Category: firewalls

BGP Routing with a DC Edge Firewall

Our design and planning is based on our current BGP-based firewall environment, similar to an ipSpace.net article. We are now planning to build a new HA firewall environment that is based on BGP-routed connectivity.

We have two optional designs, both based on BGP-routed connectivity. Firewalls act as routers, and customer LAN gateways are located in datacenter routers segmented with VRF technology. The option to be implemented depends on the capabilities of the vendor.

Option 1: Both nodes of a virtual firewall instance HA-pair work as independent routers, having their own BGP sessions running simultaneously. Both nodes in the HA-pair have a BGP neighborship with one datacenter router. The path of the traffic is controlled by routing metrics configured between firewall nodes and datacenter routers. In case of a failover or traffic switchover from one firewall node to another, there is no need to re-establish BGP sessions between firewall nodes and datacenter routers.

Option 2: Only the currently active firewall node of a virtual firewall instance has its BGP routing running. The firewall node has BGP peering configured redundantly to two datacenter routers. The path of the traffic is controlled by routing metrics configured between the active firewall node and the datacenter routers. In case of a failover or traffic switchover from one firewall node to another, the BGP sessions between the firewall node and the datacenter routers are re-established.

We would be interested in receiving comments and recommendations on the following questions:

  • Implementation of the state/policy sync for the HA-pair
  • iBGP or eBGP to be selected for the inside VRF BGP peering
  • Best practices for the BGP implementation for Option 2
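As an added illustration of the Option 1 metric control described above (this is not the poster's configuration), the following FRRouting snippet shows the inside-VRF side of one datacenter router peering with both firewall nodes over eBGP; the AS numbers, addresses, VRF name and prefixes are assumptions chosen for the example.

```text
! FRRouting config on datacenter router DCR1, inside VRF "cust-a" (constructed example).
! Customer LAN gateways live on this router; both firewall nodes peer with it
! from the inside VRF at the same time (Option 1). The outside-VRF peering uses
! the same local-preference pattern so that both directions of a flow pick the
! same node; an asymmetric path through a stateful pair only survives if state
! sync is in place.
router bgp 65000 vrf cust-a
 bgp router-id 10.0.0.1
 ! eBGP: the firewall pair uses its own AS, so no iBGP full-mesh or
 ! route-reflector concerns inside the VRF
 neighbor FW peer-group
 neighbor FW remote-as 65010
 ! BFD gives sub-second detection of a dead node instead of waiting for hold time
 neighbor FW bfd
 neighbor FW timers 10 30
 neighbor 10.1.1.2 peer-group FW
 neighbor 10.1.1.2 description fw-node-a
 neighbor 10.1.1.3 peer-group FW
 neighbor 10.1.1.3 description fw-node-b
 address-family ipv4 unicast
  ! customer LAN subnet (directly connected here) advertised toward the firewall
  network 10.20.0.0/16
  ! accept only a default route from the firewall and cap the table size,
  ! so a misconfigured or compromised node cannot inject arbitrary prefixes
  neighbor FW prefix-list FROM-FW in
  neighbor FW maximum-prefix 10
  neighbor FW soft-reconfiguration inbound
  ! prefer node A while its session is up; node B's route is the standby path
  ! and takes over automatically when A's session (or BFD) goes down
  neighbor 10.1.1.2 route-map PREFER-A in
  neighbor 10.1.1.3 route-map PREFER-B in
 exit-address-family
!
ip prefix-list FROM-FW seq 10 permit 0.0.0.0/0
!
route-map PREFER-A permit 10
 set local-preference 200
!
route-map PREFER-B permit 10
 set local-preference 100
```

Because both sessions stay up, a switchover only changes which route is best on the router; no session is torn down, which is the property Option 1 relies on.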

Perimeter Firewalls or Microsegmentation

Traditional security has relied on edge filters for ages. I realize today there are solutions for micro-segmentation (NSX-T, Illumio, Edgewise, etc.), but they are too new, don't support every OS, or whatever the limitations are that prevent them from becoming de facto, and so we still operate edge firewalls (edge meaning on the VRF edge, not necessarily on the trusted network edge like an Internet-connected firewall).

We discourage firewall policies that are based on a host IP in favor of policies that are based on a subnet address, which by its very nature means we dedicate subnets to a particular purpose. We also discourage crossing the boundary of the VRF in the first place through the perimeter firewall. Instead we encourage standing up a load balancer that is multi-homed into 2 or more VRFs. I suppose it is very similar to AWS load balancers, where they expose workloads in the VPC (one VRF) to the Internet (another VRF).

The main idea here is that we want to enable horizontal scalability of throughput capacity between VRFs, and routing everything through an edge firewall is the opposite of that (a single firewall being the bottleneck for throughput and a SPOF). What do other folks do around perimeter transit capacity, balancing that out with security?
