Other High Availability Methods


So far, we've been discussing some generic High Availability configurations, and we've only mentioned using the Check Point HA module. There are, however, other ways to accomplish the task of HA. Many vendors have developed HA solutions for Check Point VPN-1/FW-1, and some of them are very good. Stonesoft (www.stonesoft.com) is one of the more established players in this market with their StoneBeat FullCluster product, which provides both HA and load balancing. Another popular choice is RainWall from Rainfinity (www.rainfinity.com). You can see a full listing of Check Point OPSEC certified products at www.opsec.com. Discussion of the configuration for each of these products is beyond the scope of this book.

Routing Failover

Another failover method is to use a routing protocol to move traffic around a downed firewall. The most popular way of implementing this is the Virtual Router Redundancy Protocol (VRRP). We only know of one platform that currently supports VRRP, and that is the excellent Nokia appliance. For those readers with a networking background, think of VRRP as a takeoff on Hot Standby Routing Protocol (HSRP), or. The firewall software will still have to take over the duties of state synchronization, but that is no different from the HA solutions we've looked at so far.

Configuration of VRRP is outside the scope of this text, but we can discuss some of the more general points that you'll be dealing with. First, you need to decide which version of VRRP you want to implement. There are two versions in common use: VRRP v2 and VRRP Monitored Circuit. Unless you have a pressing need to use VRRP v2 (address space exhaustion, backward compatibility, and so forth), you should opt for Monitored Circuit. In either configuration, you may experience problems with asymmetric routing.

One of the main differences between v2 and Monitored Circuit is the convergence time, that is, the time it takes for a failure to be detected and corrected. In earlier versions of IPSO, convergence time could be over eight seconds. Using Monitored Circuit, the convergence time is less than one second.

Like HSRP, VRRP uses hello messages, sent at a default interval of one second to a multicast destination (which must be allowed in the rule base), by which each gateway announces its status. This hello message includes a priority, which is used to determine which gateway should be the active member of the cluster. If the primary machine detects a failed interface, for example, it decrements its priority, thus notifying the backup gateway to take over the cluster. Remember to include all of the firewall interfaces in the tracking list: it wouldn't do much good if the outside interface were down but not tracked, while the inside interface was still taking traffic.
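To make the interface-tracking point concrete, here is a small Python model of the priority election, added here and not code from the book or from Nokia IPSO: each gateway advertises its base priority minus a penalty for every failed interface it tracks, the highest advertised priority becomes master, and a master with a down interface is a black hole. The gateway names, interface names, base priorities and the per-interface decrement are assumed values.

```python
from dataclasses import dataclass

# Priority penalty applied per failed tracked interface (assumed value; IPSO lets you configure it).
TRACK_DECREMENT = 20


@dataclass
class Gateway:
    """One cluster member: base priority, interface states, and the interfaces it tracks."""
    name: str
    base_priority: int
    interfaces: dict   # interface name -> True (up) / False (down)
    tracked: set       # interfaces whose failure lowers the advertised priority

    def advertised_priority(self) -> int:
        # Only a failed *tracked* interface shows up in the hello message;
        # an untracked failure is invisible to the peer.
        failed = sum(1 for iface in self.tracked if not self.interfaces.get(iface, False))
        return max(1, self.base_priority - failed * TRACK_DECREMENT)

    def forwards_traffic(self) -> bool:
        # A master can only pass traffic end to end if every interface is up.
        return all(self.interfaces.values())


def elect_master(gateways):
    """Highest advertised priority wins; the name stands in for VRRP's IP-address tiebreak."""
    return max(gateways, key=lambda g: (g.advertised_priority(), g.name))


def blackhole_risk(gateways) -> bool:
    """True if the elected master has a down interface: it wins the election but drops traffic."""
    return not elect_master(gateways).forwards_traffic()


def scenario(track_outside: bool):
    """Constructed scenario: the primary's outside interface fails. Is that interface tracked?"""
    tracked = {"inside"} | ({"outside"} if track_outside else set())
    primary = Gateway("fw1", 110, {"inside": True, "outside": False}, tracked)
    backup = Gateway("fw2", 100, {"inside": True, "outside": True}, {"inside", "outside"})
    master = elect_master([primary, backup])
    return master.name, blackhole_risk([primary, backup])


if __name__ == "__main__":
    print("outside untracked:", scenario(False))  # fw1 stays master, traffic black-holed
    print("outside tracked:  ", scenario(True))   # fw2 takes over, traffic flows
```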

Hardware Options

A final method that we want to touch on briefly is the use of an external, hardware-based solution. Examples of these abound, and their usefulness varies… caveat emptor. One of the main disadvantages of hardware-based load balancers or HA solutions is that they generally introduce a single point of failure, which in essence is counter-productive. Generally, the mean time between failures (MTBF) of these units far exceeds that of the standard server machine, but we've rebooted far too many of these things to feel really comfortable with them. Also, most of these products don't really offer a true highly available solution. Load balancing with a health-checking option (which will direct packets around a downed unit) is the best you can expect, which is still pretty good.

One notable exception is the Foundry ServerIron XL content switch. This product was the first to be OPSEC-certified to provide full fail-over support, including the fail-over of active VPN sessions. ServerIron also supports clustering and synchronization of its load balancers, so that they are not a single point of failure. Also, the configuration commands for this switch are nearly identical to those of the Cisco IOS, which makes the learning curve simpler. You can get more information at www.opsec.com.


The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240