Assymetric Routing / Statefull Inspection Firewall

• Previous message (by thread): Assymetric Routing / Statefull Inspection Firewall
• Next message (by thread): Assymetric Routing / Statefull Inspection Firewall
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I went to reply, but my e-mail client filled this in:

On Mar 16, 2004, at 9:27 PM, Mike Turner wrote:

> <mime-attachment>

:)

Back on topic....

On Mar 16, 2004, at 9:27 PM, Mike Turner wrote:

>             I am currently looking for a statefull inspection firewall 
> that support asymmetric routing – is there such a product? I cannot 
> imagine that I am the only person with redundant Internet 
> connectivity, that would like to put firewalls near the edge of our 
> network. Any thoughts / Suggestions would be greatly appreciated!

How can a firewall perform a "statefull inspection" of packets coming 
in when it did not see the packets going out (or vice versa)?

If you have two links and need redundancy, get two firewalls which NAT 
and have eat NAT IP only one provider.  As each packet goes out, it can 
only come back through the provider it left through, giving that 
firewall knowledge of both incoming and outgoing packets.

The firewalls will have to speak some type of routing protocol with 
your border routers, perhaps just listening to default.  If ISP1 dies, 
Firewall1 will either have to send packets out a different NAT 
interface, or perhaps through Firewall2.  And you'll have to make sure 
the border routers don't accidentally send NAT1 IP out ISP2's link.

But these are all solvable problems.  Getting a firewall to do stateful 
inspection of one-sided conversations is not.

-- 
TTFN,
patrick

• Previous message (by thread): Assymetric Routing / Statefull Inspection Firewall
• Next message (by thread): Assymetric Routing / Statefull Inspection Firewall
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]