Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] Hardware HA solution advice needed

To: <[email protected]>
Subject: RE: [FW1] Hardware HA solution advice needed
From: "Mark Decker" <[email protected]>
Date: Thu, 8 Mar 2001 12:57:30 -0800
Importance: Normal
In-reply-to: <[email protected]>
Reply-to: <[email protected]>
Sender: [email protected]

> I've been told by more than a few Cisco engineers that Cisco Content
> Switches will do HA and load balancing in lieu of a software
> solution for Checkpoint, but I've never met anyone who has even tested
> this. Content Switches would probably cost somewhat more than either
> Stonesoft or Rainfinity also.

While mainly intended for use with web and application servers, many
layer-7 switches can be used to provide HA and LB for FW-1 servers.  A
few of them like Foundry have even been OPSEC certfied for this purpose,
which means they are SecuRemote compatible.  Cisco is not among them,
but a list of certified vendors can be found at:
http://www.checkpoint.com/opsec/performance.html#HA_Load_Balancing.

The cost difference between SW and HW is actually quite large.  The
problem with HW is that you typically need numerous  switches for a
complete solution.  Consider this common deployment, where "LB"
represents a load balancing switch or appliance:

              DMZ
       -----------------
            |      |
 |          LB -- LB         |
 |          |      |         |
P|---LB---[FW]-----)----LB---|P
R|   |             |    |    |U
V|---LB----------[FW]---LB---|B
 |                           |
 |                           |

In this simple public/private/DMZ network design, a total of 6 switches
are needed (one redundant pair per subnet) to provide transparent
fail-over and load balancing for the firewalls, while avoiding any
single points of failure.  At an average cost of $8-12k per switch, the
total solution is over $48k.  As the number of directly-attached subnets
goes up, so does the cost.  An equivalent design using software HA/LB
would cost less than $14k, regardless of the number of subnets.  I'm
admittedly biased on this point, but IMHO hardware load balancers are
overkill for this application.  Software HA/LB is cheaper, easier to
deploy, and doesn't eat up rack space.

Just my two cents,

Mark L. Decker
Rainfinity
[email protected]
www.rainfinity.com================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

References:
- Re: [FW1] Hardware HA solution advice needed
  - From: "Thomas Holmstrom" <[email protected]>

Prev by Date: [FW1] Tripwire for Nokia
Next by Date: [FW1] HA configuration
Previous by thread: Re: [FW1] Hardware HA solution advice needed
Next by thread: Re: [FW1] Hardware HA solution advice needed
Index(es):
- Date
- Thread