S 2.302 Security gateways and high availability

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

A security gateway should always be the only interface between the external network and the network to be protected. As a consequence, the security gateway is both a potential bottleneck and a single point of failure for the entire network traffic of an organisation. High availability requirements are therefore often placed on security gateways.

Therefore, the most important components of a security gateway should be designed redundantly. These are primarily the components that all traffic must pass through in order to retrieve or send information. Normally, this category includes packet filters, application level gateways and, where present, VPN components. For other components (e.g. virus scanners or intrusion detection systems), their relevance for the security of the network to be protected must be assessed on a case-by-case basis.

There are different options for increasing the availability of components of a security gateway:

Cold standby

For cold standby, a second, identically built backup system is provided alongside the production system, but it is not active. Should the primary system fail, the backup system is booted and integrated into the security gateway manually.

Advantages of a cold standby solution:
  • After a failure, the security gateway can be restored considerably faster than by reinstalling or rebuilding it.
  • The low complexity of the solution makes misconfigurations less likely.

Disadvantages of a cold standby solution:
  • In addition to the live system, a second system must be kept available and consistently updated with the current configuration and patches.
  • The cold standby system cannot detect malfunctions automatically and must be activated manually. The administrator must therefore monitor the function of the live system continuously and intervene in an emergency.
  • Depending on the product used, an administrator must be present to start a component of the security gateway, since some systems do not boot to operating state without keyboard interaction. Such components cannot be activated via a remotely controlled power socket.

Table 1: Advantages and disadvantages of a cold standby solution.

Hot standby

A hot standby also comprises a backup system (usually with the same configuration as the system in normal operation). However, this backup system is operated in parallel at all times, with each component monitoring the other. In the event of a malfunction, the backup system can take over the function of the live system immediately. The switch-over may be performed automatically or only after user interaction. Requiring user interaction can prevent a switch-over to the hot standby system (which may itself cause additional complications) in the event of very short outages.

In order to keep downtimes as short as possible, the status of the most important components must be checked at the shortest possible intervals when operating the security gateway in hot standby.

Advantages of a hot standby solution:
  • No administrator interaction on the console is required.
  • Since the functions of the failed system are taken over automatically by the backup components, there is no downtime or only a short one.

Disadvantages of a hot standby solution:
  • Compared to cold standby, the security gateway is considerably more complex, since all components involved must be checked for proper functionality by additional monitoring components.
  • For every relevant component of the security gateway, a separate monitoring component must be procured and maintained.

Table 2: Advantages and disadvantages of a hot standby solution.

Parallel operation

During parallel operation, two or more security gateways are operated simultaneously at all times. Parallel operation not only reduces the load on each system and increases performance, but also makes failures easier to cope with. Depending on the load balancing method selected, the remaining systems take over the tasks of the system that is currently unavailable. As a consequence, there is a temporary loss of performance, but functionality is fully maintained.

In this case, however, it must be ensured that all systems are kept consistent. For security gateways, proper time synchronisation and the consistency of the rule base must be taken into consideration above all. Moreover, it must be guaranteed that both directions of a connection (requests and the corresponding replies) are always processed by the same component, since connections may otherwise be dropped. This applies in particular to application level gateways and to packet filters with stateful inspection, which only accept a reply if they have seen the matching request.

Two variants must be differentiated for parallel operation:

Static parallel operation

In this variant, the configuration (particularly the routing information) of the components of the security gateway is not changed during operation. For example, one form of static parallel operation consists of using the parallel components of the security gateway to provide different services, e.g. HTTP over one communication path and SMTP over a parallel communication path. This configuration increases the performance of the entire system, but is problematic in the event of the failure of individual components, since the components are configured differently and cannot readily be replaced by their parallel counterparts. For this reason, such a structure and configuration of the security gateway is generally not recommended.

Dynamic parallel operation/load balancing

With this mode of operation, the configuration of the components of the security gateway is adapted to the performance requirements during operation. Load balancing is an example of this, with the data flows being routed depending on the utilisation of the components involved in the communication.

For load balancing, it must be ensured that the automatic configuration changes on the components involved do not result in any change to the security rules of the security gateway as a whole.
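Two of the consistency requirements above (the same component must handle both directions of a connection, and the rule base must remain identical across all components even while load balancing reconfigures the data flows) are illustrated by the following added example, which is not part of S 2.302. It assumes a hypothetical setup in which gateways are identified by name, flows by their 5-tuple, and each gateway's rule base is exported as a list of dictionaries; the gateway names, addresses and rules are constructed for the example.

```python
"""Flow affinity and rule-base consistency for security gateways in parallel operation.

Added example, not part of S 2.302.  Assumptions (hypothetical): gateways are
identified by name, flows by their 5-tuple, and each gateway's rule base is
available as a list of dicts exported from the management interface.
"""
import bisect
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def flow_key(flow: Flow) -> str:
    """Direction-independent connection key.

    The two endpoints are ordered before hashing, so the reply packets of a
    connection (src/dst swapped) map to the same gateway as the request.  A
    stateful packet filter or ALG that never saw the request would otherwise
    drop the reply.
    """
    lo, hi = sorted([(flow.src, flow.sport), (flow.dst, flow.dport)])
    return f"{flow.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


class GatewayRing:
    """Consistent hashing over the gateways: when one gateway fails, only the
    flows it owned are reassigned; every other gateway keeps its connections."""

    def __init__(self, gateways, replicas: int = 64):
        self.replicas = replicas
        self._points = []   # sorted hash points on the ring
        self._owners = []   # gateway owning the point at the same index
        for gw in gateways:
            self.add(gw)

    @staticmethod
    def _point(s: str) -> int:
        return int.from_bytes(hashlib.sha256(s.encode()).digest()[:8], "big")

    def add(self, gw: str) -> None:
        for i in range(self.replicas):
            p = self._point(f"{gw}#{i}")
            idx = bisect.bisect_left(self._points, p)
            self._points.insert(idx, p)
            self._owners.insert(idx, gw)

    def remove(self, gw: str) -> None:
        keep = [(p, o) for p, o in zip(self._points, self._owners) if o != gw]
        self._points = [p for p, _ in keep]
        self._owners = [o for _, o in keep]

    def owner(self, flow: Flow) -> str:
        if not self._points:
            raise RuntimeError("no gateway available: fail closed")
        idx = bisect.bisect_left(self._points, self._point(flow_key(flow)))
        return self._owners[idx % len(self._points)]   # wrap around the ring


def rulebase_digest(rules) -> str:
    """Canonical digest of a rule base.

    Keys inside each rule are sorted, but the order of the rules is kept:
    a firewall rule base is first-match, so two nodes holding the same rules
    in a different order are NOT consistent and must not share a digest.
    """
    canonical = json.dumps(rules, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def inconsistent_nodes(node_rulebases: dict, reference: str) -> list:
    """Names of the nodes whose rule base differs from the reference node's."""
    ref = rulebase_digest(node_rulebases[reference])
    return sorted(n for n, rb in node_rulebases.items() if rulebase_digest(rb) != ref)


if __name__ == "__main__":
    # constructed sample data
    ring = GatewayRing(["gw-a", "gw-b", "gw-c"])
    req = Flow("203.0.113.10", 51515, "192.0.2.25", 443, "tcp")
    rep = Flow("192.0.2.25", 443, "203.0.113.10", 51515, "tcp")
    print("request ->", ring.owner(req), "| reply ->", ring.owner(rep))
    rules = [{"action": "accept", "proto": "tcp", "dst": "192.0.2.25", "dport": 443},
             {"action": "drop", "src": "any"}]
    nodes = {"gw-a": rules, "gw-b": list(reversed(rules)), "gw-c": rules}
    print("nodes with deviating rule base:", inconsistent_nodes(nodes, "gw-a"))
```

The affinity check and the digest comparison are independent: run the digest comparison from the monitoring component after every automatic reconfiguration, and treat any deviating node as a reason to take it out of the rotation rather than to keep balancing traffic onto it.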

Load balancing may be part of a high-availability solution (HA solution). In an HA solution, the availability of the components of the security gateway is monitored and backup systems are brought in to compensate for a failure. In this context, the load balancing described above only serves to increase performance and does not provide high availability on its own; it must additionally be ensured that the backup systems compensate for a system failure automatically, without administrator intervention. Consistent monitoring of the HA components is at least as important as an automatic failover when it is needed.

The advantages and disadvantages of an HA solution are comparable to those of a hot standby system. Compared to hot standby, however, all components of the security gateway are in use, so that the load distribution itself helps to ensure the availability of the security gateway.

Requirements for HA solutions

An HA solution should meet the following requirements:

An HA solution is particularly simple if only a single-tier design consisting of a packet filter is to be made highly available. Many commercial products offer a simple solution for this, which mainly consists of activating the corresponding HA option in the administration interface.

An HA solution for multi-tier security gateways (e.g. composed of packet filters and an application level gateway) is more complex. Here, every component must be made highly available, which means significant extra effort and expense. Normally, dynamic routing protocols (e.g. "Open Shortest Path First", OSPF) that redirect the network traffic as required must be used together with the monitoring function.

However, dynamic routing protocols are not without problems from a security point of view. Information on these problems can be found in T 5.51 Abuse of routing protocols and S 5.112 Security aspects of routing protocols. If dynamic routing protocols are to be used to implement an HA solution, an additional security analysis should check whether the required level of security is still attained.

Within the P-A-P chain (packet filter, application level gateway, packet filter) of a multi-tier security gateway, one component must assume the monitoring function. This component decides whether or not the P-A-P chain as a whole is functional. Using a stand-alone monitoring component that is responsible solely for functional testing is recommended for this task.

If a stand-alone monitoring component cannot be integrated, it is recommended to assign this task to the application level gateway (ALG). On the one hand, this has the advantage that many functions of the security gateway are implemented on the ALG, so that they can be evaluated locally by the monitoring software. On the other hand, the ALG is often placed centrally within the security gateway, so that it has direct access to the other components.
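The monitoring logic described for hot standby (checking the components at short intervals while not switching over on very short outages) and for the P-A-P chain (one component deciding whether the whole chain is functional) is sketched in the following added example, which is not part of S 2.302. The tier names, thresholds and probe results are constructed assumptions; how each tier is actually probed (ICMP, a TCP connect through the chain, a product-specific health API) is left to a caller-supplied function and is not shown.

```python
"""Chain monitor for a multi-tier (P-A-P) security gateway in hot standby.

Added example, not part of S 2.302.  Assumptions (hypothetical):
- every tier of the chain is probed by the caller, who passes the results in;
- the chain is declared DOWN only after `fail_threshold` consecutive failed
  checks, so a very short outage does not trigger a switch-over;
- the chain is declared UP again only after `recover_threshold` consecutive
  successful checks (hysteresis against flapping between the two systems).
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    UP = "up"
    DOWN = "down"


@dataclass
class Decision:
    state: State
    failover: bool       # True exactly on the check that triggers the switch-over
    failed_tiers: list   # tiers whose probe failed in this check


@dataclass
class ChainMonitor:
    tiers: list                   # probe order, e.g. outer filter, ALG, inner filter
    fail_threshold: int = 3
    recover_threshold: int = 2
    state: State = State.UP
    _consecutive_failures: int = field(default=0, init=False)
    _consecutive_successes: int = field(default=0, init=False)

    def check(self, probes: dict) -> Decision:
        """Evaluate one round of probe results (tier name -> bool).

        The chain is functional only if every tier passed; a tier with no
        probe result counts as failed (fail closed rather than assume health).
        """
        failed = [t for t in self.tiers if not probes.get(t, False)]
        failover = False
        if failed:
            self._consecutive_failures += 1
            self._consecutive_successes = 0
            if self.state is State.UP and self._consecutive_failures >= self.fail_threshold:
                self.state = State.DOWN
                failover = True
        else:
            self._consecutive_successes += 1
            self._consecutive_failures = 0
            if self.state is State.DOWN and self._consecutive_successes >= self.recover_threshold:
                self.state = State.UP
        return Decision(self.state, failover, failed)


def run_monitor(monitor: ChainMonitor, rounds: list) -> list:
    """Feed a sequence of probe rounds to the monitor; return all decisions."""
    return [monitor.check(r) for r in rounds]


if __name__ == "__main__":
    # constructed probe rounds: one transient ALG hiccup, then a real outage
    tiers = ["packet-filter-ext", "alg", "packet-filter-int"]
    ok = {t: True for t in tiers}
    alg_down = {**ok, "alg": False}
    rounds = [ok, alg_down, ok, alg_down, alg_down, alg_down, ok, ok]
    for i, d in enumerate(run_monitor(ChainMonitor(tiers), rounds), 1):
        print(i, d.state.value, "FAILOVER" if d.failover else "", d.failed_tiers)
```

With the defaults, the single failed check in round 2 is ignored, the third consecutive failure in round 6 triggers the switch-over, and the chain is only reported healthy again after two clean rounds. Where the organisation wants a human to confirm the switch-over, the `failover` flag is the point at which to raise the alarm instead of acting automatically.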

A difficulty, however, is that ALGs are often hardened to prevent the installation of third-party software, precisely in order to prevent the system from being compromised. It also cannot be ruled out that the monitoring software itself contains errors that significantly reduce the security of the ALG.

Additional security analysis

High availability solutions are always tailored to specific requirements, and combinations of the types described above are entirely possible. As a matter of principle, an additional security analysis is strongly recommended whenever the availability requirements for the security gateway make a high availability solution necessary.

Review questions: