[68803] in North American Network Operators' Group
Re: Asymmetric Routing / Stateful Inspection Firewall
daemon@ATHENA.MIT.EDU (Patrick W.Gilmore)
Wed Mar 17 00:16:22 2004
In-Reply-To: <000001c40bc7$56f39d20$6401a8c0@msthome>
Cc: Patrick W.Gilmore <patrick@ianai.net>
From: Patrick W.Gilmore <patrick@ianai.net>
Date: Tue, 16 Mar 2004 23:17:50 -0500
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
I went to reply, but my e-mail client filled this in:
On Mar 16, 2004, at 9:27 PM, Mike Turner wrote:
> <mime-attachment>
:)
Back on topic....
On Mar 16, 2004, at 9:27 PM, Mike Turner wrote:
> I am currently looking for a stateful inspection firewall that supports
> asymmetric routing; is there such a product? I cannot imagine that I am
> the only person with redundant Internet connectivity that would like to
> put firewalls near the edge of our network. Any thoughts / suggestions
> would be greatly appreciated!
How can a firewall perform a "stateful inspection" of packets coming
in when it did not see the packets going out (or vice versa)?
If you have two links and need redundancy, get two firewalls which NAT,
and have each NAT IP belong to only one provider. As each packet goes out, it can
only come back through the provider it left through, giving that
firewall knowledge of both incoming and outgoing packets.
The firewalls will have to speak some type of routing protocol with
your border routers, perhaps just listening to default. If ISP1 dies,
Firewall1 will either have to send packets out a different NAT
interface, or perhaps through Firewall2. And you'll have to make sure
the border routers don't accidentally send NAT1's IP out ISP2's link.
But these are all solvable problems. Getting a firewall to do stateful
inspection of one-sided conversations is not.
-- 
TTFN,
patrick