
List:       firewalls-gc
Subject:    Re: Highly available Internet connection
From:       Todd Truitt <Todd.Truitt () evolving ! com>
Date:       1997-01-29 21:51:58

-----BEGIN PGP SIGNED MESSAGE-----

'Starkweather, Mike once said:'
> My company wants to move toward Electronic Commerce on the Internet. 
>  One of the requirements would be a highly available, secure 
> connection.  One of the ideas I have considered is two firewalls going 
> out over two routers to two wide area links to two ISPs.  This is a 
> pretty brute force approach.

Definitely.

> Does anyone have any ideas to share on how we might build an Internet 
> connection that would approach 100 percent availability?

The above would work, barring:

1.  the two ISPs you've connected to are not connected to the
	same network.  

2.  your local network's redundancy policies, or lack thereof.

I would look into contacting ISPs that are connected to different networks
or are redundantly connected, which offer frame-relay connections.  Then
I would use the "belt and suspenders" approach with two 25xx's as my external
routers using a fully meshed DLCI design to the two different ISPs.  I
would choose a routing protocol which load balances (OSPF or EIGRP) and
would look into HSRP as well. The load balancing is crucial to make the most
out of your bandwidth while also getting the bargain of FR pricing.
If your ISP doesn't offer FR connections, then look into multipoint T-1
lines from your LEC.  If you can't do that try getting T-1s (point-to-point)
from each 25xx to their primary ISP (relative depending on which 25xx you're
referring to) with a DDR ISDN-PRI (backup only....cost, you know) to
their secondary ISP (relative again).

Make sure your firewall either:

boots off of a diskette which is ejected upon boot, like the PIX, or
has a secondary disk which you've "dd'd" the configuration to.  I say this
because if your firewall becomes corrupted, you can either stick in the
diskette and reboot or do a "ok> boot disk 2" and have a completely
rebuilt firewall in minutes, which leaves you hours of time to fix your
disk or analyze your logs without users screaming down your neck.


Cheers,

- --Todd



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBMvAo6c9y1J+ua2vxAQEn1wL+JxTs9IJNmzyMVOjy/hYUwsvNVUlQJDdD
xn7KfUJF5YN3qiPoiYbUR1wu6VPezreVjWYCZ74EFsq8pZAo3QgjVaf8XJRteZ0j
yfzmpdcdoqivt/FQVb4Gg6ndF6cSt789
=FBa/
-----END PGP SIGNATURE-----
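
The secondary-disk recovery described in the message above, sketched as an added example that is not part of the original post: clone the firewall's primary disk to a standby with dd, then verify the standby so you know it is bootable-as-copied and not stale. The function names are hypothetical, the paths are supplied by the caller, and GNU coreutils (`sha256sum`, `head -c`) are assumed.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Usage: clone_disk <primary> <standby>    then later: verify_standby <primary> <standby>
# Works on block devices or on plain image files (used for testing).

# Size in bytes. wc reads the whole input if it has to, so this also
# works on block devices, just slowly.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# SHA-256 of the first $2 bytes of $1.
hash_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# Succeeds only if the standby still holds an exact copy of the primary.
# A standby larger than the primary is fine: only the primary's length
# is compared. Failure means the primary changed since the last clone
# (a config change or corruption) or the copy itself is bad.
verify_standby() {
    n=$(size_of "$1")
    [ "$(size_of "$2")" -ge "$n" ] || return 1   # standby too small
    [ "$(hash_prefix "$1" "$n")" = "$(hash_prefix "$2" "$n")" ]
}

# Clone primary to standby, flush to disk, then verify the result.
# Return codes: 0 ok, 1 verification failed, 2 bad arguments, 3 dd failed.
clone_disk() {
    src=$1
    dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    [ "$src" != "$dst" ] || { echo "source and target are the same" >&2; return 2; }
    # conv=notrunc leaves any extra space on a larger standby untouched.
    dd if="$src" of="$dst" bs=65536 conv=notrunc 2>/dev/null || return 3
    sync
    verify_standby "$src" "$dst"
}
```

Run `verify_standby` on a schedule and after every configuration change; a failure while the firewall is healthy means the standby needs re-cloning, and a failure you cannot explain is a reason to look at the primary before trusting either disk.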
