An unavailability analysis of firewall sandwich configurations

Document Type

Conference Proceeding

Publication Date



© 2001 IEEE. Firewalls form the first line of defense in securing internal networks from the Internet. A Firewall only provides security if all traffic into and out of an internal network passes through the firewall. However, a single firewall through which all network traffic must flow represents a single point of failure. If the firewall is down, all access is lost. A common solution to this problem is to use firewall sandwiches, comprising multiple firewall processors running in parallel. A firewall sandwich system needs load-balancing processes executing on separate processors to manage the flow of packets through the firewall processors. The number of redundant load balancing processors and their redundancy management policies have a major impact on system unavailability. We present a model to analyze the steady-state unavailability of firewall sandwiches and compare the unavailability of various load-balancing configurations. The results show that, using representative non-proprietary values for system parameters, redundancy management policies are at least as important as the number of redundant processing nodes.

Publication Title

Proceedings of IEEE International Symposium on High Assurance Systems Engineering