RE: Meshing firewalls
>So, the reason for posting: has anyone here done anything like this, or
>have alternative ideas about how it could be set up? Does my plan make
>sense? Is there a way to set this up without requiring 6 ethernet cards
It looks to me like a pretty standard fully redundant setup to me :)
The things you may want to make different and things you have to
use only one physical interface on the internal side of each firewall
and use vlans over it to a an internal switch. Connect hosts from
different subnets to different vlans. (this one depends on your policy
for keeping separate trust zones on separate hardware)
you probably don't need the connection between the 2 DMZ switches, so
is the link between the two firewalls.
you haven't thought of the layer 3 implications of the redundant
setup.you may need to have 2 or even 4 subnets in the DMZ or use layer3
switches and a routing protocol. Or you can do bridging between
in-facing interfaces on the border routers and use a single ip address
on each border. I think that the easier (in case you don't have l3
switches) would be to use 2 subnets - one for the left dmz switch and
another for the right. each firewall will have one address of each
subnet. Don't connect the DMZ switches to one another. And run a routing
protocol between the firewalls and the borders.
how will you detect a failure of an internal switch or firewall nic ?
how will you react to such a failure?
If you plan to use connection tracking you will have issues with
asymetric routing (that is traffic from A to B goes through firewall 1
and trafiic from B to A back through firewall 2). To handle this you
need to have only one active path to and from each stub hosts subnet.
Imagine that Firewall 1 is the master firewall, the other is standby (it
does not pass any traffic).Imagine that the link between firewall 1 and
internal switch 1 failes for some reason (NIC, cable, switch port,
misconfiguration). Now the only possible way in and out of stub subnet 1
is through firewall 2. This has to reflect the routing on border routers
(or, not recomended between firewalls).
If you use Layer3 internal switches you may make the same setup as
between borders and firewalls. Just make a layer 3 uplink and run a
routing protocol between the firewalls and the switches.
Consider the use of VRRP (with vrrpd) or Linux High Availability
(www.linux-ha.org) heartbeat deamon on internal interfaces.
>Did I make an enormous blunder and should now retreat back under a
Nope. Nothing scary here. The firewall vendors even have a protocol for
exchanging the state tables between firewalls so that when one firewall
fails the other kicks in without even one tcp session dropped.
Boyan Krosnov, CCIE#8701
just another techie speaking for himself