Educause Security Discussion mailing list archives

Re: Data Center Design - Are discrete routers needed?


From: "Hahues, Sven" <shahues () FGCU EDU>
Date: Fri, 29 Apr 2011 13:57:04 -0400

Mr. Flynn,

Based on what you said, it sounds to me like you are going to be routing datacenter traffic and want to firewall it.  
If this is the case you might as well do it all on one firewall, especially since you said the inline device will have 
to support the traffic capabilities anyways.

This does not sound too much different than creating a screened subnet/dmz just on the trusted side of your network.  
Simple vlan and some ospf/static routing can be done by pretty much any moderately powerful firewall these days.

While you do not mention this directly, I would personally shy away from putting all important networks into one 
firewall unless you have built in redundancy or are using them just for firewalling/simple routing.  If you start 
adding extra complexity, such as a lot of IPsec site-site vpn tunnels, or BGP routing with multiple peers, separating 
it out would probably not be a bad idea.

As far as the blades go, I cannot speak to that, we have always used a purpose built appliance.

In regards to the counter points you posted specifically:

*       firewalls won't be able to handle the aggregate performance needs
I think this greatly depends on what firewall you purchase.  Juniper's SRX series of firewalls scales to some insane 
amount of traffic, anywhere from a few 100mbit to 120gbps (in their biggest SRX 5800).

*       best of breed devices designed specifically for routing should be used rather than firewalls
This really depends on your routing needs.  If all the device does is static routing, you do not really need a fully 
featured router.  Then again, looking at the SRX series it has all the routing capabilities of a Junos-based router, 
with a firewall stack on top.  That could give you both depending on your needs.

*       having two sets of devices will be more reliable as it will provide more configuration and downtime response 
options
This is partially correct in my opinion.  If you get a device that has good failover support they can be just as 
reliable.  You do however get more flexibility out of two devices than one.

*       routers will have more features and capabilities to support redundant, high availability paths between multiple 
data centers.
I hate to use the cop-out answer, but it really depends on a lot of stuff.  If you have data centers that are 
relatively close together you can use some vendor-specific failover technology and not have to worry about using VRRP 
or other things like that.  If you have the need to run some automatic route failover via BGP (i or e), then a real 
router would probably be better.

Sorry for the long wall of text.

TL;DR - I think it really depends on your budget, and factors such as locations, and traffic volumes.

HTH

Sven

Sven Hahues
FGCU Network Services
Tel: (239) 590 1337
E-Mail: shahues () fgcu edu

Computing & Network Services will NEVER ask you for your password
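As an added illustration of the "screened subnet on the trusted side" design that Sven's reply describes (this is example configuration written for this archive page; it is not from Sven, Gary, or Juniper): a Junos SRX fragment in which the firewall is the gateway for a data center VLAN, carries a static default plus OSPF toward the campus core, and permits only HTTPS from campus into the server zone. The interface names, VLAN ID, zone names, address-book entry and all addresses are assumptions chosen for the example. Lines beginning with "#" are annotations and must be stripped before the fragment is applied with "load set".

```junos
# Example only: ge-0/0/0, ge-0/0/1, VLAN 10, the zone names and all addresses are assumptions.

# Trunk from the data center switch; VLAN 10 becomes the server subnet's gateway.
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 10 description "DC application servers (VLAN 10)"
set interfaces ge-0/0/0 unit 10 vlan-id 10
set interfaces ge-0/0/0 unit 10 family inet address 10.10.10.1/24

# Uplink toward the campus core.
set interfaces ge-0/0/1 unit 0 description "Uplink to campus core"
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.2/30

# Routing on the firewall: a static default plus OSPF to learn campus prefixes.
# The server VLAN is passive, so OSPF advertises it without forming adjacencies there.
set routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set protocols ospf area 0.0.0.0 interface ge-0/0/0.10 passive

# Zones: only the protocols each interface actually needs may terminate on the firewall itself.
set security zones security-zone campus interfaces ge-0/0/1.0 host-inbound-traffic protocols ospf
set security zones security-zone campus interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone dc-app interfaces ge-0/0/0.10 host-inbound-traffic system-services ping
set security zones security-zone dc-app address-book address web-servers 10.10.10.0/24

# Policy campus -> dc-app: HTTPS to the servers only; everything else is denied and logged.
set security policies from-zone campus to-zone dc-app policy allow-https match source-address any
set security policies from-zone campus to-zone dc-app policy allow-https match destination-address web-servers
set security policies from-zone campus to-zone dc-app policy allow-https match application junos-https
set security policies from-zone campus to-zone dc-app policy allow-https then permit
set security policies from-zone campus to-zone dc-app policy deny-log match source-address any
set security policies from-zone campus to-zone dc-app policy deny-log match destination-address any
set security policies from-zone campus to-zone dc-app policy deny-log match application any
set security policies from-zone campus to-zone dc-app policy deny-log then deny
set security policies from-zone campus to-zone dc-app policy deny-log then log session-init

# Policy dc-app -> campus: servers may initiate outbound; any zone pair not listed stays default-deny.
set security policies from-zone dc-app to-zone campus policy servers-out match source-address web-servers
set security policies from-zone dc-app to-zone campus policy servers-out match destination-address any
set security policies from-zone dc-app to-zone campus policy servers-out match application any
set security policies from-zone dc-app to-zone campus policy servers-out then permit
```

The point of the fragment is that the routing pieces Gary's proposal needs (VLAN sub-interfaces, a static route, an OSPF adjacency) sit in the same configuration as the zone policy that does the actual filtering, so no separate distribution router is involved in this path. Sven's caveat about putting every important network on one box still applies: a single device configured this way is a single point of failure unless it is deployed as a redundant pair, and the more routing state it carries (BGP peers, many VPN tunnels) the more a change or fault on the firewall affects traffic that only wanted to be routed.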


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Flynn, 
Gary - flynngn
Sent: Friday, April 29, 2011 12:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Data Center Design - Are discrete routers needed?

Hi,

We're contemplating new architectures for our data centers. One of our discussions involved whether it is necessary to 
have both distribution routers and firewalls inside the data center. My contention is that firewalls can handle any 
internal data center distribution needs as any layer 3 routing or vlan support needs are a subset of firewall 
functionality and easily handled by them. Additionally, the firewalls are going to be present in either architecture 
and be inline with any traffic so their performance and reliability capabilities have to be on par with other inline 
devices anyway. Simply bring the traffic to the data center and terminate it in either a simple router with one leg to 
the firewall infrastructure or into the firewall infrastructure itself. This, to me, decreases unnecessary complexity 
and cost. The other side of the argument says:

*       firewalls won't be able to handle the aggregate performance needs
*       best of breed devices designed specifically for routing should be used rather than firewalls
*       having two sets of devices will be more reliable as it will provide more configuration and downtime response 
options
*       routers will have more features and capabilities to support redundant, high availability paths between multiple 
data centers. 

We're also trying to decide where firewall blades installed in routers fit in the schemes.

Any opinions? ;)

If you don't want to respond publicly, all non-list responses will be kept confidential and will be shared only within 
the small IT group evaluating options. I'll also anonymize the response before sharing internally if you desire.

If enough off-list responses are received, I'll anonymize the responses and re-post a summary unless asked not to.

Thanks in advance for any opinions or experiences.



-- 
Gary Flynn
Security Engineer
James Madison University

