HA Firewalls on the Cheap - blog.uptill3.com (blog.uptill3.com/static/carp.pdf)
TRANSCRIPT
Overview
- OpenBSD
- pf – IP packet filter
- CARP – redundancy protocol
- pfsync – state table sync
- Competition
- Production example
- FWBuilder (in case the CLI is not your ball of wax)
- Demo architecture
- Demo
- Q&A
OpenBSD
- Typically known for its 'security' focus
- Increasing network-centric focus
  - pf, OpenBGPD, ssh, OpenNTPD, etc.
- Tiny (~140 MB install)
- Simple
- Extremely well documented
  - 'man' pages for everything, which are up to date and actually have useful info!
pf – packet filter
- Packet filter for TCP/IP
  - NAT
  - QoS (w/ALTQ)
  - High availability (w/pfsync + CARP)
- Written to replace Darren Reed's 'ipf' after a license change by Reed
CARP (Common Address Redundancy Protocol)
- Allows multiple hosts to share an IP
- Free, non-patent-encumbered
- Secure (compared to VRRP/HSRP)
- IPv4 and IPv6 support
pfsync
- Network interface that exposes pf state table changes
- Can be configured to share changes over the network
- Can be configured to listen for changes on the network
- Insecure – use IPsec or a crossover cable
  - State updates are sent in cleartext and unauthenticated, so anyone on the sync segment can read or inject firewall states
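The three pieces above (pf rules, a CARP virtual address on each side of the firewall, and a pfsync interface on a dedicated link) fit together as a handful of OpenBSD config files. The script below is an added example, not from the slides or the OpenBSD project: it writes the files for one node of a two-node pair into a directory you name, so it can be run on any machine without touching a live host. Interface names (em0/em1/em2), addresses, vhids and the CARP password are hypothetical placeholders; copy the generated files into /etc on each firewall.

```shell
#!/bin/sh
# Added example: generate the OpenBSD config for one node of a pf/CARP/pfsync HA pair.
# All interface names, addresses and passwords are hypothetical placeholders.
#
#   em0 = external, em1 = internal, em2 = pfsync crossover link
#   carp0 = shared external address, carp1 = shared internal address

# write_ha_config DIR ROLE   (ROLE is "master" or "backup")
write_ha_config() {
    dir=$1
    role=$2
    case "$role" in
        # advskew: lower wins the election; backup is deliberately worse
        master) skew=0;   ext=192.0.2.2; int=10.0.0.2; sync=10.255.255.1 ;;
        backup) skew=100; ext=192.0.2.3; int=10.0.0.3; sync=10.255.255.2 ;;
        *) echo "role must be master or backup" >&2; return 1 ;;
    esac

    # Physical addresses (each node has its own)
    echo "inet $ext 255.255.255.0 NONE" > "$dir/hostname.em0"
    echo "inet $int 255.255.255.0 NONE" > "$dir/hostname.em1"
    echo "inet $sync 255.255.255.252 NONE" > "$dir/hostname.em2"

    # CARP addresses (identical on both nodes except advskew). vhid must be
    # unique per segment; pass is the shared secret for the HMAC on advertisements.
    cat > "$dir/hostname.carp0" <<EOF
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass carpsecret advskew $skew
EOF
    cat > "$dir/hostname.carp1" <<EOF
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 2 carpdev em1 pass carpsecret advskew $skew
EOF

    # pfsync rides the crossover link only: it is cleartext and unauthenticated.
    cat > "$dir/hostname.pfsync0" <<EOF
up syncdev em2
EOF

    # preempt=1: if one CARP interface on a node fails, all of them demote,
    # so the whole firewall fails over rather than splitting traffic.
    cat > "$dir/sysctl.conf" <<EOF
net.inet.carp.allow=1
net.inet.carp.preempt=1
EOF

    cat > "$dir/pf.conf" <<'EOF'
ext_if = "em0"
int_if = "em1"
sync_if = "em2"

set skip on lo

block all

# pfsync (protocol 240) only on the dedicated crossover link
pass quick on $sync_if proto pfsync

# CARP advertisements (protocol 112) on both shared segments
pass on { $ext_if $int_if } proto carp keep state

# Stateful rules; the state entries are what pfsync replicates to the peer
pass in on $int_if from $int_if:network keep state
pass out on $ext_if keep state
EOF
}

# Stand-alone use: ./ha_config.sh /tmp/fw-master master
if [ -n "${1:-}" ]; then
    mkdir -p "$1" && write_ha_config "$1" "${2:-master}"
fi
```

Run it once per role and diff the two output directories: the only differences should be the physical addresses and `advskew`, which is exactly the property that makes the pair interchangeable on failover.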
Competition
- Cisco PIX
  - Friends don't let friends use PIX
- Juniper Netscreen
  - Decent, not enough experience to judge
- Checkpoint Firewall NG
  - Excellent for large numbers of nodes, overkill for 1 or 2 locations/nodes
- Linux iptables/heartbeat
  - No state table failover
- Linux pf/carp (ugh!)
  - It has been ported…
In Production
- 2 VIA 1 GHz C3 1U rackmounts
- 20-30 Mb/s average, peaks of ~70 Mb/s
- Replaced CheckPoint Firewall NG
- pf/CARP implementation:
  - 2 hours setup and install
  - 1 hour converting Checkpoint rules
    - Working on python script to automate this!
  - 1 week proof of concept / testing
Fwbuilder
- GUI ruleset builder
- Works with pf
- Works with iptables
- Runs on Linux and Windows
- Uses native configuration (ssh/scp to set stuff up – no config daemon!)
- No carp/pfsync support