Disaster Recovery and Business Continuity

Disaster Recovery and Business Continuity

Firewall failures can completely isolate web servers, making disaster recovery planning essential. Design firewall architectures that maintain availability during failures while preserving security.

High Availability Configurations: Implement redundant firewalls in active-passive or active-active configurations:

# Configure firewall clustering (example using keepalived)
global_defs {
    # Identifier for this node; give the peer firewall its own router_id.
    router_id FIREWALL_MASTER
}

# VRRP instance that owns the firewall's virtual IP on eth0.
# This is the configuration for the primary node; the peer is expected to use
# state BACKUP and a lower priority with the same virtual_router_id.
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    # Must be identical on both nodes and unique on this network segment.
    virtual_router_id 51
    # Highest priority wins the election for the virtual IP.
    priority 100
    # Advertisement interval in seconds.
    advert_int 1
    # NOTE(review): auth_type PASS puts the password in clear text in every
    # VRRP advertisement, and keepalived uses only the first 8 characters of
    # auth_pass. Treat it as protection against misconfiguration, not against
    # a host on the same segment. Replace the sample value per deployment and
    # restrict VRRP (IP protocol 112) to the peer's address, or run it over a
    # dedicated link with unicast_peer.
    authentication {
        auth_type PASS
        auth_pass fw_cluster_secret
    }
    # Address that moves to whichever node is currently master.
    virtual_ipaddress {
        192.168.1.1/24 dev eth0
    }
}

# Group VRRP instances so they change state together.
# A sync group does not replicate connection-tracking state between nodes;
# stateful failover needs a separate mechanism (for example conntrackd).
vrrp_sync_group FW_SYNC {
    group {
        VI_1
    }
    # Scripts run on transition to master / backup, with the role as argument.
    # NOTE(review): keep the script root-owned and not writable by other users;
    # see enable_script_security and script_user in global_defs.
    notify_master "/usr/local/bin/fw-failover.sh master"
    notify_backup "/usr/local/bin/fw-failover.sh backup"
}

Configuration Backups: Automate firewall configuration backups. The script below expects FIREWALL_TYPE and BACKUP_PASSWORD to be set in its environment:

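#!/bin/bash
# Daily firewall backup script
#
# Dumps the active firewall configuration, packs it into an encrypted
# archive under BACKUP_DIR, prunes old archives and uploads the encrypted
# archives to S3.
#
# Required environment:
#   FIREWALL_TYPE    one of: iptables, nftables, aws
#   BACKUP_PASSWORD  passphrase for the archive (exported variable)
#
# Restore:
#   openssl enc -d -aes-256-cbc -pbkdf2 -pass env:BACKUP_PASSWORD \
#       -in firewall-backup-YYYYMMDD.tar.gz.enc | tar -xzf -

# Stop on the first failed command so a broken dump is never encrypted,
# kept as the day's backup and synced.
set -euo pipefail

# Rule sets describe the whole network policy; keep every file owner-only.
umask 077

readonly BACKUP_DIR="/backup/firewall"
readonly RETENTION_DAYS=30
DATE=$(date +%Y%m%d)
readonly DATE

# Fail early instead of producing an empty or passwordless archive.
: "${FIREWALL_TYPE:?FIREWALL_TYPE must be set (iptables, nftables or aws)}"
: "${BACKUP_PASSWORD:?BACKUP_PASSWORD must be set}"
export BACKUP_PASSWORD

# Create backup directory
mkdir -p -- "${BACKUP_DIR}"

readonly ARCHIVE="${BACKUP_DIR}/firewall-backup-${DATE}.tar.gz.enc"

# Plaintext dumps go to a private staging directory, not BACKUP_DIR, so they
# are never picked up by the S3 sync and never linger next to the archive.
STAGING=$(mktemp -d)
readonly STAGING
trap 'rm -rf -- "${STAGING:?}" "${ARCHIVE}.partial"' EXIT

# Backup firewall configurations
case "${FIREWALL_TYPE}" in
    iptables)
        iptables-save > "${STAGING}/iptables-${DATE}.rules"
        ip6tables-save > "${STAGING}/ip6tables-${DATE}.rules"
        ;;
    nftables)
        nft list ruleset > "${STAGING}/nftables-${DATE}.rules"
        ;;
    aws)
        aws ec2 describe-security-groups > "${STAGING}/aws-sg-${DATE}.json"
        ;;
    *)
        printf 'Unsupported FIREWALL_TYPE: %s\n' "${FIREWALL_TYPE}" >&2
        exit 1
        ;;
esac

# Compress and encrypt
# - The passphrase is read from the environment (env:), not passed as
#   pass:... on the command line where other local users can see it in ps.
# - -pbkdf2 replaces openssl's legacy single-pass key derivation; it needs
#   OpenSSL 1.1.1+ and the same flag on decryption.
# - AES-CBC gives confidentiality only. NOTE(review): store a checksum or
#   signature of the archive if tampering with backups is a concern.
# - Archive members are relative paths (./name), not /backup/firewall/name.
tar -czf - -C "${STAGING}" . \
    | openssl enc -aes-256-cbc -salt -pbkdf2 -pass env:BACKUP_PASSWORD \
    > "${ARCHIVE}.partial"
# Publish the archive only once it is complete.
mv -- "${ARCHIVE}.partial" "${ARCHIVE}"

# Clean up old backups
find "${BACKUP_DIR}" -name 'firewall-backup-*.tar.gz.enc' \
    -mtime "+${RETENTION_DAYS}" -delete

# Sync to remote storage
# Only encrypted archives are uploaded; plaintext rule files left in
# BACKUP_DIR by earlier runs are skipped (and are not removed by this script).
aws s3 sync "${BACKUP_DIR}" s3://backup-bucket/firewall-configs/ \
    --exclude '*' --include 'firewall-backup-*.tar.gz.enc'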