per se don't work well; it might just mean that
people buy poor implementations) than performance (because it is
possible to scale almost linearly in my experience) when I made that
comment; however in my experience it is valid for performance as well.

> unless you have a separate device doing the load balancing you end up
> with the situation where the traffic arrives at firewall A that
> firewall B has the state info for (since there isn't any firewall I am
> aware of that will let you sync full state info in real time for any
> traffic loads high enough to actually need load balancing). When this
> situation takes place firewall A now needs to notice that the traffic
> should be on firewall B and forward the traffic to that box.

Or you can have the traffic flushed to all nodes of the cluster
simultaneously by the switches in front of it; think multicast. The
firewalls could distribute new connections to nodes based on a hash
function over some part of the IP headers, thus eliminating the need for
immediate state table change sync, then replicate slowly, like every 50
ms, usually over a dedicated heartbeat channel, the updates to their
state tables and redistribution of processing load. This is one mode of
operating the product I mentioned.

> since a single firewall can saturate a gig ethernet line nowadays (even
> "slow" application proxy firewalls can do this easily per vendor
> specs, which indicates that they probably are close enough to doing so
> in real life that this is an issue), if you really need load balancing
> where do you get the bandwidth to do this?

Using this approach you don't need to redistribute traffic; you just
have another node process the traffic, but it continues to arrive at all

> David Lang
>>> The only other firewall vendor I can think of that does (or at least
>>> claims
>>> to do) load-balancing is Symantec Enterprise Firewall. However, you
>>> may
>>> also want to look at third-party load-balancing solutions like Radware
>>> FireProof or Foundry ServerIron.

>> StoneSoft StoneGate has really neat clustering with dynamic
>> re-distribution of load etc. They also used to deliver load
>> balancing solutions for Checkpoint for a long time.
-- Jan
firewall-wizards mailing list
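The scheme Jan describes above (switch multicasts every packet to all cluster nodes, each node decides ownership of a new connection by hashing the IP headers, and connection state is replicated lazily over a heartbeat channel) can be modelled in a few dozen lines. The following is an added example written for this thread; it is not code from any poster or from the product mentioned. The `Cluster` class, the node names, the 5-tuple flows and the "packets" counter standing in for tracked connection state are all constructed assumptions of the simulation. It also shows the failure mode the lazy replication implies: when a node dies, flows whose state had not yet been replicated cannot be picked up by the re-hashed owner.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """5-tuple identifying a connection (sample values are constructed)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


def flow_hash(flow: Flow) -> int:
    """Stable 64-bit digest over the 5-tuple; every node computes the same value."""
    key = f"{flow.src}|{flow.dst}|{flow.sport}|{flow.dport}|{flow.proto}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


class Cluster:
    """Hypothetical model: the switch multicasts every packet to all active nodes."""

    def __init__(self, names):
        self.active = list(names)                    # membership known to all nodes
        self.owner = {n: {} for n in names}          # per node: flow -> owning node
        self.state = {n: {} for n in names}          # per node: flow -> tracked state

    def owner_of_new(self, flow):
        # Hash-based assignment: no coordination needed when a connection starts.
        return self.active[flow_hash(flow) % len(self.active)]

    def deliver(self, flow):
        """One packet arrives at every node; returns the nodes that processed it."""
        processed = []
        for node in self.active:
            owner = self.owner[node].get(flow)
            if owner is None:
                owner = self.owner_of_new(flow)
                self.owner[node][flow] = owner       # same result on every node
            if owner == node:
                # Only the owner tracks connection state (here: a packet counter).
                st = self.state[node].setdefault(flow, {"packets": 0})
                st["packets"] += 1
                processed.append(node)
        return processed

    def sync(self):
        """Periodic heartbeat replication: copy each owner's state to all nodes."""
        for node in self.active:
            for flow, owner in self.owner[node].items():
                if flow in self.state[owner]:
                    self.state[node][flow] = dict(self.state[owner][flow])

    def remove_node(self, dead):
        """Node failure: re-hash its flows onto survivors.

        Returns the flows whose state had not been replicated before the failure;
        a stateful firewall would have to drop mid-stream packets of those flows.
        """
        self.active.remove(dead)
        self.owner.pop(dead)
        self.state.pop(dead)
        lost = set()
        for node in self.active:
            for flow, owner in list(self.owner[node].items()):
                if owner != dead:
                    continue                          # survivors keep their own flows
                new_owner = self.owner_of_new(flow)
                if flow in self.state[new_owner]:
                    self.owner[node][flow] = new_owner
                else:
                    lost.add(flow)
                    del self.owner[node][flow]
        return lost
```

Two properties are worth noting when running it. Because every node sees every packet and applies the same hash, exactly one node processes each packet without any real-time state exchange, which is why the sync interval can be as slow as the 50 ms Jan mentions. The price is visible in `remove_node`: the replication lag bounds how much connection state is lost on a node failure, and a re-hashed owner that lacks state for a flow has no safe option but to treat its packets as unknown.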