Tip

Configuration for transparently redundant firewalls

 

Configuration for transparently redundant firewalls
Vincent Jones

The goal of any network is communication. We can no longer be satisfied with simply sustaining communication, we need to do so safely and efficiently, according to networking expert Vincent Jones. Vincent Jones is the author of

Requires Free Membership to View

High Availability Networking with Cisco. And this tip from InformIT explains how to keep your network secure with a redundant firewall if a firewall or router goes down.

How the firewall appears to your routers, either as another router or as an end system, affect how the network can be designed. The tip is based on your routers viewing the firewall as another router.


Assume that each firewall will pass any legitimate Web traffic between any valid Internet address and the Web server at 100.0.0.99. On this network, you route to the public address of the Web server, and establish a default route that takes you back out to the outside world via a firewall. This mode of operation for the "inside" network is typical for a DMZ network.

Note that you need to configure the routing so that any specific user's requests and the responses to those requests will always be delivered to the same firewall. Otherwise, any state information associated with existing connections will be unavailable and browsing may be disrupted. While this service disruption is considered acceptable if the alternative is no service (as when switching firewalls to recover from a firewall or access LAN failure), it's not something you want as part of normal operation.

The key to recovering from firewall failure is the use of Border Gateway Protocol (BGP) to detect when a path through a firewall is available. By advertising a unique target address for each available path, you can trigger the appropriate floating static route to direct your production traffic. To provide protection against as many double faults as possible, define the four paths in Table 1. Keep in mind that failure of any access LAN is equivalent to failure of the firewall served by that LAN.

Table 1 Path Selection for Maximum Double Fault Tolerance Using Four Paths

PathInside RouterFirewall and LANsOutside Router
1Router R-1LAN_1 __Firewall F_1A __LAN_ARouter R-A
2Router R-1LAN_2 __Firewall F_2B __LAN_BRouter R-B
3Router R-2LAN_1 __Firewall F_1A __LAN_ARouter R-B
4Router R-3LAN_2 __Firewall F_2B __LAN_BRouter R-A

The critical concept behind this design is that, rather than using static routes pointing to a specific firewall service address to direct incoming and outgoing traffic to the appropriate firewall (and nowhere else), you instead use floating static routes that point to loopback interface addresses on the other side of the firewalls that you learn via BGP. When a path fails, the target address associated with that path becomes unreachable and a backup route using a different path floats into action. By careful selection of the route weights and sharing of local route information between routers, you minimize the potential for unnecessary changing of firewalls for any traffic flow.

The firewalls need to be configured to allow the exchange of BGP routing information. Network address translation can be used as desired without regard for explicit support by the firewalls for BGP traffic, because the addresses included inside BGP routing packets to provide next-hop information are ignored. Note also that you only need to provide a path for the BGP speaker on the inside to connect with the BGP speaker on the outside. If the BGP speakers on the outside routers don't support a passive (listen-only) option, this will cause false alarms during connection setup as the outside BGP speakers attempt to connect to their neighbors on the inside. The connection attempts will stop as soon as the inside speaker establishes a connection to the outside speaker, but could be annoying if an inside speaker fails.

You define target addresses on each of the four routers, one for each path to that router. Use address filters on your BGP advertisements to allow only the correct targets to be learned over each peering associated with any path. You then define floating static routes so that traffic to and from the DMZ Web server will always use path 1 or 3 if available and only use path 2 or 4 if there is no other choice. Note that for failure recovery to work, it's essential that the only way that the routers can learn a route to any of the target addresses on the other side of the firewall be through BGP.

Since BGP includes the address of the next hop to take as part of the route advertisement, you'll also need to configure your BGP speakers to override that address with the correct address for the firewall. The specific technique used will depend on the BGP implementation. The critical requirement is that you don't believe the next hop specified by the router on the other side of the firewall, as to do so would severely degrade the security protection provided by the firewalls.


Of course, there is more to it than just the how-to; read the background information at InformIT. Registration is required, but it is free.


This was first published in November 2001

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.