
Best Firewalling Option For Server Farms

umer zubairi (Level 1)

Gents,

 

I'm working on a design scenario for a network divestiture where company (A) needs its data center resources to be completely protected from company (B), and company (B) also wants protection from company (A).

 

As you can see in the topology below, both companies are already accessing the Internet via different ISP lines, using their own external firewalls.

[Image: Topology.JPG]

 

Now their server farms are planned to be protected using internal firewalls (Cisco ASAs).

I have two options for deploying these ASAs to protect both companies' server farms, but I need your opinion on which option is better.

 

OPTION # 1

Placing the firewalls between the core and the top-of-rack server nodes, with static routing between the core and the FWs.

[Image: Option1.JPG]

 

 

OPTION # 2

Connecting the firewalls directly to the core and keeping the SVIs of the servers' VLANs on them, I mean on the FWs. In this case, anyone who has to access the servers needs to hit the firewall, and the traffic is inspected by the firewall rules.

 

[Image: Option2.JPG]

 

Kindly let me know your opinion on which option is better to go with.

 

Thanks in advance!!

 

Kind Regards,

Umer

 


3 Replies

Bogdan Nita (VIP Alumni)

Here are my thoughts on the 2 designs:

Security:
- in option 2 VLAN hopping could be possible, but this can be avoided by using a unique native VLAN
- also, if switch interfaces are misconfigured, servers from company A could access VLANs from B
Performance:
- probably similar performance in both cases, but packets in option 2 will traverse the core switch 2 times
Redundancy:
- in option 1 you would need 4 ASAs for redundancy
- in option 2 you can have 2 ASAs in failover with 2 contexts
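
As an added example (not part of the thread, and not Cisco's or either poster's code): the two switch-side risks raised in the reply above, VLAN hopping through the default native VLAN and misconfigured interfaces letting company A's servers reach company B's VLANs, can be checked mechanically rather than by eyeballing the running-config. The Python script below parses an IOS-style configuration and flags trunks left on native VLAN 1, trunks that carry every VLAN or VLANs belonging to both companies, ports whose mode is not pinned (so DTP could negotiate them into a trunk), and ports missing `switchport nonegotiate`. The embedded configuration, the interface roles, and the VLAN numbers (10 and 11 for company A, 20 and 21 for company B, 999 as the unused native VLAN) are constructed for this example.

```python
# Audit an IOS-style switch config for the port settings that decide whether
# company A's servers can reach company B's VLANs through a shared core.
# Constructed sample config (an assumption for this example, not from the
# thread); interface roles and VLAN numbers are hypothetical.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description trunk to company A ASA - weak, defaults left in place
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description trunk to company A ASA - hardened
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,11
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 description company A server - weak, mode not pinned so DTP answers
 switchport access vlan 10
!
interface GigabitEthernet1/0/4
 description company B server - hardened
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/5
 description trunk that leaks across the divestiture boundary
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10-11,20
 switchport mode trunk
 switchport nonegotiate
!
"""
TENANT_VLANS = {"A": {10, 11}, "B": {20, 21}}  # assumed VLAN ownership after the split


def parse_interfaces(config):
    """Group the indented lines under each 'interface X' stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return interfaces


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10-11,20' into {10, 11, 20}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_interface(lines):
    """Return (code, explanation) findings for one stanza; empty means clean."""
    mode = None
    native_vlan = 1      # IOS default when no native VLAN is configured
    allowed = None       # None means every VLAN is carried on the trunk
    nonegotiate = False
    for line in lines:
        if line == "switchport mode trunk":
            mode = "trunk"
        elif line == "switchport mode access":
            mode = "access"
        elif line.startswith("switchport trunk native vlan "):
            native_vlan = int(line.rsplit(None, 1)[1])
        elif line.startswith("switchport trunk allowed vlan "):
            allowed = expand_vlan_list(line.rsplit(None, 1)[1])  # plain list form only
        elif line == "switchport nonegotiate":
            nonegotiate = True
    findings = []
    if mode is None:
        findings.append(("mode-not-pinned", "no 'switchport mode': DTP can negotiate the port into a trunk"))
    if mode == "trunk":
        if native_vlan == 1:
            findings.append(("native-vlan-1", "native VLAN 1 (default): frames double-tagged from VLAN 1 can hop; use an unused ID"))
        if allowed is None:
            findings.append(("all-vlans-allowed", "every VLAN carried; prune to this company's VLANs"))
        else:
            owners = sorted(t for t, v in TENANT_VLANS.items() if allowed & v)
            if len(owners) > 1:
                findings.append(("cross-tenant-trunk", "carries VLANs of company " + " and ".join(owners)))
    if mode is not None and not nonegotiate:
        findings.append(("dtp-enabled", "'switchport nonegotiate' missing: DTP is still sent and answered"))
    return findings


def audit_config(config):
    """Audit every interface stanza; returns {interface name: findings}."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, findings or "clean")
```

To use it on a real switch, save the output of `show running-config` to a file and feed its text to `audit_config` in place of `SAMPLE_CONFIG`. Only the plain `switchport trunk allowed vlan <list>` form is parsed (not the `add`, `remove`, `all` or `none` variants), which is a simplification of this example. The hardened ports, GigabitEthernet1/0/2 and 1/0/4, come back clean; that is the shape to aim for on every port that faces the other company's equipment, whichever of the two options is chosen.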

Thanks, bro, for sharing your thoughts!

 

Both clients aren't willing to invest more in buying redundant hardware, as they have future plans to dissolve the business until their transnational settlement.

 

Therefore, I've only two ASAs to protect their server farms.

 

So, what do you think: with non-redundant firewalling, which option would be better to go with?

 

Accepted Solution

I can't really give you a straight answer. Option 1 is more secure and option 2 is more flexible, but with the correct switch config, option 2 can be as secure.

If you have a budget for just 2 ASAs, option 1 means no redundancy is possible and option 2 means redundancy is possible (check the license requirements for the specific models to make sure).

I would lean towards option 2, but if security between the 2 departments has the highest priority, then option 1 could be a better fit.

 
