
Re: [FW-1] Two ISP & a Firewall



FWIW, I'm old-fashioned, so I let the routers do routing and let the FW do
FW stuff. That said...

What we did here for our main office was a pair of Ciscos on the edge
running a FW version of the IOS first (you can never have too much
protection!). They each take a T1 from diverse providers (we run BGP) and
then run iBGP with each other for a measure of load balancing: while one
router is the "up" router in an HSRP pair, if each router knows the other's
BGP info, a packet that is better served by the 2nd router will go to the
VIP address on the 1st router first and then move on to the 2nd router to
head out. Otherwise all your traffic goes out the active router, which may
also be what you want.
If you are going to get multiple T1s, try to make sure that they are not
only from different carriers, but also do not share loop providers or COs.
Keep them as diverse as possible. Try to have them come in on different
media if possible (one of mine comes in on fiber, the other on copper).

Behind the routers is a firewall cluster. Routing stays simple because the
routers have a single VIP courtesy of HSRP, and the firewalls do as well
courtesy of Rainwall. I can scale up more FWs or more routers live and make
very few changes to the config. So there is a single default route out of
the network, and static routes are all the firewalls need.

>> 1. If I want two ISPs for link redundancy (high availability) for
>> incoming & outgoing traffic as well, how can I configure that in FW-1?

The above does that very well, IME. We have had zero downtime since April
of 2001, when we put it in (knocking wood!).

>> 2. If two links are active (load sharing), can one be used for VPN
>> traffic and the other for outgoing Internet surfing?

If you go the BGP route (and IMHO you should...) you have limited control
over how traffic gets to you. You do this both by prepending your AS path
and by altering your announcement, e.g. you announce the more specific
route to the carrier you want the bulk of your traffic with. This scenario
covers folks reaching you. Thus if you have different subnets (they have to
be a minimum of a /24, though) you can use one for VPN and announce that to
one ISP; that will keep VPN on one circuit, and you can do the same for
workstations surfing. But I would not do this, as it defeats, IMHO, the
real reason to get multiple T1s: resiliency. When a T1 goes down, you want
to not be affected at all (or to minimize the impact). Nothing beats
walking into the CFO's office and telling them we have 5 T1s down and the
net effect on the business is zippo. :) (This has happened!)

You have total control over how packets leave your network, of course. The
simplest, perhaps, is to set the default route in your edge router to a
given interface. How traffic returns is a function of the rest of the net,
and the only way to have any control over that is to run BGP and carefully
craft your announcements. You can also use policy routing to say send all
traffic from netblock A out this interface and all traffic from netblock B
out this one, or all IKE traffic out this one interface. These are pretty
simple things to do. You can also rate-limit various kinds of traffic to
make sure there is always enough BW for your VPNs no matter how much
surfing is going on. For good stuff like this, check the ISP Routing
archives; you'll find tons of good stuff there.

>> 3. How about setting up clustering on those two firewalls, like using
>> Nokia VRRP or IP clustering?

We've had great luck with Rainwall; not even a hiccup in all the time it's
been in. It's easy to set up and has a very broad set of options for load
balancing, VPN stuff, etc. We run Checkpoint (obviously) on Sun hardware.

>> Any additional hardware?

I would stay away from any DNS-based solution. Just keep in mind the only
"backup" entry in DNS is for your MX record. BGP is more work up front, but
it works very reliably, and once it's set up you can go on about your life;
it does not need much attention. In the event of a circuit failure you will
lose the connections that were on that line (nothing can protect against
this, of course!) but you will be reachable from pretty much anywhere in
the US within about a minute and the world within about 5-6 minutes. This
is based on actual experience. My users have never noticed anything when
we've had line failures. Maybe a website comes up slowly, and then
everything is fine after that.

You do not need to take a full routing table and buy a huge router; the
simplest and cheapest setup could be a 2600 series with a pair of WICs
which takes a default route from each provider. People do this... You only
need to take a full table if you are providing transit or if you just want
to optimize your routing. If you want to do that you need something with at
least 128MB of RAM (more is mo' betta). If you are feeling all-powerful and
geeky you can forgo the Cisco and fire up a Linux box running Zebra. That
will lop off a lot of the cost of the BGP implementation. Zebra is cool
beans; it runs BGP, OSPF, etc., just like a "real" router. ;)

2 cents pls. ;)

ps: happy new year from new yawk new yawk!
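The dual-router, dual-ISP edge the reply above describes, worked out as an
IOS configuration. This is an added example, not the poster's own config or
anything from the FW-1 list: the hostname, interface names, addresses
(documentation ranges), AS numbers (private placeholders) and the split of
192.0.2.0/24 for the router/firewall segment versus 192.0.3.0/24 for the
workstations are all assumptions. It shows router 1 of the HSRP pair, which
holds the T1 to ISP-A; router 2 is the mirror image with ISP-B on its serial,
HSRP priority 100, and the ISP-B-OUT route-map on its eBGP session. It takes
only a default route from the provider (the 2600-with-two-WICs case), draws
inbound VPN traffic to ISP-A with a more-specific /24, keeps the /23 aggregate
on both circuits for resiliency, policy-routes IKE/ESP out ISP-A, and
rate-limits web traffic so the VPN keeps headroom. The firewall cluster then
needs nothing more than a default route to the HSRP VIP 192.0.2.1.

```cisco
! edge1: router 1 of the HSRP pair. All names, addresses and AS numbers are
! placeholders (assumed for this example), not values from the original post.
!   our AS 65001, aggregate 192.0.2.0/23
!   192.0.2.0/24 = segment between routers and firewall cluster (VPN lands here)
!   192.0.3.0/24 = workstation block behind the firewall cluster VIP 192.0.2.10
!   ISP-A: AS 65100, peer 198.51.100.1 on Serial0/0 of router 1
!   ISP-B: AS 65200, peer 203.0.113.1 on Serial0/0 of router 2
!
hostname edge1
ip cef
!
! Inside interface: HSRP gives the firewalls one default gateway, 192.0.2.1.
! Tracking the T1 drops the priority below router 2's 100 if the circuit fails.
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 ip policy route-map VPN-OUT-ISP-A
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track Serial0/0 20
!
! T1 to ISP-A. CAR caps outbound web traffic (ACL 110) at ~1 Mbit/s of the
! 1.544 Mbit/s T1 so IKE/ESP always has bandwidth left.
interface Serial0/0
 description T1 to ISP-A
 ip address 198.51.100.2 255.255.255.252
 rate-limit output access-group 110 1000000 187500 375000 conform-action transmit exceed-action drop
!
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
!
! Routes BGP will originate: the /23 needs a discard route so it exists in
! the table; the /24 is connected; workstations sit behind the firewall VIP.
ip route 192.0.2.0 255.255.254.0 Null0 250
ip route 192.0.3.0 255.255.255.0 192.0.2.10
!
router bgp 65001
 no synchronization
 no auto-summary
 bgp log-neighbor-changes
 network 192.0.2.0 mask 255.255.254.0
 network 192.0.2.0 mask 255.255.255.0
 ! eBGP to ISP-A: accept only a default (no full table), announce only our
 ! own prefixes so the router can never become transit between the two ISPs.
 neighbor 198.51.100.1 remote-as 65100
 neighbor 198.51.100.1 description ISP-A
 neighbor 198.51.100.1 password SET-A-SHARED-SECRET
 neighbor 198.51.100.1 prefix-list DEFAULT-ONLY in
 neighbor 198.51.100.1 route-map ISP-A-OUT out
 ! iBGP to router 2 so each router knows the other's exit; next-hop-self
 ! keeps the ISP link addresses out of the inside routing table.
 neighbor 192.0.2.3 remote-as 65001
 neighbor 192.0.2.3 description edge2 iBGP
 neighbor 192.0.2.3 next-hop-self
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip prefix-list OUR-ROUTES seq 5 permit 192.0.2.0/23
ip prefix-list OUR-ROUTES seq 10 permit 192.0.2.0/24
ip prefix-list OUR-AGG seq 5 permit 192.0.2.0/23
!
! ISP-A gets the aggregate plus the more-specific VPN /24, so inbound VPN
! traffic prefers this circuit while the /23 keeps it reachable via ISP-B.
route-map ISP-A-OUT permit 10
 match ip address prefix-list OUR-ROUTES
route-map ISP-A-OUT deny 20
!
! Router 2 applies this one to its ISP-B session instead: aggregate only,
! AS path prepended twice so the Internet prefers ISP-A while it is up.
! Prepending only biases the far end's choice; it is not a guarantee.
route-map ISP-B-OUT permit 10
 match ip address prefix-list OUR-AGG
 set as-path prepend 65001 65001
route-map ISP-B-OUT deny 20
!
! Policy routing on the inside interface: IKE and ESP leave via ISP-A. When
! Serial0/0 is down the next hop is unreachable, PBR is skipped, and the
! packets follow the normal (iBGP-learned) path out through router 2.
ip access-list extended IKE-IPSEC
 permit udp any any eq isakmp
 permit esp any any
!
route-map VPN-OUT-ISP-A permit 10
 match ip address IKE-IPSEC
 set ip next-hop 198.51.100.1
```

Two checks worth running once the sessions are up: `show ip bgp` on each
router should list 192.0.2.0/23 with both exits (one eBGP, one iBGP), and
`show ip bgp neighbors 198.51.100.1 advertised-routes` should show exactly
the /23 and the /24 and nothing learned from the other provider. Because
prepending is advisory and some providers override it with local
preference on customer routes, confirm the inbound split from an outside
looking glass before relying on it.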
