Network equipment hard core technology insider firewall and security gateway chapter (VI) security double repair under the law
2022-07-28 00:48:00 【User 8289326】
Last time, Linghuchong developed the firewall's HA (High Availability) function, which synchronizes sessions between two firewalls. When one firewall fails, the other seamlessly takes over all traffic, and only a few packets are lost.
But when he tested the new-connection performance of the firewall, Linghuchong found that the results with HA enabled differed greatly from those with HA disabled.
It turned out that Linghuchong had overlooked an important problem.
When the firewall synchronizes a session, it needs to carry the following information:
the quintuple (source IP, destination IP, source port, destination port, protocol type);
the quintuple after NAT;
the VRF, because addresses in different VRFs can overlap and must not be confused;
and the other processing fields of the session.
Adding up the packet header overhead of each session-synchronization packet, the session-synchronization link itself became the bottleneck limiting session synchronization...
The solution was also simple: Linghuchong modified the driver code so that session synchronization was carried over aggregated Ethernet links.
However, one wave had barely subsided before the next rose.
When Linghuchong tested the firewall in a layer 2 network, he found a new problem:
As shown in the figure, the firewall works in layer 2 mode. It has no IP address and appears to the network as a bridge with stateful-inspection firewall functions.
Because FW A, FW B, SW X and SW Y form a loop, the STP protocol is needed to block the redundant interfaces of the loop and form a spanning tree:
Of course, this kind of networking has the same drawbacks as a switch spanning tree: long convergence time, and at least half of the interface bandwidth is wasted.
Linghuchong ported the code for the switch stacking function to the firewall, allowing two firewalls to be stacked with their control planes virtualized into one. However, he found that even basic session establishment did not work properly...
It turned out that the problem was here:
Because SW X and SW Y are both switches, their links to the two firewalls are configured as port aggregation. When a switch distributes packets over an aggregated port, the member link is chosen by hashing on IP addresses, so a TCP SYN and the corresponding TCP SYN-ACK may be sent to two different firewalls in the stack group.
Suppose firewall A receives the TCP SYN packet and creates a session. There is no guarantee that the returning TCP SYN-ACK will be sent to firewall A. If the SYN-ACK is sent to firewall B, it is discarded, and the session can never be established.
Therefore, when using stack mode (also known as Active-Active mode) on a firewall to implement dual-machine hot standby, asymmetric session establishment is an essential function.
It lets the two firewalls synchronize the session state machine information rather than simply synchronizing the addition and deletion of sessions. In this way, the enviable switch stacking function can also be realized on the firewall.
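The asymmetric session establishment problem described above, as an added simulation that is not part of the original post or the firewall it describes. Two stacked firewalls sit behind switch port aggregation whose member selection hashes on the ordered (source IP, destination IP) pair, so the SYN and the matching SYN-ACK of one connection are steered to different members. The firewall model, the toy hash function, the sync modes 'add_delete' (replicate only established sessions, as the original HA did) and 'state_machine' (replicate every state transition), and the IP addresses are all constructed for the demonstration.

```python
"""Constructed model: why an Active-Active firewall stack needs
asymmetric session establishment (session state machine sync)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """The quintuple that identifies a session."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        return Flow(self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)


def lag_member(flow: Flow, n_members: int = 2) -> int:
    """Toy stand-in for the switch's port-aggregation hash (constructed).
    It is order-sensitive in (src, dst), which is the property that splits the
    two directions of one connection across different members of the stack."""
    src = int(ipaddress.ip_address(flow.src_ip))
    dst = int(ipaddress.ip_address(flow.dst_ip))
    return (src ^ (dst << 1)) % n_members


class Firewall:
    """One stateful firewall in the stack. sync_mode (constructed names):
    'add_delete'    -> only fully ESTABLISHED sessions are replicated to the peer
    'state_machine' -> every state transition is replicated, including SYN_SENT"""

    def __init__(self, name: str, sync_mode: str):
        self.name = name
        self.sync_mode = sync_mode
        self.sessions: dict = {}          # Flow (client->server) -> state
        self.peer = None

    def _sync(self, flow: Flow, state: str) -> None:
        if self.peer is None:
            return
        if self.sync_mode == "state_machine" or state == "ESTABLISHED":
            self.peer.sessions[flow] = state

    def handle(self, flow: Flow, flags: str) -> str:
        """Return 'forward' or 'drop' for one packet."""
        if flags == "SYN":
            # A new session is keyed by the client->server quintuple.
            self.sessions[flow] = "SYN_SENT"
            self._sync(flow, "SYN_SENT")
            return "forward"
        fwd = flow.reverse() if flags == "SYN-ACK" else flow
        state = self.sessions.get(fwd)
        if flags == "SYN-ACK":
            if state != "SYN_SENT":
                return "drop"             # no matching half-open session here
            self.sessions[fwd] = "SYN_RECV"
            self._sync(fwd, "SYN_RECV")
            return "forward"
        if flags == "ACK":
            if state not in ("SYN_RECV", "ESTABLISHED"):
                return "drop"
            self.sessions[fwd] = "ESTABLISHED"
            self._sync(fwd, "ESTABLISHED")
            return "forward"
        return "drop"


def simulate_handshake(sync_mode: str) -> list:
    """Run a three-way handshake through the stack; each packet is steered to
    the member chosen by lag_member(). Returns (flags, firewall, verdict) triples."""
    fw = [Firewall("FW A", sync_mode), Firewall("FW B", sync_mode)]
    fw[0].peer, fw[1].peer = fw[1], fw[0]
    client = Flow("10.0.0.2", "192.168.1.7", 40000, 443)   # constructed addresses
    packets = [(client, "SYN"), (client.reverse(), "SYN-ACK"), (client, "ACK")]
    trace = []
    for flow, flags in packets:
        member = lag_member(flow)
        verdict = fw[member].handle(flow, flags)
        trace.append((flags, fw[member].name, verdict))
        if verdict == "drop":
            break                         # the endpoint never sees it; the handshake stalls
    return trace


def handshake_succeeds(sync_mode: str) -> bool:
    trace = simulate_handshake(sync_mode)
    return len(trace) == 3 and all(v == "forward" for _, _, v in trace)


if __name__ == "__main__":
    for mode in ("add_delete", "state_machine"):
        print(mode, simulate_handshake(mode), "->", handshake_succeeds(mode))
```

With 'add_delete' the SYN lands on FW A, the SYN-ACK lands on FW B, which has no half-open session for it and drops it, so the handshake never completes; with 'state_machine' the SYN_SENT state is replicated before the SYN-ACK arrives and the connection is established across both members.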
With the firewall's dual-machine hot standby function solved, Linghuchong was very happy. Soon the new firewall was deployed at the network exit and network core of the Huashan school, and Yue Buqun was very pleased.
However, as the Huashan sect grew, new challenges were coming.
Please look forward to the next issue.