DMZ Design with two Firewalls

benolyndav
Level 4

Hi

What is the best practice, i.e. what rules do we apply to the external-facing FW? Also, should I have a switch for each interface? Also, do DMZ servers need a public IP, or is a private IP OK with NAT?

Thanks

3 Replies

Hi,
The outside and inside interfaces should be connected to separate switches. Ideally you'd have 2 of everything, so you'd have 2 x ASA which would be configured either Active/Standby or Active/Active. In this scenario you'd connect each ASA's interfaces into different switches (2 on the outside and 2 on the inside network) to provide full resiliency.

As far as firewall rules are concerned, block all inbound except what you need to permit. Ideally you'll have a public IP address range on the outside interface network; this would then be NATed to the private IP addresses on the hosts in the inside network.

HTH

Hi

Thanks for your quick response. Could you take a look at the attachment and possibly add in a location for the Guest DHCP scope to be placed, and also any VLAN ideas for added security? Also, does this design work technically, and how secure is it?

Thanks

Dennis Mink
VIP Alumni

A dedicated switch for the DMZ is definitely recommended.

Approach security of your DMZ as a non-trusted zone, so only allow from the DMZ to a trusted zone (internal) what you explicitly define.

Please remember to rate useful posts, by clicking on the stars below.
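Putting the two replies together (deny inbound by default, static NAT of a public address to a private DMZ host, and an explicitly defined DMZ-to-inside policy), here is an added ASA 8.3+ style configuration sketch; it is not from this thread or from Cisco, and the interface numbering, the 203.0.113.0/24 public range, the 172.16.10.0/24 DMZ, the 10.0.0.0/24 inside network and the 10.0.0.53 DNS server are assumed documentation values.

```cisco
! Added example, not from the thread: three-interface ASA (8.3+ NAT syntax)
! All addresses are assumed documentation values, not a real deployment
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! DMZ web server keeps a private address; one public address is statically NATed to it
object network DMZ-WEB
 host 172.16.10.10
 nat (dmz,outside) static 203.0.113.10
! Inside hosts reach the internet via PAT on the outside interface address
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Outside: block everything inbound except the one service that must be reachable
! (post-8.3 ACLs match the real/private address of the object, not the NATed one)
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! DMZ is untrusted: permit only the explicitly defined flow toward inside
! (DNS to an assumed internal resolver), deny the rest of the inside network,
! then let the DMZ host out to the internet for updates and log everything else
access-list DMZ-IN extended permit udp object DMZ-WEB host 10.0.0.53 eq 53
access-list DMZ-IN extended deny ip any 10.0.0.0 255.255.255.0 log
access-list DMZ-IN extended permit tcp object DMZ-WEB any eq 443
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface dmz
```

Because the DMZ ACL denies the whole inside network before the outbound permit, a compromised DMZ host cannot reach inside except via the one listed flow, and the logged denies give the SOC a direct signal of that attempt.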
