The hardware required to complete the option visually detailed in the image below includes two firewalls, two switches, two load balancers, and any number of servers depending on your traffic and application. The hardware I recommend and have personally used in this configuration is two Fortinet 200A firewalls, two Dell 5424 gigabit switches, two Foundry ServerIron load balancer switches, and a mix of Dell PowerEdge servers. To provide full redundancy we will be touching on network redundancy as well as hardware redundancy.
Switch redundancy is easy since the switches only provide layer two services. We will talk more about their mesh connection when we get to the network redundancy below.
Load Balancer Redundancy:
The load balancers are also in an active/passive configuration, which allows them to share session information between the two. Each load balancer has essentially the same configuration and also uses VIPs (Virtual IPs).
The servers that you deploy should have the exact same operating system and OS packages installed on each. Make sure that you have at least two servers providing the same application services to the end user in each of the server farms shown in the image above. This keeps any single server's downtime from being noticed by clients connecting to the application. If anything happens to SW01, FW01, or anything in server farm one, then the servers in server farm two will continue to serve clients.
Network redundancy can be broken down into the internal network and the external network.
The external network can be made redundant by obtaining two drops from your colo, each from a different router. Typically each drop has its own /30 configured on it so you can set up communication between your firewalls and the colocation's routers/firewalls. Then ask your colocation to route your public IP space via BGP over each of the drops they have provided. BGP allows your primary link to drop and be picked up by the secondary drop with minimal downtime and without any human interaction. First, plug each drop into a different switch on your network, then split out two Ethernet cables from each switch and plug them into the WAN ports on your firewalls. For instance, drop one from the colo plugs into SW01 and then splits to plug into WAN1 on each firewall. Drop two from the colo plugs into SW02 and splits out to plug into WAN2 on each firewall. If you do not have the budget for four switches, you can create a VLAN on each switch with three ports in it to accomplish the same goal.
The internal network redundancy is provided by plugging DMZ1 on FW01 into SW01 and DMZ1 on FW02 into SW02. SW01 and SW02 should also be connected together to allow the servers in server farm one and server farm two to reach the network through either firewall if necessary. LB01 should be plugged into SW01 and LB02 should be plugged into SW02.
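The cabling above is easy to get subtly wrong, so here is an added example (my own code, not part of the original post or any vendor's tooling) that models the described topology as a graph and checks it for single points of failure. The device names are the post's; the link list, the split of each switch into a `:wan` and a `:dmz` VLAN segment, and the mapping from a physical device to the graph nodes it takes down with it are my assumptions drawn from the cabling description. It goes one step beyond the post by also enumerating pairs of devices whose simultaneous loss would take the application offline, which is what reveals the value of splitting each drop to both firewalls.

```python
"""Single-point-of-failure check for the redundant colo topology (added example)."""
from collections import defaultdict, deque
from itertools import combinations

# Assumed undirected adjacencies following the post's cabling. "SW01:wan" and
# "SW01:dmz" are the two VLANs on SW01 (the four-switch alternative behaves the same).
LINKS = [
    ("internet", "drop1"), ("internet", "drop2"),
    ("drop1", "SW01:wan"), ("drop2", "SW02:wan"),
    ("SW01:wan", "FW01"), ("SW01:wan", "FW02"),   # drop one split to WAN1 of each firewall
    ("SW02:wan", "FW01"), ("SW02:wan", "FW02"),   # drop two split to WAN2 of each firewall
    ("FW01", "SW01:dmz"), ("FW02", "SW02:dmz"),   # DMZ1 ports
    ("SW01:dmz", "SW02:dmz"),                     # switch-to-switch link
    ("SW01:dmz", "LB01"), ("SW02:dmz", "LB02"),
    ("SW01:dmz", "farm1-srv1"), ("SW01:dmz", "farm1-srv2"),
    ("SW02:dmz", "farm2-srv1"), ("SW02:dmz", "farm2-srv2"),
]

# Assumed failure units: which graph nodes vanish when a physical device dies.
DEVICES = {
    "drop1": {"drop1"}, "drop2": {"drop2"},
    "SW01": {"SW01:wan", "SW01:dmz"}, "SW02": {"SW02:wan", "SW02:dmz"},
    "FW01": {"FW01"}, "FW02": {"FW02"},
    "LB01": {"LB01"}, "LB02": {"LB02"},
    "farm1-srv1": {"farm1-srv1"}, "farm1-srv2": {"farm1-srv2"},
    "farm2-srv1": {"farm2-srv1"}, "farm2-srv2": {"farm2-srv2"},
}
LOAD_BALANCERS = {"LB01", "LB02"}
SERVERS = {d for d in DEVICES if d.startswith("farm")}


def reachable(links, start, dead=frozenset()):
    """Breadth-first set of nodes reachable from `start`, ignoring `dead` nodes."""
    adj = defaultdict(set)
    for a, b in links:
        if a not in dead and b not in dead:
            adj[a].add(b)
            adj[b].add(a)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def service_up(links, dead=frozenset()):
    """The application is up if the Internet still reaches a load balancer and a server.

    This is pure connectivity; it does not model firewall policy or which LB is active.
    """
    comp = reachable(links, "internet", dead)
    return bool(comp & LOAD_BALANCERS) and bool(comp & SERVERS)


def single_points_of_failure(links, devices=DEVICES):
    """Devices whose loss alone takes the application offline."""
    return sorted(d for d, nodes in devices.items()
                  if not service_up(links, frozenset(nodes)))


def double_faults(links, devices=DEVICES):
    """Device pairs whose simultaneous loss takes the application offline."""
    return sorted((a, b) for a, b in combinations(sorted(devices), 2)
                  if not service_up(links, frozenset(devices[a] | devices[b])))


def with_links(links, remove=(), add=()):
    """Return a variant topology with some links removed and/or added."""
    gone = set(remove)
    return [link for link in links if link not in gone] + list(add)


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(LINKS))
    print("fatal device pairs:", len(double_faults(LINKS)))
    # Common mistake: both load balancers hung off the same switch.
    bad = with_links(LINKS, remove=[("SW02:dmz", "LB02")], add=[("SW01:dmz", "LB02")])
    print("SPOF with both LBs on SW01:", single_points_of_failure(bad))
```

Running it on the topology as described reports no single point of failure. The interesting comparison is the variant without the drop split (each drop wired to only one firewall): it also passes the single-failure check, but `double_faults` shows that losing drop one together with FW02 takes the site down, which the split prevents. That is why the post's extra cables are worth the switch ports.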
If there are any questions relating to the above, please contact us. Question Defense contributors also provide consulting services.