Businesses increasingly rely on data networks to carry mission-critical information. This is particularly true for businesses that rely on IP data networks to carry voice-over-IP data for packet telephony. Data networks must offer high-availability capabilities so that business continuity is not interrupted by scheduled maintenance or unexpected downtime due to circuit, power, and physical hardware failures or configuration errors.
Cisco IOS® Firewall offers features that address stateful failover security requirements, but specific recommendations must be observed for network design and implementation when Cisco IOS Firewall is used for stateful inspection of IP traffic in non-failover environments. This document addresses questions commonly asked by network engineers about the deployment and application of Cisco IOS Firewall in high-availability network environments.
Stateful failover for Cisco IOS Classic Firewall has been available in Cisco IOS Software-based router products since Cisco IOS Software Release 12.4(6)T. Cisco IOS Zone-Based Policy Firewall was introduced in the same software release, but the stateful failover subsystem was not included in the early phases of that firewall's development. The Cisco IOS Zone-Based Policy Firewall roadmap does not presently include stateful failover; this capability is being investigated for a future release.
Cisco IOS Classic Firewall High-Availability Capabilities and Design Guidance
Cisco IOS Classic Firewall offers multiple options for supporting high-availability networks, from multiple-uplink connectivity through the same router to stateful failover between routing peers in a Hot Standby Router Protocol (HSRP) environment.
Cisco IOS Classic Firewall introduced active-standby stateful failover in Cisco IOS Software Release 12.4(6)T. Active-standby stateful failover is applied with stateful switchover, a component of HSRP that provides for synchronization of state information for services that offer stateful failover. Thus, Cisco IOS Classic Firewall stateful failover is generally limited to platforms offering stateful switchover capability. To learn more about the capabilities, limitations, and configuration guidance for stateful failover, follow the documentation link in the "Additional Reading" section of this document.
In cases where multiple devices are not used or Cisco IOS Firewall stateful failover is not applied, Cisco IOS Firewall offers other high-availability options. First among these is the ability of a Cisco IOS Software-based router to use multiple uplinks to a WAN to maintain access to networks across a private WAN or the public Internet. If routing continuity can be maintained (i.e., Network Address Translation [NAT] with differing outside addresses is not in use), a single router provides fault tolerance for WAN connectivity problems (Figure 1). The same access control list (ACL) must be applied to both WAN-facing connections, because inspection sessions are associated with a given hostile-network-facing ACL. If the same ACL is used on all WAN-facing connections, return traffic arriving on either WAN interface is checked against the session table associated with that ACL.
Figure 1. One Router with Multiple Uplinks
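The following Classic Firewall configuration is an added illustration of the Figure 1 design (example configuration written for this page, not Cisco's own): one inspection rule and one inbound ACL are applied to both WAN interfaces so that return traffic on either uplink is matched against the same session table, and no NAT is configured so routing continuity is preserved. Interface names, RFC 5737 documentation addresses and next-hop addresses are assumed.

```cisco
! Classic Firewall (CBAC) inspection rule, reused on both uplinks
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT icmp
!
! A single hostile-network-facing ACL. Inspection inserts the dynamic
! return-traffic entries into this ACL, so it must be the SAME ACL on
! every WAN interface. Defining one ACL per uplink (for example WAN-IN-1
! and WAN-IN-2) would tie each session to one uplink and drop legitimate
! return traffic that arrives on the other.
ip access-list extended WAN-IN
 deny   ip any any log
!
interface GigabitEthernet0/0
 description LAN (constructed example addressing)
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 description WAN uplink 1 (constructed example addressing)
 ip address 203.0.113.2 255.255.255.252
 ip access-group WAN-IN in
 ip inspect FW-INSPECT out
!
interface GigabitEthernet0/2
 description WAN uplink 2 (constructed example addressing)
 ip address 198.51.100.2 255.255.255.252
 ip access-group WAN-IN in
 ip inspect FW-INSPECT out
!
! Primary default route plus a floating static route (higher administrative
! distance) so uplink 2 carries traffic if the uplink 1 interface goes down.
! No "ip nat" statements: differing outside addresses per uplink would break
! routing continuity for established sessions.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
```

After a failover, `show ip inspect sessions` should still list the sessions that were established through uplink 1, since they belong to the shared WAN-IN ACL rather than to the failed interface.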
If multiple routers are used to provide WAN connectivity (Figure 2), the routing configuration must ensure that all outbound traffic inspected by Cisco IOS Firewall returns through the same WAN connection. This allows the firewall to maintain awareness of the progression of application traffic activity (e.g., TCP connection state or TCP sequence number advancement).
Figure 2. Two Routers; One Uplink per Router
If the firewall is not notified of changes in the connection state or TCP sequence number, the firewall will assume that traffic observed after several missed packets is invalid and will close down the connection. Additionally, the backup firewall will reset the connection when it observes traffic for a connection it does not know about.
Cisco IOS Zone-Based Policy Firewall High-Availability Capabilities and Design Guidance
Cisco IOS Zone-Based Policy Firewall does not presently offer stateful failover capability; it can only accommodate a high-availability network infrastructure by using one router with multiple uplinks, as illustrated in Figure 1. The Cisco IOS Firewall device must carry the traffic for any given connection or session in both directions, so that the router's inspection state is always current for all traffic that traverses the router.
Considerations for Concurrent Use of Cisco IOS Firewall and Multirouter Load Balancing or Asymmetric Routing
Cisco IOS Classic Firewall and Zone-Based Policy Firewall can only be used in a load-balancing or multipath routing environment if the router performing firewall inspection can inspect both the original connection traffic and the return traffic matching that connection. Cisco IOS Firewall must be able to track both directions of traffic in order to maintain an accurate view of the TCP connection or User Datagram Protocol (UDP) session activity. Unlike Cisco PIX® and ASA security appliances, which offer active-active firewall capability in which multiple devices synchronize their state information as a group, Cisco IOS Firewall does not offer active-active firewall capability. This limits the use of Cisco IOS Firewall in asymmetric routing deployments, because routing must maintain the same return path that the traffic used on ingress.