North American Network Operators Group


Re: Asymmetric Routing / Stateful Inspection Firewall

  • From: Patrick W. Gilmore
  • Date: Wed Mar 17 00:18:43 2004

I went to reply, but my e-mail client filled this in:

On Mar 16, 2004, at 9:27 PM, Mike Turner wrote:

<mime-attachment>
:)

Back on topic....

On Mar 16, 2004, at 9:27 PM, Mike Turner wrote:

            I am currently looking for a stateful inspection firewall that supports asymmetric routing – is there such a product? I cannot imagine that I am the only person with redundant Internet connectivity who would like to put firewalls near the edge of our network. Any thoughts / suggestions would be greatly appreciated!

How can a firewall perform a "stateful inspection" of packets coming in when it did not see the packets going out (or vice versa)?

If you have two links and need redundancy, get two firewalls which NAT and have each NAT IP on only one provider. As each packet goes out, it can only come back through the provider it left through, giving that firewall knowledge of both incoming and outgoing packets.

The firewalls will have to speak some type of routing protocol with your border routers, perhaps just listening to default. If ISP1 dies, Firewall1 will either have to send packets out a different NAT interface, or perhaps through Firewall2. And you'll have to make sure the border routers don't accidentally send NAT1 IP out ISP2's link.

But these are all solvable problems. Getting a firewall to do stateful inspection of one-sided conversations is not.

--
TTFN,
patrick
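As an added illustration (not part of Patrick's post or the thread), a toy Python model of the argument above: a stateful firewall only accepts a return packet whose forward flow it recorded, and NATting each firewall to its own provider's address forces replies back through that same firewall. All prefixes and hosts are constructed; the site's own prefix is assumed to be announced through both ISPs, with the remote network preferring ISP2.

```python
# Added example, not code from the thread: why asymmetric return traffic is
# dropped by a stateful firewall, and how one-NAT-IP-per-provider avoids it.
from dataclasses import dataclass, field
from typing import Optional

# Constructed addressing (assumed): 192.0.2.0/24 is the site's own prefix, announced
# via both ISPs; each ISP also assigns the site one address used only for NAT.
ISP_PREFIX = {"ISP1": "198.51.100.", "ISP2": "203.0.113."}
NAT_IP = {"FW1": "198.51.100.1", "FW2": "203.0.113.1"}   # one NAT IP per provider
ISP_TO_FW = {"ISP1": "FW1", "ISP2": "FW2"}               # FW1 sits behind ISP1, FW2 behind ISP2


@dataclass
class StatefulFirewall:
    name: str
    nat_ip: Optional[str] = None                 # None: internal address is routable as-is
    table: set = field(default_factory=set)      # flows seen leaving the network

    def outbound(self, src, sport, dst, dport):
        """Internal host opens a flow: record it, rewriting the source if NAT is on."""
        src_seen = self.nat_ip or src
        self.table.add((src_seen, sport, dst, dport))
        return (src_seen, sport, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Reply packet: accepted only if this firewall recorded the forward flow."""
        return (dst, dport, src, sport) in self.table


def return_path(dst_ip):
    """Which firewall a reply reaches. A provider-assigned address can only come
    back through that provider; the site's own prefix is announced by both ISPs,
    so the inbound path is the remote network's choice (modelled here as ISP2)."""
    for isp, prefix in ISP_PREFIX.items():
        if dst_ip.startswith(prefix):
            return ISP_TO_FW[isp]
    return "FW2"


def simulate(use_nat):
    """Host 192.0.2.5 sends via FW1/ISP1 (preferred default); return (arrival_fw, accepted)."""
    fws = {n: StatefulFirewall(n, NAT_IP[n] if use_nat else None) for n in ("FW1", "FW2")}
    src, sport, dst, dport = fws["FW1"].outbound("192.0.2.5", 40000, "10.10.10.80", 443)
    arrival_fw = return_path(src)
    accepted = fws[arrival_fw].inbound(dst, dport, src, sport)
    return arrival_fw, accepted


if __name__ == "__main__":
    print("no NAT :", simulate(use_nat=False))   # reply lands on FW2, no state -> dropped
    print("per-ISP NAT:", simulate(use_nat=True))   # reply returns to FW1 -> accepted
```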