
Re: [FW-1] Nokia & ISP Load Balance



Hi Peter:

I'll stick to the familiar (what I think I know. :-)

>>(b) Is it a good idea.

My first impression is that it does not seem to be. I could be totally wrong (e.g. YMMV!), but to me these are the initial "why's":

1. Assuming both connections go to the same provider, you have no carrier diversity. (the easiest way to do your setup would be with the same provider and use statics I think..)

 - I can't speak for anyone else, but having carrier diversity as well as POP and local loop diversity has saved my bacon more times than I can count. I'd be loath to go without it if connectivity is crucial. (and I assume it is if you're spending the $ on HA!)

2. If you use diverse carriers, you will need to have some kind of dynamic routing on the firewalls (most likely BGP4) I prefer to avoid this but it's a personal thing, not a "right/wrong" thing. You could also use an appliance like a Radware box, but then it becomes the SPF.. from your diagram I gather you're trying to get by with less gear, not more. I only run statics on my own gateways and turn off all dynamic routing.

 - The inbound/outbound routing issue is also there - the firewalls have to sync their tables, and the paths to & from the remote location have to make sense to the state table. Running something like CEF (for example) can break the state table. (my connection out via provider A returns over provider B for ex..)   If the routing is not consistent from connection to connection I'm not sure your firewalls will be able to sync their tables. This is another argument for an edge router to basically "hide" this functionality from the firewall. I hope that makes sense the way I'm trying to explain it.. I only bumped into this by trying to run CEF on my edge router once, which promptly broke my firewalls... :-)

3. I like having a bastion router "outside" the firewall as an extra layer to protect the firewall and the internal nets that much better. A small-medium Cisco with one of the FW IDS versions is pretty handy for this.

4. I like to distribute critical functionality among different devices so I don't lose 2 key things at once during service or hard failure. (routing and firewalling in this case)

free thoughts worth what you paid!

cheers,

Joe


>>>My attempt at a diagram below will hopefully illustrate what I am talking about.


       2Mb Connection 1                2Mb Connection 2
              !                               !
              !                               !
              !                               !
       ****************                ****************
       *  Nokia 650   *                *  Nokia 650   *
       ****************                ****************
              !                               !
              !                               !
              !                               !
    ====================================================
                       Corporate LAN
    ====================================================


I would be grateful for any pointers or suggestions about how I could achieve load balancing across the two links.

Best Regards, Peter.
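An added example, not part of this thread, that models the state-table problem raised in point 2 above: a connection leaves through one firewall and its reply comes back through the other. Firewall names, addresses and the sync mechanism are constructed for illustration.

```python
# Added example (not from the mailing-list post): two stateful firewalls with
# separate state tables, with and without state replication between them.
# Names and addresses below are constructed, not taken from the thread.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The 5-tuple a reply packet for this flow would carry."""
        return Flow(self.dst, self.dport, self.src, self.sport)


@dataclass
class StatefulFirewall:
    name: str
    table: set = field(default_factory=set)
    peers: list = field(default_factory=list)  # firewalls receiving state sync

    def outbound(self, flow: Flow) -> None:
        """Internal host opens a connection: record state, replicate to peers."""
        self.table.add(flow)
        for peer in self.peers:
            peer.table.add(flow)

    def inbound(self, flow: Flow) -> bool:
        """Packet from the Internet: allowed only if it belongs to a known flow."""
        return flow.reverse() in self.table


def simulate(sync: bool) -> tuple:
    """Return (reply allowed on same path, reply allowed on the other path)."""
    fw_a, fw_b = StatefulFirewall("fw-a"), StatefulFirewall("fw-b")
    if sync:
        fw_a.peers.append(fw_b)
        fw_b.peers.append(fw_a)
    flow = Flow("10.0.0.5", 40000, "192.0.2.80", 443)  # constructed addresses
    fw_a.outbound(flow)                # session goes out via provider A
    reply = flow.reverse()
    symmetric = fw_a.inbound(reply)    # reply returns over provider A
    asymmetric = fw_b.inbound(reply)   # reply returns over provider B
    return symmetric, asymmetric
```

Without state sync the asymmetric reply is dropped as an unsolicited inbound packet; with sync both firewalls recognise it, which is why consistent routing (or an edge router hiding the path choice) matters.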

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
   All contents © 2004 Network Presence, LLC. All rights reserved.