Firewall Fundamentals

Because firewalls have become critical infrastructure components on the network, it is important to ensure that the firewall, and the functionality that it provides, is always available and accessible. Firewall high availability (HA) and redundancy are typically handled in one of two ways:

  • Active/passive failover

  • Active/active failover

Regardless of the failover method, firewall HA relies on implementing two firewalls in a parallel configuration. With an active/passive system, one firewall is actively passing traffic while the other firewall is completely passive and does not pass any traffic. If the active firewall fails for whatever reason, the passive firewall becomes the active firewall, allowing traffic to continue to be transmitted. With an active/active system, each firewall is able to pass traffic that is typically defined by separate and distinct security contexts. A security context is simply the firewall ruleset and functions that a physical firewall is responsible for at any given time. Figure 9-7 shows an active/active system.

Figure 9-7. Active/Active Failover Example

In this example, each firewall is the active firewall for its respective DMZ segment, Firewall1 for DMZ1 and Firewall2 for DMZ2. If for some reason Firewall2 were to fail, the traffic destined for DMZ2 would be redirected to Firewall1, which would then deliver it to DMZ2 accordingly. It is important to note that in most cases each firewall in an active/active configuration cannot pass the same traffic at the same time. For example, Firewall1 and Firewall2 cannot both be responsible for the same ruleset that permits traffic to the same DMZ segment. One firewall is the primary, and thus handles all the traffic (such as the case with Firewall1 and DMZ1 in Figure 9-7), and the other firewall is the secondary, and thus only handles the traffic if the primary fails (such as the case with Firewall2 and DMZ1 in Figure 9-7). The primary advantage of an active/active configuration is that you do not have an entire firewall and related hardware sitting unused except in the event that a failure occurs. An active/active configuration also allows you to perform some basic load balancing by placing some of the load on one firewall with the remaining load on the other firewall.
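As an added illustration (not from the book), the following small Python model captures the ownership rule described above: each security context lists a primary and a secondary firewall, only the first one that is currently up owns it, and an active/passive pair is simply the case where one firewall is primary for every context. Firewall and DMZ names follow Figure 9-7; the HaPair class and its methods are assumptions made for this example.

```python
class HaPair:
    """Two firewalls sharing security contexts (rulesets), as in Figure 9-7.

    contexts maps each context to (primary, secondary) firewall names; the
    first one that is up owns the context. owner() returns a single name, so
    a context is never passed by both firewalls at the same time.
    """
    def __init__(self, contexts):
        self.contexts = contexts
        # Assumed firewall names; True means the unit is up and passing traffic.
        self.up = {"Firewall1": True, "Firewall2": True}

    def owner(self, context):
        """Firewall responsible for the context now, or None if both failed."""
        for name in self.contexts[context]:
            if self.up[name]:
                return name
        return None

    def route(self, dst_context):
        """Firewall that will pass traffic destined for dst_context."""
        owner = self.owner(dst_context)
        if owner is None:
            raise RuntimeError(f"no firewall available for {dst_context}")
        return owner

    def load(self):
        """Contexts each firewall is carrying, i.e. the current load split."""
        split = {name: [] for name in self.up}
        for context in self.contexts:
            owner = self.owner(context)
            if owner is not None:
                split[owner].append(context)
        return split

    def fail(self, name):
        self.up[name] = False

    def restore(self, name):
        self.up[name] = True


def active_active_pair():
    """Figure 9-7: Firewall1 primary for DMZ1, Firewall2 primary for DMZ2."""
    return HaPair({"DMZ1": ("Firewall1", "Firewall2"),
                   "DMZ2": ("Firewall2", "Firewall1")})


def active_passive_pair():
    """Active/passive: Firewall1 owns every context until it fails."""
    return HaPair({"DMZ1": ("Firewall1", "Firewall2"),
                   "DMZ2": ("Firewall1", "Firewall2")})
```

Calling `fail("Firewall2")` on the active/active pair makes `load()` show both DMZs on Firewall1, which is the redirection the text describes; the active/passive pair shows Firewall2 carrying nothing until Firewall1 fails.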
