Firewall high availability

 

A WebSphere production system usually includes at least one firewall, and two firewalls are commonly used to create a demilitarized zone (DMZ) that further protects the WebSphere system. If the firewall fails, customers cannot reach any services and the site may be exposed to attacks. Firewall availability is therefore an important part of the overall availability of the WebSphere system.

A highly available firewall environment, for example with IBM SecureWay® eNetwork firewall or CheckPoint VPN-1/FireWall-1, can be built by running two separate firewalls on two hosts. CheckPoint VPN-1/FireWall-1 provides several HA features, such as state synchronization between the firewall modules, which allows active connections to continue after a failover. However, VPN-1/FireWall-1 has no built-in mechanism to synchronize the security policy (filter rules and users) across two VPN-1/FireWall-1 management stations, so the management workstation remains a single point of failure.

In this section, we discuss two advanced solutions:

- Building an HA firewall with clustering software such as HACMP, MC/ServiceGuard, Sun Cluster, or MSCS.
- Building an HA firewall with a network sprayer such as the WebSphere Edge Components' Load Balancer.
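Because the product does not synchronize the security policy between the two management stations, an operator needs an out-of-band check that the two rule bases have not drifted apart. The following is an added example, not code from the Redbook or from Check Point; it assumes a constructed one-rule-per-line export format rather than the product's real one.

```python
# Added example (not from the Redbook or from Check Point): compare the rule
# bases exported from two firewall management stations, since the text notes
# that VPN-1/FireWall-1 does not synchronize the security policy between them.
# The 'src dst service action' line format is constructed for illustration,
# not the product's real export format.

def parse_rules(text):
    """Parse rule lines into (src, dst, service, action) tuples.
    '#' starts a comment. Order is preserved: firewalls evaluate rules
    top-down, so rule order is part of the policy, not just the rule set."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.lower().split()
        if len(fields) != 4:
            raise ValueError("malformed rule: %r" % line)
        rules.append(tuple(fields))
    return rules

def policy_drift(primary, secondary):
    """Report how the secondary station's policy differs from the primary's."""
    a, b = parse_rules(primary), parse_rules(secondary)
    return {
        "missing_on_secondary": [r for r in a if r not in b],
        "extra_on_secondary": [r for r in b if r not in a],
        "order_differs": set(a) == set(b) and a != b,
        "in_sync": a == b,
    }

# Constructed sample exports from the two management stations.
PRIMARY = """
any      dmz-web  http  accept
dmz-web  db-net   db2   accept
any      any      any   drop
"""
SECONDARY = """
any      dmz-web  http    accept
any      dmz-web  telnet  accept   # present on one station only
any      any      any     drop
"""

if __name__ == "__main__":
    for key, value in policy_drift(PRIMARY, SECONDARY).items():
        print(key, value)
```

Run the comparison from a scheduled job after every policy install on either station; a non-empty difference or a reordered rule base is the condition that a failover to the other station would silently change what traffic is accepted.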
