https://community.cisco.com/t5/network-security/best-firewalling-option-for-server-farms/m-p/3228531#M1012406 <P>I can't really give you a straight answer. Option 1 is more secure and option 2 is more flexible, but with correct switch config option 2 can be as secure.</P> <P>If you have a budget for&nbsp;just 2 ASAs, option 1 means no redundancy possibility and option 2 means redundancy is possible. (check license requirements for specific models to make sure)</P> <P>I would lean towards option 2, but if security between the 2 departments has the highest priority than option 1 could be a better fit.</P> <P>&nbsp;</P> Thu, 07 Dec 2017 11:47:58 GMT Bogdan Nita 2017-12-07T11:47:58Z https://community.cisco.com/t5/network-security/best-firewalling-option-for-server-farms/m-p/3227948#M1012403 <P>Gents,</P> <P>&nbsp;</P> <P>I'm working on a design scenario of a network <STRONG>Divestiture</STRONG> where company (A) needs it's data center resources to be completely protected from Company (B) and company (B) also wants protection from company (A).</P> <P>&nbsp;</P> <P>As you can see below topology both the companies are already accessing Internet via different ISP lines using their own external firewalls.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Topology.JPG" style="width: 896px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/4380i6B9917F136324835/image-size/large?v=v2&amp;px=999" role="button" title="Topology.JPG" alt="Topology.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>Now</STRONG> their Server Farms are planned to be protected using the internal firewalls (Cisco ASAs).</P> <P>I've two options to deploy these ASAs to protect both the companies server farms but need your opinion which option is better.</P> <P>&nbsp;</P> <P><FONT face="arial black,avant garde" size="5"><STRONG>OPTION # 1</STRONG></FONT></P> <P>Placing the Firewalls between Core and Top of the Rack server nodes. Static routing between Core and FWs.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Option1.JPG" style="width: 857px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/4381iB7C723ED0AE9376A/image-size/large?v=v2&amp;px=999" role="button" title="Option1.JPG" alt="Option1.JPG" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>OPTION # 2</STRONG></FONT></P> <P><FONT size="3">Connecting the Firewalls directly to the Core and keeping the SVIs of servers' vlans on them I mean on the FWs. In this case anyone who has to access the servers needs to hit the Firewall and </FONT><FONT size="3"><SPAN>traffic to be inspected by the firewall rules.</SPAN></FONT></P> <P>&nbsp;</P> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Option2.JPG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/4382i57E2F085853B41A8/image-size/large?v=v2&amp;px=999" role="button" title="Option2.JPG" alt="Option2.JPG" /></span></STRONG></P> <P>&nbsp;</P> <P><FONT size="3">Kindly, let me know your opinion which option&nbsp;is better to go with.</FONT></P> <P>&nbsp;</P> <P><FONT size="3">Thanks in advance!!</FONT></P> <P>&nbsp;</P> <P><FONT size="3">Kind Regards,</FONT></P> <P><FONT size="3">Umer</FONT></P> <P>&nbsp;</P> Fri, 21 Feb 2020 14:54:58 GMT https://community.cisco.com/t5/network-security/best-firewalling-option-for-server-farms/m-p/3227948#M1012403 umer zubairi 2020-02-21T14:54:58Z https://community.cisco.com/t5/network-security/best-firewalling-option-for-server-farms/m-p/3227983#M1012404 <P>Here are my thoughts on the 2 designs:</P> <P>Security:<BR />- in option 2 vlan hopping could be posible, but this can be avoided by using a unique native vlan<BR />- also if switch interfaces are missconfigured, servers from company A could access vlans from B<BR />Performance:<BR />- probably similar performance in booth cases, but packets in Option 2 will traverse the core switch 2 times<BR />Reundancy:<BR />- In option 1 you would need 4 ASAs for redundancy<BR />- In option 2 you can have 2 ASAs in failover with 2 contexts</P> Wed, 06 Dec 2017 15:13:07 GMT https://community.cisco.com/t5/network-security/best-firewalling-option-for-server-farms/m-p/3227983#M1012404 Bogdan Nita 2017-12-06T15:13:07Z https://community.cisco.com/t5/network-security/best-firewalling-option-for-server-farms/m-p/3228048#M1012405 <P>Thanks Bro for sharing your thoughts!</P> <P>&nbsp;</P> <P>Both the clients aren't willing to invenst more in buying redundant hardware as they've future plans to dissolve the business till their transnational settlement.</P> <P>&nbsp;</P> <P>Therefore, I've only two ASAs to protect their server farms.</P> <P>&nbsp;</P> <P>So what do you think that in a non-redundant firewalling which option will be better to go with.</P> <P>&nbsp;</P> Wed, 06 Dec 2017 16:35:03 GMT https://community.cisco.com/t5/network-security/best-firewalling-option-for-server-farms/m-p/3228048#M1012405 umer zubairi 2017-12-06T16:35:03Z https://community.cisco.com/t5/network-security/best-firewalling-option-for-server-farms/m-p/3228531#M1012406 <P>I can't really give you a straight answer. Option 1 is more secure and option 2 is more flexible, but with correct switch config option 2 can be as secure.</P> <P>If you have a budget for&nbsp;just 2 ASAs, option 1 means no redundancy possibility and option 2 means redundancy is possible. (check license requirements for specific models to make sure)</P> <P>I would lean towards option 2, but if security between the 2 departments has the highest priority than option 1 could be a better fit.</P> <P>&nbsp;</P> Thu, 07 Dec 2017 11:47:58 GMT https://community.cisco.com/t5/network-security/best-firewalling-option-for-server-farms/m-p/3228531#M1012406 Bogdan Nita 2017-12-07T11:47:58Z