
Re: Pseudo-cluster firewall



On Tue, Nov 02, 2004 at 08:55:24PM +0100, Raffaele D'Elia wrote:
(...)

I fail to see how this is a Debian-specific security issue, but I'll bite.


> Now the problem: I have only a cross-over cable from the router to  the
> firewall, so I cannot connect the backup firewall.
> Using a switch is pointless: the switch may die too.

However, a switch/hub is maybe less prone to issues than the firewall 
(depending on what you are using as your firewall platform). So, if you 
actually don't trust the switch, why trust the router (which is also a 
point of failure) or the proxy?

> Moreover I have a proxy in front of the lan, so I cannot connect 2
> firewalls even on the lan side.

If you want to be fully fault-tolerant you need two switches in the front
and two in the back. You'll get what is commonly referred to as a
"firewall sandwich". Then you need to use some clustering software (like
the 'vrrpd' package available in Debian) to configure the firewall
failover. Vrrpd will only provide standby-failover (no active-active 
cluster unless you use external load-balancing mechanisms).

RouterA---- SW1 ---- FWA ---- SW2 ---- Proxy A ---\
             |                 |                   --- Internal LAN
RouterB --- SW3 ---- FWB ---- SW4 ---- Proxy B ---/

That covers all possible failures (Router, Switch, Firewall, Proxy or 
even cable). Depending on how you configure it you might be able to sustain 
multiple failures (a switch _and_ a firewall die at the same time...) as 
long as they are not "crossed" (i.e. SW1 and FWB die at the same time).

If that's just too much hardware for you and the most unreliable point is 
your firewall, then you'll have to stick with:

               ____ FWA ___
Router -- Hub /            \Hub --- Proxy ----- Internal LAN
              \---- FWB ---/

Hubs are probably more resilient to failure than your firewalls, if you 
don't go for the cheapest. You could probably have a backup Proxy 
plugged in there too (to the same hub) with clustering software to serve as 
a backup.

Regards

Javier
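The standby failover described above, as an added illustration that is not part of this thread and not vrrpd's own code: a simulation of the VRRP election and timer rules (RFC 3768, which is what vrrpd implements) for a two-firewall pair. It goes one step beyond the post by also showing what happens when the preferred firewall comes back (preemption). The names FWA/FWB, the addresses from the 192.0.2.0/24 documentation range, the priorities and the outage times are all constructed. Debian's vrrpd itself is driven from the command line (as I recall, along the lines of `vrrpd -i eth0 -v 1 -p 200 192.0.2.1`; treat that invocation as an assumption and check vrrpd(8)).

```python
"""VRRP-style standby failover (RFC 3768 election and timer rules).

Constructed scenario: firewalls FWA and FWB share a virtual IP on the
outside segment; FWA has the higher priority. Time is simulated in fixed
ticks, so this models the protocol's timers, not packets on a wire.
"""
import ipaddress
from dataclasses import dataclass

ADVERT_INTERVAL_MS = 1000   # RFC 3768 default Advertisement_Interval (1 s)
TICK_MS = 100               # simulation granularity (assumed)


def skew_time_ms(priority: int) -> float:
    """Skew_Time = (256 - Priority) / 256 s: higher priority waits less."""
    return (256 - priority) * 1000 / 256


def master_down_interval_ms(priority: int) -> float:
    """Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time."""
    return 3 * ADVERT_INTERVAL_MS + skew_time_ms(priority)


@dataclass
class Router:
    name: str
    ip: str                  # real interface address, tie-breaker on equal priority
    priority: int            # 1..254 (255 is reserved for the VIP's owner)
    alive: bool = True
    state: str = "backup"    # all start as backup; the election picks the master
    last_advert_ms: int = 0  # when a valid advertisement was last heard


def rank(priority: int, ip: str):
    """Election key: higher priority wins, then the higher primary IP."""
    return (priority, ipaddress.ip_address(ip))


def simulate(routers, failures, restarts, end_ms):
    """Run the group; failures/restarts map time_ms -> router name.

    Returns the list of (time_ms, router, new_state) transitions.
    """
    events = []
    for t in range(0, end_ms + TICK_MS, TICK_MS):
        # Outages and recoveries take effect at the start of the tick.
        for r in routers:
            if failures.get(t) == r.name:
                r.alive, r.state = False, "down"
                events.append((t, r.name, "down"))
            if restarts.get(t) == r.name:
                r.alive, r.state, r.last_advert_ms = True, "backup", t
                events.append((t, r.name, "backup"))

        # 1. Every live master advertises; the others process the adverts.
        adverts = [rank(r.priority, r.ip) for r in routers
                   if r.alive and r.state == "master"]
        for r in routers:
            if not r.alive:
                continue
            mine = rank(r.priority, r.ip)
            for adv in adverts:
                if adv == mine:
                    continue                       # our own advertisement
                if r.state == "backup" and adv >= mine:
                    # Preempt mode: a lower-ranked master is ignored, so this
                    # backup's Master_Down_Timer keeps running and it takes over.
                    r.last_advert_ms = t
                elif r.state == "master" and adv > mine:
                    # Two masters at once: the lower-ranked one steps down.
                    r.state, r.last_advert_ms = "backup", t
                    events.append((t, r.name, "backup"))

        # 2. A backup whose Master_Down_Timer expired becomes master.
        for r in routers:
            if (r.alive and r.state == "backup"
                    and t - r.last_advert_ms >= master_down_interval_ms(r.priority)):
                r.state = "master"
                events.append((t, r.name, "master"))
    return events


def run_demo():
    """FWA dies at 10 s and returns at 20 s (constructed timeline)."""
    fwa = Router("FWA", "192.0.2.2", priority=200)   # preferred firewall
    fwb = Router("FWB", "192.0.2.3", priority=100)   # standby
    return simulate([fwa, fwb],
                    failures={10_000: "FWA"},
                    restarts={20_000: "FWA"},
                    end_ms=25_000)


if __name__ == "__main__":
    for t, name, state in run_demo():
        print(f"{t / 1000:6.1f}s  {name} -> {state}")
```

FWB takes over about 3.7 s after FWA's last advertisement (three missed advertisement intervals plus the skew time for priority 100), and FWA reclaims the virtual IP about 3.3 s after it returns. One design point worth keeping in mind with plain VRRP: a router keeps advertising as long as the interface it runs on is up, so a firewall whose inside-facing leg has failed (the "crossed" failure in the first diagram) would keep the outside VIP unless interface tracking or a health check on top of vrrpd makes it step down.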
