Security
FEATURE
Cisco Cures the Chicago Blues

  November 12, 2001
  By Brian Eirich and Greg Shipley



What to Look for

Different organizations have different needs, but there are some items every organization should consider when choosing an HA firewall:

>>  Failover capabilities. There are two primary types of failover: stateful failover, in which existing sessions should not be dropped, and stateless failover, in which sessions are dropped, but connections can be re-established. The two primary models of achieving either are hot standby models (one firewall is active, one is in standby) and load-sharing models (two or more firewalls are active at all times). All the firewalls we tested support hot standby, but the active-active load-sharing functionality found in products like the NetScreen-1000 is more rare. We opted to test using the hot-standby configurations (see "High-Availability Firewall Test Environment," below).



High-Availability Firewall Test Environment (figure)

>>  Monitoring. In the HA firewall space, especially when you're using a load-sharing firewall solution, monitoring is critical. For example, many organizations fail to realize the implications of putting two firewall units in a load-balanced or active/active configuration without carefully monitoring utilization loads. The moment utilization rates peak above 50 percent per firewall, you cease to have a redundant solution and start to enter a danger zone. Why? Because if two firewalls are at 60 percent utilization levels and one fails, the second firewall is expected to operate at 120 percent capacity. Upon unit failure, at best, connections will come to a crawl. At worst, all connectivity will come to a screeching halt as the second firewall keels over and joins the first. The only exception to this is with the relatively new "cluster" models, like Stonesoft's firewall offering.

It is for this reason that we usually recommend organizations use and test standby configurations unless they absolutely need the load-sharing model. Either way, the ability to monitor CPU, memory, synchronization and interface load levels easily is paramount in operating successful HA firewall configurations.
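The capacity rule from the monitoring discussion above, as an added worked example that is not part of the original article: it projects the per-unit load a cluster would carry after one member fails and flags the 50-percent-per-unit danger zone. The rule is generalised from the pair in the text to N units, the sample readings are constructed, and treating a unit's load as the maximum of its CPU, memory and interface utilisation is a simplifying assumption.

```python
from dataclasses import dataclass


@dataclass
class FirewallSample:
    """One polling sample for one cluster member (constructed data, not real)."""
    name: str
    cpu_pct: float
    mem_pct: float
    iface_pct: float   # busiest interface, percent of line rate
    active: bool       # True if the unit is currently forwarding traffic

    def load(self) -> float:
        # Assumption: the most constrained resource is the unit's effective load.
        return max(self.cpu_pct, self.mem_pct, self.iface_pct)


def max_safe_load(n_units: int) -> float:
    """Highest per-unit load at which the loss of one unit can still be absorbed.

    For a pair this is the article's 50 percent; for three units it is 66.7 percent.
    """
    return 100.0 * (n_units - 1) / n_units


def projected_load_after_failure(samples):
    """Per-unit load once one active unit fails and its traffic is spread evenly
    over the survivors (standby units start forwarding). None if nothing survives."""
    survivors = len(samples) - 1
    if survivors < 1:
        return None
    total = sum(s.load() for s in samples if s.active)
    return total / survivors


def assess(samples) -> str:
    """Return 'no_redundancy', 'redundant' or 'danger_zone' for a cluster."""
    projected = projected_load_after_failure(samples)
    if projected is None:
        return "no_redundancy"
    return "redundant" if projected <= 100.0 else "danger_zone"


# Constructed readings: the article's two-units-at-60-percent scenario in both models.
ACTIVE_ACTIVE_PAIR = [
    FirewallSample("fw-a", 60, 40, 55, True),
    FirewallSample("fw-b", 60, 45, 58, True),
]
HOT_STANDBY_PAIR = [
    FirewallSample("fw-a", 60, 40, 55, True),
    FirewallSample("fw-b", 5, 38, 0, False),
]
```

Feeding real SNMP or syslog-derived utilisation figures into `FirewallSample` turns this into a scheduled check that alerts before a unit failure becomes an outage.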



Optimal High-Availability Firewall Environment (figure)

>>  Management mechanisms. Many security problems are the result of product misconfiguration, which often comes from good, old-fashioned confusion. Having a clear understanding of how to manage your HA firewall solution is key to its reliable performance. However, this understanding is often specific to the skill set and preferences of the firewall administrator. For example, administrators accustomed to configuring the Cisco PIX via the CLI (command-line interface) might struggle with creating items such as one-to-one NAT rules using the Lucent Brick's Navigator Win32 application. Make sure you are comfortable with and understand the management platform of the firewall solution you pick.

>>  Firewall design, tools and accessibility. Many organizations seem to forget that firewalls are designed to be security devices. A good firewall should keep bad packets out of protected networks. For a successful HA deployment, you also must be able to troubleshoot problems. This requires secure remote access to the console, troubleshooting and debug commands, and the ability to watch traffic when you're trying to get to the bottom of rule-set problems. The Lucent Bricks, for example, don't have any functional remote console access. Lucent says its customers applaud this lack of remote console access. While some might agree with that position, we're skeptical. Most of our real-world experience has dictated that the ability to perform console-centric troubleshooting tasks, such as packet dumping, is essential, especially for remotely managed units.



High-Availability Firewalls (features chart)

>>  Price-performance. It's the grand pooh-bah of limiters -- the price tag. One thing that was quite apparent during the dot-com craze was that many organizations overestimated their requirements. Often companies would purchase carrier-class routers, ridiculous switches and systems that would never reach more than 10 percent utilization. At the same time, underestimating requirements could be a business-crippling move as well. The cost difference between gigabit-equipped firewalls and their 100-Mbps cousins is vast. Organizations should make sure they're going to need gigabit performance before making the investment. However, some 100-Mbps environments will benefit from the greater horsepower that the gig devices provide. We hope some of our testing results can help serve as a guideline.

After spending months with these devices, our comfort level is highest with the Cisco and NetScreen solutions. Call it engineer's intuition, but simply put, they gave us the fewest problems, held up under testing loads and perform some important under-the-hood security functions not found in the other products we tested.

