Check Point Firewall HA Using a Single Internet Connection and Rainfinity HA Software

Network Description: Building a redundant firewall with RainWall (single Internet connection)
Authors: Mark Decker, Sonny Aulakh (Rainfinity)
Details: In the following network implementation, RainWall boosts the availability, reliability, and performance of a Check Point firewall. This particular configuration uses two firewall clusters. The first cluster (Firewall01 and Firewall02), between the Internet and the Web server, limits the ports and protocols that outsiders can reach. A second pair of firewalls (Firewall03 and Firewall04), between the Web site and the corporate network, protects the mission-critical backend corporate servers and data from external requests. In this way, the public servers sit in their own network space, isolated from the rest of the corporate systems. This is the classic DMZ architecture: the Web servers are on their own subnet that is exposed to the Internet, while the rest of the corporate resources stay behind a second firewall with tightly controlled access.

The firewalls share state information on the xxx.xxx.100.0 subnet for the first cluster and subnet xxx.xxx.202.0 for the second cluster. These subnets are also used for RainWall communication between nodes.

RainWall is a software-only solution that is installed directly on the firewall. With RainWall, one or more Virtual IP Addresses (VIPs) are associated with each of the firewall’s network interfaces. VIPs appear to be normal IP addresses belonging to a particular machine, but RainWall can move VIPs between machines in a cluster to achieve load balancing and failover.

VIPs are associated with the firewall’s internal as well as external network connections. One advantage of this is that if a NIC fails or a firewall host goes down, RainWall simply switches its VIPs to a working node and the network sessions continue, because sessions are not tied to a specific NIC’s IP address. In addition, having multiple VIPs allows RainWall to perform VIP-based load balancing by moving VIPs to the least-used NIC.

Performance: By configuring Rainfinity’s RainWall with multiple virtual IP (VIP) addresses per subnet, the firewall system becomes far more scalable. The per-VIP load balancing algorithm used in Asymmetric mode is coarse grained, yet extremely efficient, so this mode gives the greatest scalability with the least overhead. Asymmetric routing of traffic also improves load balancing, since return traffic can traverse a different node than the one it entered through.
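The per-VIP mechanism described above, as an added toy model that is not Rainfinity's code: whole VIPs (never single sessions) move to the least-used NIC, and on a node failure every VIP that node held moves to a surviving node. The node, interface and VIP names and the session counts are constructed for the example.

```python
class VipCluster:
    def __init__(self, nodes):
        self.up = {n: True for n in nodes}  # node name -> still alive?
        self.vips = {}                       # vip -> (node, iface) that currently holds it
        self.sessions = {}                   # vip -> sessions riding on that VIP (its load)

    def bind(self, vip, node, iface, sessions=0):
        self.vips[vip] = (node, iface)
        self.sessions[vip] = sessions

    def nic_load(self, node, iface):
        """Load on one NIC is the sum over the VIPs bound to it (per-VIP accounting)."""
        return sum(s for v, s in self.sessions.items() if self.vips[v] == (node, iface))

    def least_used(self, iface):
        alive = [n for n, ok in self.up.items() if ok]
        if not alive:
            raise RuntimeError("no surviving node: VIPs on %s are unreachable" % iface)
        return min(alive, key=lambda n: self.nic_load(n, iface))

    def fail(self, node):
        """Host/NIC failure: VIPs move to the least-used survivor; sessions follow them
        because the nodes shared state beforehand."""
        self.up[node] = False
        moved = {}
        for vip, (holder, iface) in list(self.vips.items()):
            if holder == node:
                target = self.least_used(iface)
                self.vips[vip] = (target, iface)
                moved[vip] = target
        return moved

    def rebalance(self, iface):
        """Coarse-grained (Asymmetric-mode style) balancing: shift whole VIPs from the
        busiest NIC to the least-used one while that narrows the load spread."""
        moves = []
        while True:
            idle = self.least_used(iface)
            alive = [n for n, ok in self.up.items() if ok]
            busy = max(alive, key=lambda n: self.nic_load(n, iface))
            spread = self.nic_load(busy, iface) - self.nic_load(idle, iface)
            candidates = [v for v, loc in self.vips.items()
                          if loc == (busy, iface) and self.sessions[v] > 0]
            if not candidates:
                return moves
            vip = min(candidates, key=lambda v: self.sessions[v])
            if self.sessions[vip] >= spread:  # moving it would not narrow the spread
                return moves
            self.vips[vip] = (idle, iface)
            moves.append((vip, busy, idle))
```

Because balancing works in units of whole VIPs, the achievable balance is only as fine as the VIP sizes, which is the trade-off the text calls coarse grained.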

Networks that do not require high throughput can be deployed in a single-VIP Symmetric mode. In Symmetric mode, RainWall routes all traffic symmetrically and load balances on a per-connection basis (or per-tunnel in the case of VPN), in addition to the per-VIP method. Symmetric mode introduces network overhead not present in Asymmetric mode, so overall throughput in this mode may not be as high. The performance impact of the added network overhead should be minimal in a full-duplex switched environment, but may be significant in a shared-hub environment. Symmetric mode is enabled with the symRouteOn option in the rainwall.cfg file.

For more information on Rainfinity’s product line, please visit www.rainfinity.com

[Image: Rainfinity-HAdesign1.gif]