Educause Security Discussion mailing list archives

Re: Data Center Design - Are discrete routers needed?


From: David Gillett <gillettdavid () FHDA EDU>
Date: Fri, 29 Apr 2011 09:09:02 -0700

  We're revising our architecture as part of updating our network equipment.
One of the problems to be solved is how to route "interesting" traffic so it
will be filtered by a central firewall; this challenge evaporates if the
core router IS the firewall....
 
David Gillett
CISSP CCNP

  _____  

From: Flynn, Gary - flynngn [mailto:flynngn () JMU EDU] 
Sent: Friday, April 29, 2011 09:03
To: SECURITY () listserv educause edu
Subject: [SECURITY] Data Center Design - Are discrete routers needed?


Hi,

We're contemplating new architectures for our data centers. One of our
discussions involved whether it is necessary to have both distribution
routers and firewalls inside the data center. My contention is that
firewalls can handle any internal data center distribution needs as any
layer 3 routing or VLAN support needs are a subset of firewall functionality
and easily handled by them. Additionally, the firewalls are going to be
present in either architecture and be inline with any traffic so their
performance and reliability capabilities have to be on par with other inline
devices anyway. Simply bring the traffic to the data center and terminate it
in either a simple router with one leg to the firewall infrastructure or
into the firewall infrastructure itself. This, to me, decreases unnecessary
complexity and cost. The other side of the argument says:

*       firewalls won't be able to handle the aggregate performance needs 

*       best of breed devices designed specifically for routing should be
used rather than firewalls 

*       having two sets of devices will be more reliable as it will provide
more configuration and downtime response options 

*       routers will have more features and capabilities to support
redundant, high availability paths between multiple data centers. 

We're also trying to decide where firewall blades installed in routers fit
in the schemes.

Any opinions? ;)

If you don't want to respond publicly, all non-list responses will be kept
confidential and will be shared only within the small IT group evaluating
options. I'll also anonymize the response before sharing internally if you
desire.

If enough off-list responses are received, I'll anonymize the responses and
re-post a summary unless asked not to.

Thanks in advance for any opinions or experiences.



-- 
Gary Flynn
Security Engineer
James Madison University
