Wednesday, June 14, 2006

Client Trip

I'll be headed out of town early this next week to go to New York to visit a client. On the trip, I'll be installing two new T1's, a new router, a secondary firewall, and a new cluster of back-end servers. We're anticipating a rollover which will start on Friday around 2 am for this client, and should be done by mid-morning on Monday. If all goes well, DNS should be propagating changes within a few hours of the changeover.



We ended up using HeartBeat as a decent solution to provide roll-over capabilities to the firewalls. This means that there will be two firewalls, both generic (white-box) Linux systems with fast, redundant hard drives and a medium amount of RAM. One firewall (the more powerful of the two) will be running as the primary system, both for incoming and outgoing connections. This includes outbound web browsing (using squid as a proxy), inbound web requests (using apache as a reverse proxy), DNS requests, email filtering (SPAM filtering is actually done on another system), and all VPN requests.



This firewall (fire1) will be using regular “heart beats” to check on the secondary firewall (fire2). In fact, the secondary firewall (fire2) will also be checking on fire1. If the secondary (fire2) discovers that the primary is down, it will take over the responsibilities of the primary (fire1). This roll-over will provide the necessary hot-swap capabilities to the firewalls. And if one of them fails, we can decide when to fix it (if there were only one and it failed, we'd have to repair it immediately).



The largest problem that we are likely to have while working with this type of a system is the fact that changes on one system are not necessarily made to the second. One way to get around this is to use a third system to store configuration files (like DNS records, squid configuration files, and apache configuration files), but that would introduce another potential point of failure. Changes for this particular client are few and far between, so the sys-admin making the changes will just need to remember to change both.
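One way to catch the drift described above before a failover exposes it is a script that compares the files the two firewalls must keep identical and checks the permissions on Heartbeat's shared-secret file. The script below is an added example, not part of the original post or of the Heartbeat project; the hostnames fire1 and fire2 are from the post, but the file paths, the file contents, and the idea of checking authkeys permissions are assumptions made for illustration. Both config trees are constructed inline so the script runs offline; in real use each tree would be a copy pulled from the corresponding firewall.

```shell
#!/bin/sh
# Added example (not from the original post): detect configuration drift
# between a Heartbeat primary/secondary firewall pair and flag an insecure
# authkeys file. Paths and sample contents are assumptions for illustration.

# Files that must be identical on both nodes. Heartbeat's authkeys carries the
# shared authentication secret, so it is checked for content and for mode 0600.
CONFIG_FILES="etc/ha.d/authkeys etc/squid/squid.conf etc/bind/db.example"

# build_sample_trees BASE: constructs BASE/fire1 and BASE/fire2 with sample
# configs, then introduces two deliberate problems (constructed test data).
build_sample_trees() {
    base=$1
    for host in fire1 fire2; do
        mkdir -p "$base/$host/etc/ha.d" "$base/$host/etc/squid" "$base/$host/etc/bind"
        printf 'auth 1\n1 sha1 example-shared-secret\n' > "$base/$host/etc/ha.d/authkeys"
        chmod 600 "$base/$host/etc/ha.d/authkeys"
        printf 'http_port 3128\nacl lan src 10.0.0.0/24\nhttp_access allow lan\n' \
            > "$base/$host/etc/squid/squid.conf"
        printf 'www IN A 10.0.0.10\n' > "$base/$host/etc/bind/db.example"
    done
    # Simulated drift: the admin added a DNS record on fire1 but forgot fire2.
    printf 'mail IN A 10.0.0.11\n' >> "$base/fire1/etc/bind/db.example"
    # Simulated mistake: authkeys left world-readable on fire2.
    chmod 644 "$base/fire2/etc/ha.d/authkeys"
}

# compare_configs BASE: prints one line per problem found and returns the
# number of problems, so a zero exit status means the pair is in sync.
compare_configs() {
    base=$1
    problems=0
    for rel in $CONFIG_FILES; do
        if ! cmp -s "$base/fire1/$rel" "$base/fire2/$rel"; then
            echo "DRIFT: $rel differs between fire1 and fire2"
            problems=$((problems + 1))
        fi
    done
    for host in fire1 fire2; do
        f="$base/$host/etc/ha.d/authkeys"
        # GNU stat first, BSD stat as fallback.
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        if [ "$mode" != "600" ]; then
            echo "PERMS: $host authkeys is mode $mode, expected 600"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Usage: sh check-drift.sh --demo
# Builds the sample trees in a temporary directory and reports on them.
if [ "${1-}" = "--demo" ]; then
    work=$(mktemp -d)
    build_sample_trees "$work"
    compare_configs "$work" && echo "fire1 and fire2 configs match"
    rm -rf "$work"
fi
```

Run from cron on either node against rsync'd copies of the peer's config directory, the non-zero exit status turns a forgotten second edit into an alert instead of a surprise during failover. The authkeys check matters because Heartbeat refuses to start when the file is readable by others, and a secondary that cannot start Heartbeat never takes over.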
