Firewall Wizards mailing list archives

Network Design question


From: "golovast" <golovast () yandex ru>
Date: Wed, 18 Jan 2006 23:47:13 +0300 (MSK)


I will try to summarize my question as much as possible, but it might still get a little lengthy and I apologize in 
advance.

I work for a company that has an internally hosted internet data center that provides some services to the outside. 
The current environment consists of what are essentially two networks. One network hosts anything that has to do with 
perimeter access. There are redundant 6509s at the core of the perimeter network and recently we've obtained FWSM and 
CSM for the switch. There is a form of a three-tier approach; unfortunately a lot of applications are designed so that 
they often don't fall into this structure. 

The internal network is also hosted on redundant 6509s. There are no FWSMs in these switches. This network hosts the 
users as well as internal databases, services, etc. 

The only connection between the two networks is via a 3-interface firewall. One interface hosts the IT department as 
well as the management segment and the other two interfaces connect to the internal and perimeter 6509s. 


Now we are considering a redesign of this approach. There are a number of factors that are driving this. We are trying 
to improve security and we are also trying to create a more functional management segment among other things. 

I've read so many discussions (including this list), reference designs from different vendors, and security best 
practices that I think I've covered most of them. Although a lot of them are very good, they often deal with 
hypothetical situations which are hard to imitate. We have real limitations on both human and financial resources, 
which I am sure a lot of you are very familiar with. We will have to compromise in some areas for certain. For example, 
even though it is highly recommended to have a separate NIC for management traffic, it's not feasible to accomplish. We 
also can't separate the management systems into perimeter and internal networks for two reasons. The first is the cost 
of duplication and the second is the resources in IT that are able to have eyes on the management systems. 


Essentially, the biggest question is the design of the management network. It will host things like MOM, SMS, 
Solarwinds, backup servers, etc. Therefore it will need to have pretty much unfettered access to all the 
servers. We are not sure how to design this in a proper manner. No matter how we look at it, without separating 
management systems into perimeter and internal, there seems to be a vulnerability in one place or the other. We are 
simply trying to mitigate this as much as possible.


Anyway, let me get to the point. Right now, we are essentially looking at two designs. The first design would keep a 
lot of things how they are currently set up. A 6509 with FWSM would handle the perimeter. There would be virtual 
firewalls set up for various tiers and likely some of these tiers would be segmented as well, possibly with private 
VLANs. The internal 6509 would continue to host the users and the internal servers. The two switches would be connected 
via a router and the management systems would hang off that router in a separate segment. Some critical internal 
servers would move into the DB segment on the perimeter switch. We also have an SSL VPN which would be used to provide 
access from users into the perimeter networks, giving them highly restricted access to the specific resources which 
they would require. The SSL VPN also requires two-factor authentication. The obvious problem that we see is that the 
users are not separated by a firewall from the internal servers. Therefore, if it is assumed that users are not 
considered a trusted zone (better than public access, but not by a whole lot), then the internal servers, at least 
things like domain controllers, file and print, are at risk as well. It follows that if a user is able to compromise 
any of the internal servers, then they would have the potential to get into the management segment from an internal 
server, and if the management segment is compromised then the entire network is compromised. 


In an alternative design, both the perimeter and the internal 6509 would be connected via 4 fiber links. The users 
would move onto the perimeter switch; since that switch handles untrusted traffic from the internet, it might as well 
handle somewhat untrusted traffic from the users. The database segment would move and be located off the internal 
switch, which would also host the management segment as well as internal servers. One interface of the VPN device would 
be connected to the perimeter switch and one would be connected to the internal switch. Perhaps some internal servers 
such as file and print and domain controllers would be local to the user segment. VLANs coming across the fiber link 
between the switches can be secured with FWSM on the side of the perimeter switch. Although the same consideration as 
above applies, where the users may potentially be able to compromise internal servers and then the management segment, 
I think this is somewhat alleviated by the fact that users would at least be forced to traverse multiple (virtual) 
firewalls on the perimeter switch in addition to ACLs on the internal switch. I think this also may improve security in 
the sense that we are not really doing physical separation with FWSM, so if the perimeter switch were to be compromised, 
at least the internal switch, which would host DB servers with customer data, is separated. 


I am not sure if this makes any sense without some diagrams, which I could provide. I'll also answer any follow-up 
questions that you may have. I would tremendously appreciate it if you took a look at the options that I've mentioned 
and maybe told me which design is better, considering the limitations and while taking into consideration security and 
perhaps the principle of KISS. Maybe there are some fundamental flaws in my logic that you can point out. 


Thanks ahead. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards