High-Availability Firewalls
If you are providing access to critical information, you need to make sure users can get that access at all times. High-availability firewalls are part of the redundant network architecture, so high availability is a critical feature in all the firewalls we tested. Traditionally, a high-availability firewall has been implemented as a firewall "sandwich," where external load-balancers push traffic down different paths through a firewall to optimize performance.
A useful side effect is that if one firewall fails, the load-balancers detect the failure and shuttle all traffic to the remaining firewall. Of course, the sessions on the failed firewall die with it, but at least users can reconnect. That is stateless failover, and for many common applications, such as Web surfing and e-mail, stateless failover is adequate because each connection is short lived.
However, for applications that maintain long-duration connections, such as file transfers, interactive sessions like telnet, and videoconferencing, stateless failover severely disrupts users. Stateful failover, which was a requirement for this review, instead preserves session state, typically by synchronizing it over a dedicated circuit. When the primary firewall fails, the secondary takes over with little disruption to sessions. The key to stateful firewall failover is that the primary firewall updates the secondary firewall with all policy and configuration changes as well as with its state tables.
However, not all stateful failover is created equal. Contributors Brian Eirich and Greg Shipley found during testing that their Check Point 2000 installation on Nokia IP530s couldn't withstand the 100,000-failover-session tests. They also found that active state sharing of HTTP connections doesn't get much return for the extra load placed on the firewall. This is because HTTP is made up of many short-lived connections, all of which must be synchronized to the secondary firewall.
In addition, the time the secondary firewall takes to determine that the primary has failed, from less than a second to several seconds, can affect performance. There isn't much chance of firewall flap, a condition similar to router flap, in which the firewall cycles between online and offline and disrupts service: in most cases, once the secondary firewall has taken over, it retains control regardless of what the primary does.
Active failover keeps connections running smoothly. However, active failover can impact your bottom line, because you have a piece of expensive hardware doing nothing. Factor in the cost of downtime in the event of firewall failure to get an accurate picture of ROI (return on investment).
Centrally Managed SOHO Firewalls
Because they are a value-added service, centrally managed firewalls are a natural fit for ISPs and ASPs. Given the relatively low cost of hardware vs. the relatively high probability that customers are vulnerable to attacks, offering a firewall service is a no-brainer. Before you start counting your profits, though, keep three key aspects in mind when selecting a firewall vendor: bulk provisioning; tiered, distributed management; and hardware costs.
Preparing a firewall involves setting up the networks, defining the location of the management server and setting an initial policy. Streamlining that process will lower the cost of deployment. Products today typically require the service provider to configure each piece of hardware before shipping it out, which adds time to the process. Tangentially, when a firewall suffers an unrecoverable failure, the hardware also has to be similarly configured and shipped.
Once the firewalls are distributed, the ongoing management begins. Administering large numbers of distributed firewalls requires management stations that allow bulk configurations to be made with a simple process. For example, setting the same policy on 50 firewalls should require no more effort than setting that policy on one firewall.
Reporting and status monitoring are equally important. A service provider wants to be proactive in management, and that means getting reporting and monitoring tools that provide summary status information as well as detailed logs. If a firewall begins to go south, repairing or replacing it before it fails will earn customer satisfaction and loyalty.
And we can't forget per-unit price, possibly the most visible part of any large-scale purchase. A low price is desirable, but match the features to the price carefully. While 1,000 Nortel Contivitys cost around $500,000, compared with the SonicWall XPRS2's $1.8 million price tag, SonicWall's additional security features provide added revenue streams via licensing.