| |
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FW1] FW-1 state synchronization and VPN
- To: <[email protected]>
- Subject: [FW1] FW-1 state synchronization and VPN
- From: "Michael Liberte" <[email protected]>
- Date: Thu, 19 Jul 2001 10:18:59 +0200
- Sender: [email protected]
- Thread-index: AcEQKy/fZLCoinwpEdWVigCgyZIJ3w==
- Thread-topic: FW-1 state synchronization and VPN
Hi guys,
I have a rather theoretical question.
Firewall-1 supports clustering in it's newer versions, for HA and load
balancing. Many third-party vendors, such as Rainfinity, developed
products that make heavy use of the new features.
Clustering in CP FW-1 relies on state synchronization feature, when
cluster nodes copy their entire connection table to each other, every
50ms or so.
When VPN tunnels are involved, each gateway acts as an endpoint for a
particular tunnel. It involves key exchange, SA establishment, and so
on.
My question is whether this information is copied to other cluster
members as well. Essentially what I ask is if the standby gateway has
the identical set of keys, including the session key, and maintains the
identical set of SA's at any given moment. Or maybe the key exchange
must happen once again before the tunnel may failover to the backup
node.
If this information IS transferred during state synchronization, how
does the transfer happen? Is it secure at all to transfer key material
over a network medium?
Personally I think that in the case of node failure SAs must be
reestablished. However, someone from CheckPoint said that in v4.1 they
DO transmit session keys during state synchronization.
Maybe you guys can help me understand the situation.
Thanks in advance,
Michael.
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
|
|
