Network Hardware Firewalls Buyers Guide
Fault Tolerance and Resilience
Page 4
Today it is vital that a firewall can cope with unexpected problems. You may encounter issues with the hardware itself, such as an interface fault, power supply failure, etc. Below are a few things to think about when looking for a firewall that can provide good stability and fault tolerance.
Do you require redundant hardware, extra power supplies, and fans? Does the firewall hardware provide hardware redundancy?
In particular, the high-end firewalls targeted at larger companies come with redundant hot-swappable hardware such as a spare fan, spare power supply, NIC card, hard drive, etc. This helps reduce downtime if a fan or a power supply fails within your appliance: the failed part can be replaced while the backup hardware carries on. With parts usually being hot-swappable, you would not need to shut the firewall down when replacing the failed part.
Does the firewall support High Availability? Do you require Firewall redundancy and failover?
High availability eliminates the firewall as a single point of failure by adding redundancy to the network. By configuring two firewalls for high availability, if your primary firewall fails the secondary firewall takes over and becomes active. This ensures that if you do experience a complete firewall failure your secondary firewall takes over, eliminating any downtime. This type of setup is known as active/passive mode, as your primary firewall is active and processing traffic while the secondary firewall is in passive mode. While in passive mode the secondary firewall does not process any traffic; it only becomes active when a failover occurs because the primary firewall has failed.
Firewalls today also support active/active mode, where both firewalls process traffic and, if one firewall fails, the other processes all traffic. So it’s a mixture of high availability, failover, redundancy and load balancing all in one.
Do you require redundant physical connections to different internet service providers?
By connecting two different ISPs to two separate interfaces on a firewall you are providing redundancy: if the primary ISP fails, the second one becomes active and your firewall traffic passes through the second interface. Here you are looking for dual or multi-WAN support. Some firewall vendors support multi-WAN load balancing, where both connections are utilised at the same time and, if one fails, all traffic is processed by the remaining connection.
Do you need VPN redundancy?
If you have two or more WAN connections then you may be able to set up redundant VPN connections as well.
This functionality is also known as route-based VPN, where you can set up VPN routes. Your VPN uses a high-priority route and, if that route fails, it takes another route.
With two or more WAN connections physically connected to two separate interfaces on your firewall, route-based VPN provides VPN redundancy. If one of your ISPs fails, the second interface becomes active and your VPN is processed by the second interface.
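The multi-WAN load balancing and route-based VPN failover behaviour described above, as an added Python model written for this guide (it is not vendor code or configuration); the link names, tunnel name and priorities are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional
import zlib


@dataclass
class WanLink:
    name: str
    up: bool = True          # link/ISP health as seen by the firewall


@dataclass
class VpnRoute:
    tunnel: str              # remote VPN peer this route reaches
    link: str                # WAN link the tunnel rides on
    priority: int            # lower number = preferred route


@dataclass
class MultiWanFirewall:
    links: dict[str, WanLink]
    vpn_routes: list[VpnRoute] = field(default_factory=list)

    def set_link(self, name: str, up: bool) -> None:
        self.links[name].up = up

    def healthy_links(self) -> list[str]:
        return sorted(l.name for l in self.links.values() if l.up)

    def pick_link(self, flow_id: str) -> Optional[str]:
        """Multi-WAN load balancing: spread flows over healthy links by hash.
        When only one link is left, every flow lands on it; None if all are down."""
        healthy = self.healthy_links()
        if not healthy:
            return None
        return healthy[zlib.crc32(flow_id.encode()) % len(healthy)]

    def pick_vpn_route(self, tunnel: str) -> Optional[VpnRoute]:
        """Route-based VPN: best-priority route whose WAN link is still up."""
        usable = [r for r in self.vpn_routes
                  if r.tunnel == tunnel and self.links[r.link].up]
        return min(usable, key=lambda r: r.priority, default=None)


def build_demo_firewall() -> MultiWanFirewall:
    # Constructed example: two ISPs, one VPN tunnel with a route over each.
    return MultiWanFirewall(
        links={"wan1": WanLink("wan1"), "wan2": WanLink("wan2")},
        vpn_routes=[VpnRoute("branch-office", "wan1", 10),
                    VpnRoute("branch-office", "wan2", 20)],
    )
```

Flipping `wan1` down with `set_link` moves the VPN to the `wan2` route and collapses all flows onto `wan2`; with both links down both selectors return `None`, which is the case a real deployment must alarm on.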
Do you require alternative transport options?
You may need alternative transport options such as ADSL, T1, ISDN, serial, 3G, etc., so you would need to investigate whether and how your firewall supports these types of WAN connections.