
Firewall Implementation

Maro.Cisco
Level 1

Is it advisable to place a firewall in front of my server farm, and why?

Accepted Solutions

Hello Maro,

That depends. If it's just for wireless users, you could place it on the same VLAN as them (so the ASA does not need to handle that process {redirect traffic to the Websense server}), but if you need to forward the traffic from multiple subnets, you will then need to consider using the ASA to redirect the traffic to those proxies.

Regards

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Scott Fella
Hall of Fame

Firewall questions should be posted in the Security Firewall forum. This forum is strictly wireless.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Julio Carvajal
VIP Alumni

Hello Maro,

A firewall is a device that will be placed into the network to filter traffic (depending on the security policies your management team has set) to protect the internal resources from both internal and outside threats,

So if you place a firewall in front of a server farm that will protect them it would be amazing,

Now remember that you will need to configure the firewall to allow access to those servers on the right ports/services,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

OK, what do you think about this implementation?

I have servers that will be exposed to Internet access; I also have a server farm which will be used for internal use. Now what do you think of this design: Internet ----- Redundant Firewall1 with IPS ----- Firewall2 ----- Core switch ----- Distribution switches ----- End user.

Firewall1: outer interface to Internet, internal interface to Firewall2, DMZ interface to DNS and e-mail server

Firewall2: outer interface to Firewall1, DMZ interface to server farm, internal interface for core switches.

Hello Maro,

It looks like you will need to be less restrictive on the outside firewall as you will have some servers on the DMZ, but you can be as restrictive as you want on the 2 ASA,

I like the approach as you are not just adding one layer of security, you are going beyond that which is pretty good,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you, but one last question: I have Blue Coat, which is acting as an Internet proxy server for wireless users, and Websense for LAN users' access. Where shall I place those devices?

Hello Maro,

That depends. If it's just for wireless users, you could place it on the same VLAN as them (so the ASA does not need to handle that process {redirect traffic to the Websense server}), but if you need to forward the traffic from multiple subnets, you will then need to consider using the ASA to redirect the traffic to those proxies.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, for being restrictive on Firewall2, which is connected to the server farm and internal users: the link connected to Firewall1 will be level 0, thus no traffic will be allowed by default from Firewall1 going to the server farm or internal users. On the other hand, traffic from internal users to the server farm will be allowed, as they will have a higher security level, but I would even make a policy that traffic going from internal users to the server farm would be allowed based on specific server ports.
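The Firewall2 policy described in the post above, written out as an ASA configuration sketch; this is an added example, not configuration posted by anyone in the thread. Interface numbering, the `serverfarm` level of 50, all addresses, object names and the permitted ports are constructed assumptions; only the level 0 on the Firewall1-facing link and the higher level for internal users come from the post.

```cisco
! Constructed example for Firewall2; names, addresses and ports are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.0.12.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif serverfarm
 security-level 50
 ip address 10.20.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.30.0.1 255.255.255.0
!
object network SRV-WEB
 host 10.20.0.10
object network SRV-SQL
 host 10.20.0.20
object network SERVERFARM-NET
 subnet 10.20.0.0 255.255.255.0
object network USERS-NET
 subnet 10.30.0.0 255.255.255.0
!
! Internal users reach only the named servers on the named ports.
access-list INSIDE_IN extended permit tcp object USERS-NET object SRV-WEB eq https
access-list INSIDE_IN extended permit tcp object USERS-NET object SRV-SQL eq 1433
! Anything else toward the server farm is dropped and logged.
access-list INSIDE_IN extended deny ip any object SERVERFARM-NET log
! Once an ACL is bound to an interface, its implicit deny replaces the
! "higher level may reach lower level" default, so traffic from users to
! other destinations has to be permitted explicitly.
access-list INSIDE_IN extended permit ip object USERS-NET any
access-group INSIDE_IN in interface inside
!
! No ACL is bound to "outside": connections initiated from the Firewall1
! side toward serverfarm or inside are denied by the security-level default.
```

After applying a policy like this, `packet-tracer input inside tcp 10.30.0.50 40000 10.20.0.20 3389` should report a drop on the `INSIDE_IN` deny line, which confirms the per-port restriction is actually in effect.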

Hello Maro,

Excellent,

I have sent you a private message

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Jcarvaja ,

I'm not sure if I got your point about where to attach my Websense and Blue Coat servers. Should they be connected to the outside firewall or the 2nd firewall? Which is better as best practice?

Hello Maro,

I meant to say:

I guess you are gonna use it to filter the traffic being generated by the inside users right?

So you could place it on the same interface as the clients; in this way traffic will reach the ASA and be redirected to the right server so traffic can be filtered,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I was thinking to connect my Blue Coat server (guest wireless users) and my Websense (wired Internet traffic) to the Firewall1 DMZ interface? So upload traffic going from internal users to the Internet will be PC > Distribution switch > Core switch > Firewall2 > Firewall1 > DMZ > Blue Coat / Websense > Firewall1 > Internet?

Hello Maro,

I mean, you should redirect the traffic at the firewall level and it should work,

No problem at all where you place it, it's just that depending on where you place it traffic will need to go further,

But again if everything is properly configured you should be good

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC