06-27-2013 02:55 AM - edited 03-11-2019 07:04 PM
Is it advisable to place a firewall in front of my server farm, and why?
06-27-2013 08:40 AM
Firewall questions should be posted in the Security Firewall forum. This forum is strictly wireless.
06-28-2013 09:03 PM
Hello Maro,
A firewall is a device that will be placed into the network to filter traffic (depending on the security policies your management team has set) to protect the internal resources from both internal and outside threats,
So if you place a firewall in front of a server farm that will protect them it would be amazing,
Now remember that you will need to configure the firewall to allow access to those servers on the right ports/services,
Regards
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
06-28-2013 09:20 PM
OK, what do you think about this implementation?
I have servers that will be exposed to internet access, and I also have a server farm which will be used for internal use. Now what do you think of this design: Internet-----Redundant Firewall1 with IPS------Firewall 2----------Core switch -------------Distribution switches-------------End user.
Firewall1: outer interface to internet, internal interface to firewall2, DMZ interface to DNS and email server
Firewall2: outer interface to firewall1, DMZ interface to server farm, internal interface for core switches.
06-28-2013 09:30 PM
Hello Maro,
It looks like you will need to be less restrictive on the Outside firewall as you will have some servers on the DMZ but you can be as restrictive as you want on the 2 ASA,
I like the approach as you are not just adding one layer of security, you are going beyond that which is pretty good,
06-28-2013 09:46 PM
Thank you, but one last question: I have Bluecoat, which is acting as an internet proxy server for wireless users, and Websense for LAN users' access. Where shall I place those devices?
06-28-2013 10:27 PM
Hello Maro,
That depends, if it's just for wireless users you could place it on the same VLAN as them (so the ASA does not need to handle that process {redirect traffic to the Websense server}) but if you need to forward the traffic from multiple subnets you will then need to consider using the ASA to redirect the traffic to those proxies,
Regards
06-28-2013 11:24 PM
Yes, for being restrictive on firewall2, which is connected to the server farm and internal users: the link connected to firewall1 will be level 0, thus no traffic will be allowed by default from firewall1 going to the server farm or internal users. On the other hand, traffic from internal users to the server farm will be allowed, as they will have a higher security level, but I would even make a policy that traffic going from internal users to the server farm would be allowed based on specific server ports.
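The Firewall2 policy described in the post above, sketched as an ASA configuration fragment (an added example, not posted by anyone in this thread). Interface names, the security levels 100 and 50, all addresses, object names and the permitted ports are assumptions chosen for illustration; only the level 0 link toward Firewall1 comes from the post.

```cisco
! Constructed example for Firewall2. Addresses are placeholders.
interface GigabitEthernet0/0
 nameif outside
 ! Link toward Firewall1: level 0, so nothing is admitted inbound by default
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 ! Core switch / internal users: highest level (assumed value)
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif serverfarm
 ! Server farm: lower than inside, higher than outside (assumed value)
 security-level 50
 ip address 10.20.0.1 255.255.255.0
!
object network INSIDE-USERS
 subnet 10.10.0.0 255.255.0.0
object network SRV-WEB
 host 10.20.0.10
object network SRV-DB
 host 10.20.0.20
!
! Without an ACL, inside (100) -> serverfarm (50) is permitted on every port.
! Binding an ACL inbound on "inside" replaces that implicit permit, so each
! allowed server and port has to be listed explicitly.
access-list INSIDE_IN extended permit tcp object INSIDE-USERS object SRV-WEB eq https
access-list INSIDE_IN extended permit tcp object INSIDE-USERS object SRV-DB eq 1433
! Log and drop every other attempt from users to the server farm subnet
access-list INSIDE_IN extended deny ip object INSIDE-USERS 10.20.0.0 255.255.255.0 log
! Remaining user traffic (toward Firewall1 and the internet) is still allowed
access-list INSIDE_IN extended permit ip object INSIDE-USERS any
access-group INSIDE_IN in interface inside
!
! No ACL is bound to "outside": traffic initiated from the Firewall1 side
! toward the server farm or the users stays denied by the level 0 default.
```

The order of the ACL entries matters: the deny for the server farm subnet must sit above the final permit, otherwise that permit would reopen every server port to the users.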
06-29-2013 08:41 AM
Hello Maro,
Excellent,
I have sent you a private message
Regards,
06-30-2013 06:10 AM
Hello Jcarvaja ,
I'm not sure if I got your point about where to attach my Websense and Bluecoat servers. Should they be connected to the outside firewall or the 2nd firewall? Which is better as best practice?
06-30-2013 09:12 AM
Hello Maro,
I meant to say:
I guess you are gonna use it to filter the traffic being generated by the inside users right?
So you could place it on the same interface as the clients, in this way traffic will reach the ASA and get redirected to the right server so traffic can be filtered,
Regards
06-30-2013 09:42 AM
I was thinking of connecting my Bluecoat server (guest wireless users) and my Websense (wired internet traffic) to the Firewall1 DMZ interface? So upload traffic going from internal users to the internet will be PC >> Distribution switch >> Core Switch >> Firewall2 >> Firewall1 >> DMZ >> Blue Coat / Websense >> Firewall1 >> Internet?
06-30-2013 10:10 AM
Hello Maro,
I mean, you should redirect the traffic at the firewall level and it should work,
No problem at all where you place it, it's just that depending on where you place it traffic will need to go further,
But again if everything is properly configured you should be good