Firewall and VSS

mateens
Level 1

Hi,

We are a school of around 800 students and 300-400 employees, upgrading our single core Cisco 6509E switch to a redundant core with VSS (not sure which switch model we will get). We use only ACLs now, but I suppose that is not enough security? And we are looking to use Azure for all our 20 servers and for storage and backup in future, so we would need a Site-to-Site VPN capable device.

Questions are that:

If we need a firewall, does that need to be a pair of devices for redundancy, connecting to both the core switches, and does the same go for firewall modules?

What are the features which a firewall must have, to mention in the requirements document? As we are a school, not a bank, we just need some basic features.

How do I know how much throughput (capability) I need for our firewalls?


Dennis Mink
VIP Alumni

Let me kick this off. If you have a redundant core using VSS, you don't necessarily need a redundant firewall, but you can. You can have an HA ASA pair for failover, or have one ASA with a port channel: one link from the ASA to switch A and one to switch B, but port-channeled.

Please remember to rate useful posts, by clicking on the stars below.

Yes, but wouldn't that firewall again be a single point of failure in the network?

Yes, it would be, unless you deploy 2 firewalls with two internet connections. Run BGP between them and your ISP.


jimholla
Cisco Employee
Are you asking about running a firewall in Azure or on premises?

Regards...Jim


On premises. As far as I understand, to connect Azure to the on-premises network a Site-to-Site VPN capable device would be needed locally. And we also need some firewall functionality to get better protection than ACLs.

Marvin Rhoads
Hall of Fame

Questions are that:

If we need a firewall, does that need to be a pair of devices for redundancy, connecting to both the core switches, and does the same go for firewall modules?

What are the features which a firewall must have, to mention in the requirements document? As we are a school, not a bank, we just need some basic features.

How do I know how much throughput (capability) I need for our firewalls?


A pair of firewalls with IPS features like ASA 55xx and Firepower service modules or ASAs / Firepower appliances running FTD is recommended.

Your network and systems as a whole need to be protected against the current and evolving threat landscape. An edge firewall is just one piece of that. Equally (if not more) important is protecting yourself with endpoint protection (like AMP for Endpoints) and DNS-based protection (like Umbrella).

As far as throughput, what's your Internet connection speed, how much of it do you use, and what's the trend / projection? If you don't monitor it, you should, or maybe your provider can provide some metrics. That number is an important one in choosing the right firewall, as functional features are almost the same across a broad range of models.

Endpoint protection is in place; we are just working out the edge firewall piece. We have a 1G Internet connection. Last week's average traffic in/out was around 200 Mbit/s. We are connected to the ISP's managed router on a 10G physical link.

So should the firewall throughput be 500 Mbit/s or 1G, keeping in mind the Azure migration in the near future?

The Firepower 2110 with FTD image would be a good choice as it has 2 Gbps throughput with all features active.

If you run a pair of them you should manage them with a 2-device license of Firepower Management Center running on a VM (assuming you have an ESXi or KVM virtualization environment).

Hi,

Thanks for the help. Specs for the 2110 say IPsec VPN throughput is 750 Mbps. As we are planning to put all our servers in Azure and connect to them via VPN, do you think this throughput would be enough for us?

Traffic on our server VLAN is around 500 Mbit/s avg.

That should be fine.

When you move all the servers to Azure, I'd assume their storage and backup will be done in the Azure cloud too. That probably accounts for a significant portion of your current traffic on your server VLAN.

Yes, we would be moving storage and backup there too. So that does not need to go through the VPN connection with Azure? Can you point me to some document which could clear my confusion? Thanks.

No general document is going to account for your exact use case.

It should be provable though given some detailed analysis of your current utilization statistics.

I can share stats, can you guide me in the right direction a bit further?

Ideally, something like NetFlow data would give you a good idea of how much traffic to the server subnet is user traffic vs. traffic for storage and server-to-server things.
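As an added illustration of the NetFlow-based breakdown suggested above (this is not code from the thread or from Cisco): a small Python script that classifies constructed flow records by assumed user, server and storage subnets, then estimates how much of the server-VLAN traffic would actually cross the site-to-site VPN once servers, storage and backup all sit in Azure. The subnets and flow records are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Assumed subnets (hypothetical, not from the thread).
ROLES = {
    "user": ipaddress.ip_network("10.1.0.0/16"),     # user VLANs stay on campus
    "server": ipaddress.ip_network("10.2.0.0/24"),   # server VLAN moving to Azure
    "storage": ipaddress.ip_network("10.3.0.0/24"),  # storage/backup, also moving
}

# Constructed NetFlow-style sample: (src, dst, bytes) seen in one 60-second window.
SAMPLE_FLOWS = [
    ("10.1.5.20", "10.2.0.10", 450_000_000),    # user -> file server
    ("10.2.0.10", "10.1.5.20", 1_200_000_000),  # file server -> user
    ("10.2.0.10", "10.3.0.5", 2_400_000_000),   # server -> backup target
    ("10.2.0.11", "10.2.0.12", 600_000_000),    # server -> server replication
    ("10.1.7.3", "10.2.0.11", 150_000_000),     # user -> app server
]

def role_of(ip):
    """Map an address to its assumed role; anything outside ROLES is 'other'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ROLES.items():
        if addr in net:
            return name
    return "other"

def classify(flows):
    """Sum bytes per traffic class, counting only flows that touch the server VLAN."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        roles = {role_of(src), role_of(dst)}
        if "server" not in roles:
            continue  # not server-VLAN traffic; irrelevant to this sizing
        if "user" in roles:
            totals["user_server"] += nbytes
        elif "storage" in roles:
            totals["server_storage"] += nbytes
        else:
            totals["server_server"] += nbytes
    return dict(totals)

def mbps(nbytes, seconds=60):
    return nbytes * 8 / seconds / 1_000_000

def vpn_sizing(flows):
    # Only user<->server traffic crosses the VPN after migration; server-server
    # and server-storage traffic stays inside the cloud.
    t = classify(flows)
    total, over_vpn = sum(t.values()), t.get("user_server", 0)
    return {"server_vlan_total_mbps": round(mbps(total), 1),
            "vpn_required_mbps": round(mbps(over_vpn), 1),
            "stays_in_cloud_mbps": round(mbps(total - over_vpn), 1)}
```

Run `vpn_sizing(SAMPLE_FLOWS)` against real exporter data by replacing the sample list; the point is that the VPN figure to compare with the 2110's 750 Mbps is the user-to-server share, not the whole server-VLAN average.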
