FWSM not a best practice in data center?

poulid
Level 1

Hello. We are in the middle of building a data center at a co-location facility, and are planning on using FWSM modules in our redundant 6500s to "zone" the network there. Basically what we are being told is that each subnet in this new data center will be treated as a separate security zone, with each zone not being able to access the other except on specified ports.

Our server access layer will consist of 4 4948-10G switches (we think), trunked into the core 6500s. This will force traffic through the FWSM, allowing it to be policed.

All of a sudden the company has brought in a "senior" guy to oversee the entire project, and he tells us that it is not best practice to have the FWSM zoning the networks, because if the core switch/FWSM is hacked, the entire network is exposed. We are arguing that this is indeed the case with whatever FW you use.

This is only for the internal side of the network, as we will have a pair of Checkpoint firewalls on the perimeter protecting us from public traffic. He has proposed an ASA 5510 instead of the FWSM, with each subnet being on a different DMZ/interface. This immediately throws up two red flags: throughput and scalability. The ASA has a maximum of 8 ports, and we currently have 8 different subnets that need to be separated. Also, backups will run through this network, and having that amount of traffic traversing the ASA doesn't seem realistic.

Is there any merit in what he is saying? I've always been under the impression that the FWSM was designed almost for this exact situation.

19 Replies

Sorry to resurrect this conversation, but if a so-called expert came in and said it would be a great idea to change the pair of 6500s with FWSM modules, and put in a pair of ASA 5520s instead, what would you say to this person? He says it will be fine to use the 5520 to zone the network, which will contain 60 servers to start. I really don't think the 5520 is designed for this, is it?

Hi

If someone proposes to replace what is an expensive piece of hardware with another expensive piece of hardware, presumably expensive because you will need a high-end ASA for your throughput requirements, then they need to justify why they want to do it.

It might well be fine to use ASAs to firewall your internal network, but why can't the FWSMs do the same thing? Is there additional functionality needed that is not supported by the FWSMs?

Perhaps you could go into a bit more detail as to why your consultant thinks it is such a great idea?

Jon

The consultant is actually trying to replace two 6500s with two ASA 5520s, and is trying to tell management that it is the same thing. Cost seems to be the motivating factor for his argument, since the 6500 with the FWSM is about $50K, whereas the 5520 is only $8K. Essentially the 5520 becomes the 'core' of the network.

He is proposing that each zone would plug into a different interface on the 5520, allowing each network to be secured. Right off the bat I see scalability issues, since we will have at least 6 subnets to start off.

His idea just seems very mickey mouse to me.

It is difficult to be specific and say one solution is right and one wrong without a full set of requirements. I have seen both extremes in my career:

1) A completely over-specced solution with 4 6500s and multiple PIX firewalls for approx. 20 servers.

2) A DC setup based around 3550 switches etc. with gigabit throughput requirements/QoS/ACLs etc.

What does concern me is:

1) An ASA 5520 at the core of a Data Centre network with servers moving large amounts of data. That is one of the main reasons for using an FWSM.

2) The lack of future scalability.

8k vs 50k may sound like a lot but in terms of a DC setup and often compared to the cost of servers/software licenses it is not. You should always allow extra capacity for future requirements in your design.

What I really find worrying is that it seems to be ASA 5520s vs 6500/FWSMs. Even if you chose not to go with the FWSMs, I would still recommend using a pair of switches to connect up the 4948s, and 6500s are the logical choice.

I don't know what your budget is, what proportion of the budget 50k accounts for, or what the future plans are for the DC, but presented with the details you have so far provided I would say:

1) At the very least use a separate pair of switches to interconnect all your 4948 server switches.

2) The FWSM is a reasonable choice and I wouldn't necessarily argue against it, but there are other alternatives and you don't have to use the FWSM simply because you have a 6500 chassis.

A saving of 42k won't look that great if in 6 months time you find you need another 5 subnets and you can't get your backups completed in time.

HTH

Jon

Thanks again Jon. Another idea I've been kicking around now that management seems to really be focusing on cost: what if we plugged all of our servers into a stack of 3750Es, and zoned the networks simply using VACLs? Would the 3750E be able to process the VLAN ACLs fast enough, or would this become the bottleneck? Is this even a reasonable alternative?

The stack could then uplink into a firewall device, at that point probably the 5520, or maybe a 5540. Throughput on the firewall would not be a concern, since server to server traffic would not traverse the firewall, it would stay local to the stack.
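As an added illustration of the VACL zoning idea in the post above (and of the "zones only talk on specified ports" policy from the opening post), here is a constructed 3750E VLAN-map configuration; it is not the poster's or Cisco's own config, and the VLAN numbers, subnets and the permitted port are assumed values. The point it makes is the one that matters when comparing VACLs to an FWSM or ASA: a VLAN map is stateless, so the return direction of every allowed session has to be written out by hand.

```ios
! Constructed example: two-zone separation with a VLAN map on a 3750E stack.
! Zone A = VLAN 10, 10.1.10.0/24 (app servers)   [assumed values]
! Zone B = VLAN 20, 10.1.20.0/24 (database servers, TCP 1433)
! Policy: A may reach B only on TCP 1433; B never initiates to A;
!         traffic inside a zone is left alone.

! Flows allowed across the zone boundary. VLAN maps keep no session state,
! so the reply half of each allowed session is listed explicitly. "established"
! only checks the ACK/RST bits; it is not connection tracking like an FWSM/ASA.
ip access-list extended ZONE_B_ALLOWED
 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 1433
 permit tcp 10.1.20.0 0.0.0.255 eq 1433 10.1.10.0 0.0.0.255 established

! Anything else that crosses between the two zones, in either direction.
ip access-list extended ZONE_B_CROSSING
 permit ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
 permit ip 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255

! Entries are evaluated in sequence order: forward the allowed flows first,
! drop any other packet that crosses the boundary, then forward what remains
! (server-to-server traffic within zone B, which never leaves the stack).
vlan access-map ZONE_B 10
 match ip address ZONE_B_ALLOWED
 action forward
vlan access-map ZONE_B 20
 match ip address ZONE_B_CROSSING
 action drop
vlan access-map ZONE_B 30
 action forward

! Apply the map to zone B's VLAN; it sees packets routed into or out of
! VLAN 20 as well as packets bridged within it.
vlan filter ZONE_B vlan-list 20
```

Protocols without an "established" analogue (UDP, ICMP) need both directions permitted outright, which is the trade-off against the stateful policy an FWSM or ASA applies between the same zones. Every additional zone pair adds another such ACL pair, which is where the scalability question from earlier in the thread reappears.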
