Mar 08
Most posts here are about new software features or products, and the use of those. Today I want to give you a small insight into a real-world setup, and a quite unusual one as well.
Starting in 2005, calls for a company-wide security policy came up, together with the wish to connect all relevant outposts of the company to the headquarters and their regional offices. We’re talking about 75 offices for phase 1, and 120 for phase 2.
Both classic VPN and MPLS were considered, but neither combined high availability and scalability with provider independence and manageable costs. First tests with StoneGate soon revealed the power of MultiLink VPN and Firewall Policy Templates. After a 2-month test phase and a complete rebuild of the headquarters network, we rolled out 75 offices in 4 months, including several production plants. Last year, phase 2 was due, and another 50 offices were added. Now the picture in SMC5.1.1 looks like this:

written by jebATpop-i - 3,244 views
\\ tags: clustering, MultiLink VPN
Feb 18
The most common place for an IPS is right behind the edge firewall, where it inspects anything that goes through the firewall. The firewall filters out most of the inbound crap, which is too obviously unnecessary to even inspect with an IPS. This is a fairly straightforward setup: you just connect the inline IPSs between the firewall and the internal switch. Cross cables from the firewall to the IPS and straight from the IPS to the switch and you’re done. StoneGate IPS, while in inline mode, looks like a cable to the network. It does not alter allowed traffic in any way, so deployment is simple.

Clustering the firewall does not seem to change much – you just add an IPS (or an inline pair) for each additional firewall node. Quite straightforward still.

Let’s now stop and think for a minute. What does this setup mean, how does it work?
written by olli - 4,563 views
\\ tags: clustering, IPS, load balancing
Feb 12
I like to move it, move it
She likes to move it, move it
He likes to move it, move it
You like to (“move it”)
This is the smash hit of Madagascar, where funny lemurs were singing and dancing… well, given the potential and features of VMware technology this could easily become the catchphrase of Virtual Datacenter managers very soon.
This page contains links to a 5-minute movie showing how smoothly Virtual Appliance Clustering works in VMware ESX Virtual Infrastructure, offering maximum compatibility with VMotion.
The tested setup is the one reported below:

And for those who want the full 15 MB Flash version, right-click here and choose “Save as…”
Or if you want to see it bigger (will open up a new browser window), click here.
written by RoarinPenguin - 1,956 views
\\ tags: clustering, firewall, Virtualization, vmotion
Dec 17
It is not uncommon to have to wait for an ISP to lease a sufficient number of addresses on the link before you are able to install a cluster, which by default requires at least 3 addresses: 1 for the CVI and 2 for the NDIs, one for every node of the cluster (considering a simple cluster of two nodes; to imagine a scenario with more nodes, just add the corresponding number of NDI addresses).
Thus, for the cluster to work normally, at least a /29 mask on the link is needed,
whereas most of the time ISPs provide only a /30 mask by default. Luckily, Stonesoft cluster technology allows clustering in that situation too.
To build a cluster one has to:
1) create a cluster element;
2) add a CVI for the external interface and uncheck the NDI checkbox;
After that the firewall will be up and running successfully, even with a VPN configuration.
BUT there are some subtle issues:
1) management should, of course, be on one of the internal interfaces;
2) static ARP entries should be made on external interfaces (which do not have an NDI) for the neighboring router IP address;
3) pings, traceroutes and other troubleshooting utilities will be unavailable through the external interface, as those rely on the interface addresses, which we are lacking in this situation.
written by DR - 1,720 views
\\ tags: clustering, ip address