topic Re: Is the network over designed? in Network Security

Is the network over designed?

abdullah.abdulhafid — Mon, 26 Jul 2021 19:52:18 GMT

Dear All,

The uploaded JPG is a summary layout that reflects the network design provided by a contractor for our 6 floor new building. I feel the network is over designed. My question is do I need this number of firewalls? We did ask the LANs traffic to be segregated as they carry different traffic for different purposes?

Re: Is the network over designed?

Marius Gunnerud — Mon, 26 Jul 2021 20:17:38 GMT

I agree that this is overkill with firewalls. You would only need the following:

- a pair of firewalls in HA setup

- Etherchannel configuration between ASAs and the 3650 switches. Configure subinterfaces on the portchannel for the various LANs

- Configure access rules restricting access between the LANs on the sub interfaces

- ***no L3 routing on the switches***. If L3 is required on the switches use VRFs

I do not know what your requirements are, but I would also suggest looking into using FTD devices and not ASAs. I would also suggest using Firepower software instead of ASA with the threat license as a minimum. This is because Firepower will provide IPS while the ASA does not. It can also do almost everything the ASA can do.

If Firepower software is not an option, the FTD devices can also run ASA software.

Re: Is the network over designed?

Leo Laohoo — Mon, 26 Jul 2021 23:00:25 GMT

Where did the contractor get this design from because it looks like one from a PacketTracer design.

Without knowing the criteria of the network it is hard to determine if the FW are overkills.

Re: Is the network over designed?

Marvin Rhoads — Tue, 27 Jul 2021 08:34:14 GMT

It looks like homework to me. No reputable contractor anywhere in the world would propose a design with 6 out of 7 devices being past end-of-sales.

Re: Is the network over designed?

abdullah.abdulhafid — Tue, 27 Jul 2021 09:34:12 GMT

Sorry Marvin,

The sketch is done by myself. I do not have the authority to publish the original documents. The LANs in our network represent different security system for example; Fire and Gas system, PA/GA system and etc.

I am worried about the number of firewalls and I need to reduce the cost as long as there is no security breach.

Abdalla

Re: Is the network over designed?

abdullah.abdulhafid — Tue, 27 Jul 2021 09:35:38 GMT

The original documents are not allowed to be uploaded. The layout is done by myself however it describes the real design.

Re: Is the network over designed?

abdullah.abdulhafid — Tue, 27 Jul 2021 09:50:07 GMT

Thank you Marius,

Do you suggest to add another layer by using VFRs in case we use L3 features?

Re: Is the network over designed?

Leo Laohoo — Tue, 27 Jul 2021 10:08:46 GMT

@abdullah.abdulhafid wrote:

I do not have the authority to publish the original documents. The LANs in our network represent different security system for example; Fire and Gas system, PA/GA system and etc.

If this network is deemed as "confidential" then why take un-necessary risk?

Get a reputable system integrator for confidentiality protection.

Re: Is the network over designed?

Marius Gunnerud — Tue, 27 Jul 2021 10:18:40 GMT

I suggest a combination of VRFs and a papir of firewalls in HA.

Re: Is the network over designed?

Marius Gunnerud — Tue, 27 Jul 2021 15:49:12 GMT

Also, forgot to mention, whether you use VRFs pr not depends on your design. If you are not doing any routing on the L3 switch then there is no need for VRF so just trunk the VLANs to the firewall.

I also agree with Leo that with regards to who you choose to do the design and implementation. The cheapest provider on design and implementation often ends up being the most expensive in the long run.