CPUG

The Check Point User Group

#1  Posted 2005-08-12 by BarryStiefel (Administrator)
Join Date: 2005-08-11
Location: San Francisco, CA
Posts: 534

Asymmetric Routing

Short answer: yes, but not without spending lots of money or reducing the security of your network.

Asymmetric routing happens when a packet for a connection comes in on firewall A and the reply packet goes out firewall B. Some HA vendors claim to be able to do this. Check Point even claims to support this in NG using their ClusterXL technology. However, I am skeptical of any product's ability to do this well. Assuming both firewalls were synchronized (with state sync or with some other mechanism), there is simply no way to synchronize fast enough to be able to handle asymmetric connections in all situations. The more latency between the time the packet leaves firewall A and returns to firewall B, the easier it is for this to work. In many cases, the latency is very short.

Consider the following situation:
  • Firewall A handles all outbound packets
  • Firewall B handles all inbound packets
  • Both firewalls are synchronizing their state tables via some mechanism

A host behind these firewalls may try and access a host on the Internet. Generally speaking, the latency of this connection (sometimes several hundred milliseconds) will be sufficient that the two firewalls can synchronize.

Consider the situation where a host on the Internet is accessing a host behind the two firewalls above. Let's assume this host is on the same LAN as the firewalls. In this case, the latency is generally very low (1-10ms). It is damn near impossible to synchronize firewalls that quickly.

Good network security can only be provided with a symmetric flow, i.e. the connection entering and leaving the same firewall. There are a number of ways to ensure a symmetric flow, usually involving additional hardware above and below the firewalls. One might think of this as a "firewall sandwich." These solutions are highly scalable and will give better performance than the HA vendors can manage.

Asymmetric Routing can only work in an environment 100% of the time when the only network security in place is packet filtering. We can do things in FireWall-1 to basically turn FireWall-1 into a packet filter, but as we all know, packet filtering isn't very secure. If you insist upon doing asymmetric routing and actually having it work, do all of your network security with a Cisco router. You won't be very secure, but you'll have asymmetric routing.

-- PhoneBoy - 10 Jan 2004
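As an added illustration of the timing argument in the post above (not code from the original post, CPUG or Check Point), the following Python script models two stateful firewalls that share connection state over a sync channel with a fixed propagation delay, and checks whether a reply routed through the other firewall is accepted. The connection tuple, the round-trip times and the 50 ms sync delay are constructed values; the "stateless" switch stands in for the packet-filter behaviour the post describes.

```python
"""Model of asymmetric routing across two state-synchronised firewalls.
The first packet leaves through firewall A, the reply returns through
firewall B. B accepts the reply only if A's state update has already
arrived, or if B is acting as a stateless packet filter."""
from dataclasses import dataclass, field


@dataclass
class Firewall:
    name: str
    sync_delay_ms: float                       # time for a state update to reach the peer
    state: set = field(default_factory=set)    # known connections (5-tuples)
    pending: list = field(default_factory=list)  # (arrival_ms, conn) queued from the peer

    def deliver_sync(self, now_ms: float) -> None:
        """Apply peer updates whose propagation delay has elapsed by now_ms."""
        ready = [c for t, c in self.pending if t <= now_ms]
        self.pending = [(t, c) for t, c in self.pending if t > now_ms]
        self.state.update(ready)

    def first_packet(self, conn: tuple, now_ms: float, peer: "Firewall") -> None:
        """The first packet passes here: record state and queue a sync to the peer."""
        self.state.add(conn)
        peer.pending.append((now_ms + self.sync_delay_ms, conn))

    def reply(self, conn: tuple, now_ms: float, stateless: bool = False) -> bool:
        """The reply arrives here. Stateful mode needs the connection in the table;
        stateless (packet-filter) mode accepts on addresses and ports alone."""
        self.deliver_sync(now_ms)
        return stateless or conn in self.state


def asymmetric_flow(reply_delay_ms: float, sync_delay_ms: float,
                    stateless: bool = False) -> bool:
    """First packet via A at t=0, reply via B at t=reply_delay_ms.
    Returns True if B accepts the reply."""
    fw_a = Firewall("A", sync_delay_ms)
    fw_b = Firewall("B", sync_delay_ms)
    conn = ("10.0.0.5", 40001, "203.0.113.10", 443, "tcp")  # constructed 5-tuple
    fw_a.first_packet(conn, 0.0, fw_b)
    return fw_b.reply(conn, reply_delay_ms, stateless=stateless)


if __name__ == "__main__":
    SYNC = 50.0  # constructed: milliseconds for a state update to reach the peer
    print("Internet peer, 200 ms reply:", asymmetric_flow(200.0, SYNC))        # True
    print("LAN peer, 5 ms reply:       ", asymmetric_flow(5.0, SYNC))          # False
    print("LAN peer, packet filter:    ", asymmetric_flow(5.0, SYNC, True))    # True
```

With a long Internet round trip the sync lands before the reply and the stateful cluster works; with a LAN-speed reply the update is still in flight and the reply is dropped, unless the second firewall is reduced to a stateless filter.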
