Budget No-Single-Point-Of-Failure Firewall Configuration

We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure. Hosting a SaaS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound traffic flowing.

We settled on the SonicWall UTM 2400 firewall. Aside from all the normal security appliance bells and whistles (IPS, AV, content filtering, etc.), the 2400 series offered some features specifically for high availability.

The 2400 UTM can be quickly and easily clustered into an active/passive arrangement. Failover is fast (1-2 seconds), though not real-time. But for web applications, it seems to get the job done.

Providing six physical Ethernet ports, two can be dedicated to different ISP connections. We combined a cheap ($40/mo) DSL line with our 15 Mb metro fiber pipe to provide backup.

We placed two simple switches between our ISP routers and the firewalls, so each router is connected to each firewall. In this manner, a failure of the ISP, router, switch, or firewall would all be caught and initiate failover.

The SonicWall supports multiple methods for keeping links alive. We set each firewall to ping Google's DNS server (8.8.8.8). After five failed attempts one second apart, the path that failed is considered "down" and failover is initiated. However, the firewall is smart enough to NOT fail over if BOTH paths are down (i.e., if the ping target itself is offline rather than the link).
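The probe-based decision described above (a path is declared down after five consecutive failed pings, and failover is suppressed when every path fails at once because that usually means the probe target is unreachable, not the link) can be modelled in a few lines. The following is an added illustration written for this article, not SonicWall code; the path names `fiber` and `dsl`, the threshold constant and the fail-back-on-first-success policy are assumptions, and the probe results are constructed.

```python
"""Simulated dual-WAN failover decision logic, modelled on the probe
behaviour described in the article.  Added illustration, not vendor code;
thresholds, path names and the fail-back policy are assumptions."""

from dataclasses import dataclass, field

FAIL_THRESHOLD = 5  # consecutive failed probes before a path is "down" (from the article)

BOTH_DOWN_MSG = "both paths failing probes: no failover (target likely down)"


@dataclass
class WanPath:
    name: str
    consecutive_failures: int = 0

    def record(self, probe_ok: bool) -> None:
        # A successful probe resets the counter; a failure increments it.
        self.consecutive_failures = 0 if probe_ok else self.consecutive_failures + 1

    @property
    def is_down(self) -> bool:
        return self.consecutive_failures >= FAIL_THRESHOLD


@dataclass
class FailoverMonitor:
    primary: WanPath
    backup: WanPath
    active: str = field(init=False)
    events: list = field(default_factory=list)

    def __post_init__(self) -> None:
        self.active = self.primary.name

    def _log(self, msg: str) -> None:
        # Suppress repeated identical events so a long outage logs once.
        if not self.events or self.events[-1] != msg:
            self.events.append(msg)

    def step(self, primary_ok: bool, backup_ok: bool) -> str:
        """Feed one probe round (one ping result per path); return the active path."""
        self.primary.record(primary_ok)
        self.backup.record(backup_ok)
        if self.primary.is_down and self.backup.is_down:
            # Both paths failed: the probe target is probably offline, so stay
            # put rather than flapping onto an equally "dead" link.
            self._log(BOTH_DOWN_MSG)
            return self.active
        if self.active == self.primary.name and self.primary.is_down:
            self.active = self.backup.name
            self._log(f"failover: {self.primary.name} -> {self.backup.name}")
        elif self.active == self.backup.name and not self.primary.is_down:
            # Assumed policy: fail back as soon as the primary answers probes again.
            self.active = self.primary.name
            self._log(f"failback: {self.backup.name} -> {self.primary.name}")
        return self.active


def run_scenario(probe_rounds):
    """probe_rounds: list of (primary_ok, backup_ok) tuples, one per second.
    Returns (active path after each round, event log)."""
    mon = FailoverMonitor(WanPath("fiber"), WanPath("dsl"))
    actives = [mon.step(p, b) for p, b in probe_rounds]
    return actives, mon.events


if __name__ == "__main__":
    # Constructed scenario 1: fiber link dies, DSL keeps answering.
    print(run_scenario([(True, True)] * 4 + [(False, True)] * 6))
    # Constructed scenario 2: the probe target dies; both paths fail -> no failover.
    print(run_scenario([(False, False)] * 6))
```

Scenario 1 switches to the DSL path on the fifth consecutive failure, while scenario 2 stays on fiber and logs a single "target likely down" event; if you adapt this to a real monitor, probing more than one target per path is the usual way to make the both-down heuristic less fragile.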
Behind the firewall, we have a clustered core switch for primary LAN connectivity. We also use VMware clustering with multiple web servers on the VMware cluster. The SonicWall has a basic inbound load balancing feature that distributes port 80 requests across the web servers. If one of them stops responding for more than five attempts, it is considered down, and all inbound web traffic is routed to the alternate web server.

We also use EasyDNS to provide DNS hosting for $20/mo. In the event of an ISP outage, DNS is required to provide an alternate inbound route for web traffic. In the "beta" features at EasyDNS, you'll find a small feature that constantly probes a web service and, should it fail, updates your DNS to point traffic in on your backup link. In our case, if our 15 Mb metro fiber link goes down, our domain name gets redirected to our DSL ISP's IP range and traffic is sent in that way. It's a lot slower, but at least it works. EasyDNS also sends real-time email alerts when this happens.

With this combination, including some poorly documented features, we were able to spend very little money while providing near-enterprise levels of reliability. In fact, we replaced a larger "enterprise" firewall and load balancer with this SonicWall 2400 UTM cluster. Performance is better, management is simpler, and it cost less than renewing support for my old systems for one year.
Author: sunstoned
