Multiple DMZs

gdrandles
Level 1

Scenario:

     I would like to set up multiple DMZs for our hosting servers.  Currently there is a single DMZ in which our reverse proxy servers are connected using a public IP address.  The idea is to have the reverse proxy forward the request from the Internet to the hosting servers in another DMZ.  The purpose of the hosting DMZ is to protect it from the outside as well as from the inside.  There will also be a development DMZ where we can test content prior to going live with the website.

Network:

     We currently have two Cisco 6509s (Core) with a FWSM in each running active/standby configuration.  There is a 10Gb fiber connection between each Cisco switch to two Cisco 4948s (top-of-rack switches).  I can either set up OSPF or trunking between the core and top-of-rack switches.  The Cisco 4948s will support VLAN 7 (hosting DMZ 10.0.7.0/24) and VLAN 8 (development DMZ 10.0.8.0/24).  Each webserver is connected to both Cisco 4948s for redundancy.

Question:

     If I have a single interface connecting both VLANs 7 and 8, either through Layer 2 or 3, then how can I pass both DMZs' traffic to the appropriate servers?  The reason why the servers are in the same rack connected to the same two switches is that we are using blade servers and VMware.

Thanks in advance


3 Replies

Jon Marshall
Hall of Fame

Question:

     If I have a single interface connecting both VLANs 7 and 8, either through Layer 2 or 3, then how can I pass both DMZs' traffic to the appropriate servers?  The reason why the servers are in the same rack connected to the same two switches is that we are using blade servers and VMware.

Thanks in advance

Not entirely sure what you mean by single interface. Do you mean the 10Gbps fiber connection from the 6500 to the 4900?

The way to do this would be to make the links between the 6500s and 4948s trunk links and then have the L3 VLAN interfaces for VLANs 7 and 8 on the FWSM.

Jon

Jon,

  Currently I have one DMZ where the reverse proxy lives.  The appliance is connected to gig 7/47 and is a member of VLAN 200.  VLAN 200 is assigned to the FWSM and has a public IP.  I want to create two more DMZs (DMZ2 and DMZ3).  What you are saying is that I would not be able to run OSPF between the Cisco core switches and the Cisco top-of-rack switches.  I would be better off creating a trunk between the 4 switches and adding two additional VLANs to my firewall vlan-group.  I have been told that you can pass VLANs through a routed link but I want to do it right.  This hasn't been set up yet so I can go with whichever is best practice.  Hopefully it makes a little more sense now.

Thanks,

Damien

Damien

You could route between the 6500s and the 4900s using OSPF and still firewall but it depends on how you set it up. The issue with routing is that it means you have L3 SVIs (VLAN interfaces) for the DMZ servers. This is not generally recommended because DMZs by their nature are routed off the actual firewall.

If you route using L3 SVI then in effect you have placed a router in the DMZ and although there are exceptions where this is sometimes done they really are exceptions. If you ran a trunk from the 6500s to the 4948s then the routed interfaces for the DMZs are actually on the FWSM so the traffic from your DMZ servers has to go through a firewall to get to anything else. This is exactly what a DMZ should do.

However there are some designs where, for example, you are happy to have the firewalled VLANs communicate with each other without firewalling but you need to protect these VLANs from outside access, so you put a firewall in front of them, e.g.

outside -> FWSM -> MSFC -> firewalled vlans

In the above case it could make perfect sense to have the 6500s and 4900s connecting using routing and have their L3 SVIs on either the 6500s or 4900s. But with the above you would need to ensure there were no backdoors, e.g. you wouldn't want another path from the outside that somehow connects and routes off the MSFC.

So without more details it's difficult to say exactly what you need. On a general note, if they really are meant to be DMZs then as I say it is better to have their routing handled by the firewall. If the DMZs do need to talk to each other with firewalling you can still set them up on the firewall and then simply give them the same security level and allow inter-security-interface traffic.

Jon
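The trunk-plus-FWSM design Jon describes in both replies (trunk the 6500-to-4948 links, put the L3 interfaces for VLANs 7 and 8 on the FWSM, and use equal security levels if the DMZs must talk to each other), written out as an added configuration example. This is not configuration from the thread or from Cisco; it assumes a single-context FWSM in routed mode in slot 3, TenGigabitEthernet1/1 as the 6500 uplink, Te1/49 as the 4948 uplink, .1 as the FWSM gateway in each /24 from the question, and a placeholder for the reverse proxy's address in VLAN 200.

```cisco
! ===== Catalyst 6500 supervisor (repeat on the second core switch) =====
vlan 7
 name HOSTING-DMZ
vlan 8
 name DEV-DMZ
!
! Layer 2 trunk to the top-of-rack 4948; carry only the DMZ VLANs.
! Interface number is an assumption for this example.
interface TenGigabitEthernet1/1
 description Trunk to 4948-A
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 7,8
 switchport mode trunk
!
! Deliberately NO "interface Vlan7" / "interface Vlan8" SVIs on the MSFC:
! the FWSM is the only L3 hop out of each DMZ, so nothing bypasses the firewall.
!
! Hand VLANs 7 and 8 to the FWSM (module slot 3 is an assumption).
! VLAN 200, the existing proxy DMZ from the thread, stays in its current group.
firewall vlan-group 1 7,8
firewall module 3 vlan-group 1
!
! ===== FWSM (routed, single context) =====
interface Vlan7
 nameif hosting-dmz
 security-level 50
 ip address 10.0.7.1 255.255.255.0
!
interface Vlan8
 nameif dev-dmz
 security-level 50
 ip address 10.0.8.1 255.255.255.0
!
! Only add this if the two DMZs really must reach each other directly;
! leave it out and the FWSM keeps them isolated by default.
same-security-traffic permit inter-interface
!
! Inbound from the proxy DMZ (VLAN 200) to the hosting DMZ: allow only HTTP(S)
! from the reverse proxy. <PROXY-IP> is a placeholder; the thread gives no address.
access-list proxy-to-hosting extended permit tcp host <PROXY-IP> 10.0.7.0 255.255.255.0 eq 443
access-list proxy-to-hosting extended permit tcp host <PROXY-IP> 10.0.7.0 255.255.255.0 eq 80
access-list proxy-to-hosting extended deny ip any any log
! Apply it on whatever "nameif" VLAN 200 already carries (assumed here: proxy-dmz).
access-group proxy-to-hosting in interface proxy-dmz
!
! ===== Catalyst 4948 top-of-rack (repeat on the second 4948) =====
interface TenGigabitEthernet1/49
 description Uplink to 6500-A
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 7,8
 switchport mode trunk
!
! Blade-chassis / ESX host uplinks: trunk both DMZ VLANs down to the hypervisor
! and let the vSwitch port groups tag VLAN 7 or 8 per VM.
interface GigabitEthernet1/1
 description ESX host 1 uplink
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 7,8
 switchport mode trunk
 spanning-tree portfast trunk
```

Verify on the 6500 with `show firewall vlan-group` and `show firewall module` that VLANs 7 and 8 are assigned to the FWSM and that `show ip interface brief` lists no Vlan7/Vlan8 SVI on the MSFC; on the FWSM, `show interface` should show both new interfaces up with the 10.0.7.1 and 10.0.8.1 addresses. The FWSM address in each VLAN is the servers' default gateway, which is what makes every packet leaving a DMZ pass through the firewall.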
