Firewall Wizards mailing list archives
Network Design question
From: "golovast" <golovast () yandex ru>
Date: Wed, 18 Jan 2006 23:47:13 +0300 (MSK)
I will try to summarize my question as much as possible, but it might still get a little lengthy and I apologize in advance. I work for a company that has an internally hosted internet data center that provides some services to the outside. The current environment consists of what are essentially two networks. One network hosts anything that has to do with perimeter access. There are redundant 6509s at the core of the perimeter network and recently we've obtained FWSM and CSM for the switch. There is a form of a three-tier approach; unfortunately a lot of applications are designed so that they often don't fall into this structure. The internal network is also hosted on redundant 6509s. There are no FWSM in these switches. This network hosts the users as well as internal databases, services, etc. The only connection between the two networks is via a 3-interface firewall. One interface hosts the IT department as well as the management segment and the other two interfaces connect to the internal and perimeter 6509s.

Now we are considering a redesign of this approach. There are a number of factors that are driving this. We are trying to improve security and we are also trying to create a more functional management segment, among other things. I've read so many discussions (including this list), reference designs from different vendors, and security best practices that I think I've covered most of them. Although a lot of them are very good, they often deal with hypothetical situations which are hard to imitate. We have real limitations on both human and financial resources, which I am sure a lot of you are very familiar with. We will have to compromise in some areas for certain. For example, even though it is highly recommended to have a separate NIC for management traffic, it's not feasible to accomplish. We also can't separate the management systems into perimeter and internal networks for two reasons. First is the cost of duplication and second are the resources in IT that are able to have eyes on the management systems.

Essentially, the biggest question is the design of the management network. It will host things like MOM, SMS, Solarwinds, backup servers, etc. Therefore it will need to have pretty much unfettered access to all the servers. We are not sure how to design this in a proper manner. No matter how we look at it, without separating management systems into perimeter and internal, there seems to be a vulnerability in one place or the other. We are simply trying to mitigate this as much as possible.

Anyway, let me get to the point. Right now, we are essentially looking at two designs. The first design would keep a lot of things how they are currently set up. A 6509 with FWSM would handle the perimeter. There would be virtual firewalls set up for various tiers and likely some of these tiers would be segmented as well, possibly with private VLANs. The internal 6509 would continue to host the users and the internal servers. The two switches would be connected via a router and the management systems would hang off that router in a separate segment. Some critical internal servers would move into the DB segment on the perimeter switch. We also have an SSL VPN which would be used to provide access from users into the perimeter networks, giving them highly restricted access to the specific resources which they would require. The SSL VPN also requires two-factor authentication. The obvious problem that we see is that the users are not separated by a firewall from the internal servers. Therefore, if it is assumed that users are not considered a trusted zone (better than public access, but not by a whole lot), then the internal servers, at least things like domain controllers, file and print, are at risk as well. It follows that if a user is able to compromise any of the internal servers, then they would have the potential to get into the management segment from an internal server, and if the management segment is compromised then the entire network is compromised.

In an alternative design, both the perimeter and the internal 6509 would be connected via 4 fiber links. The users would move onto the perimeter switch; since that switch handles untrusted traffic from the internet, it might as well handle somewhat untrusted traffic from the users. The database segment would move and be located off the internal switch, which would also host the management segment as well as internal servers. One interface of the VPN device would be connected to the perimeter switch and one would be connected to the internal switch. Perhaps some internal servers such as file and print and domain controllers would be local to the user segment. VLANs coming across the fiber link between the switches can be secured with FWSM on the side of the perimeter switch. Although the same consideration as above applies, where the users may potentially be able to compromise internal servers and then the management segment, I think this is somewhat alleviated by the fact that users would at least be forced to traverse multiple (virtual) firewalls on the perimeter switch in addition to ACLs on the internal switch. I think this also may improve security in the sense that we are not really doing physical separation with FWSM, so if the perimeter switch were to be compromised, at least the internal switch, which would host DB servers with customer data, is separated. I am not sure if this makes any sense without some diagrams, which I could provide. I'll also answer any follow-up questions that you may have.

I would tremendously appreciate it if you take a look at the options that I've mentioned and maybe tell me which design is better, considering the limitations and while taking into consideration security and perhaps the principle of KISS. Maybe there are some fundamental flaws in my logic that you can point out. Thanks ahead.
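One way to make the comparison in the post concrete, as an added example that is not part of the original message: encode each design's segments and the number of enforcement points (FWSM context or ACL) between them, then compute the weakest path from the user segment to the management segment and the set of segments a user can reach without crossing any control at all. The segment names and control counts below are constructed assumptions chosen to match the two descriptions above, not the real configuration.

```python
import heapq

# Constructed model of the two designs in the post (added example, not from the
# original message). Edge = (segment_a, segment_b, controls): the number of
# enforcement points (FWSM context, router/switch ACL) a flow between the two
# segments crosses; 0 = no filtering. All weights are illustrative assumptions.
DESIGN_1 = [  # perimeter 6509 + FWSM, router to internal 6509, mgmt off the router
    ("internet", "web_tier", 1), ("web_tier", "app_tier", 1), ("app_tier", "db_tier", 1),
    ("db_tier", "router", 1), ("router", "internal_servers", 1),  # assumed router ACLs
    ("router", "management", 0),
    ("users", "internal_servers", 0),  # same internal switch, no firewall between them
]
DESIGN_2 = [  # users on perimeter 6509 behind FWSM; DB, mgmt, servers on internal 6509
    ("internet", "web_tier", 1), ("web_tier", "app_tier", 1),
    ("users", "file_print_dc", 0),  # local to the user segment
    ("users", "fiber_trunk", 1), ("app_tier", "fiber_trunk", 1),  # FWSM, perimeter side
    ("fiber_trunk", "internal_servers", 1), ("fiber_trunk", "db_tier", 1),  # internal ACLs
    ("internal_servers", "management", 0), ("db_tier", "management", 0),
]

def build(edges):
    g = {}
    for a, b, w in edges:
        g.setdefault(a, []).append((b, w))
        g.setdefault(b, []).append((a, w))
    return g

def min_controls(edges, src, dst):
    """Fewest enforcement points between src and dst on any path (Dijkstra)."""
    g, best, heap = build(edges), {src: 0}, [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == dst:
            return d
        if d > best[node]:
            continue
        for nxt, w in g[node]:
            if d + w < best.get(nxt, float("inf")):
                best[nxt] = d + w
                heapq.heappush(heap, (d + w, nxt))
    return None  # dst not reachable

def blast_radius(edges, src):
    """Segments reachable from src without crossing any enforcement point."""
    g, seen, stack = build(edges), {src}, [src]
    while stack:
        for nxt, w in g[stack.pop()]:
            if w == 0 and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return sorted(seen - {src})
```

With these assumptions the first design leaves a single control between a compromised user host and the management segment (via the unfiltered internal switch), while the second forces two; changing a weight is how you test whether an extra ACL or context actually changes the weakest path.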