08-11-2014 06:29 AM - edited 03-11-2019 09:36 PM
Hi,
I am setting up a DMZ environment to have external customers access my servers sitting in the DMZ. I have attached the diagram for reference.
Proposed Setup
1) 2x ISP links (redundant) - IPSEC connections from customer terminating on our Internet Facing FWs.
2) There are 2 DMZ FWs separating the Corporate (internal) and External environment.
3) The APP server and Jump server are placed behind the Server switches.
Requirement
1) External customer needs to access Jump server and APP server from over the Internet IPSEC VPN
2) Internal (Corporate) users need to access the Jump server and App server.
3) Any user accessing the Jump server would need to get authenticated by a Domain controller. The Domain controller would be on the Internal corporate segment.
Questions
1) With the current design, Internal users have to pass DMZ FW and Internet FW to access server. Is it recommended? Is it ok to connect the servers behind a separate pair of server switches? Or can they connect directly to DMZ switches? What is the best possible solution (standard) that is generally followed in this case?
2) If there are multiple customers with IPSEC VPNs coming in, can VLANs be defined and access given accordingly to the servers?
Appreciate your inputs.
Cheers
Mikey
08-11-2014 07:38 AM
Could anyone please reply to this.
Thanks in advance.
08-12-2014 04:51 AM
Hi,
Can anyone please reply to this? Or else please guide me if I need to take this to another forum?
Thanks
Mikey
08-12-2014 07:15 AM
Hi Mikey,
I am not sure why you have kept the corporate network under the DMZ zone. In general security practice we usually keep the DMZ zone/DMZ firewall for the server/hosting environment where external parties require access, for example a web server / application server.
So your design requires some changes in order to have a better architecture:
internet
|
router
|
external SW
|
internet facing firewalls
|
DMZ SW and Jump Server / Application Server (DMZ Interface of the Firewall).
Internet facing Firewall
|
LAN Interface SW (Inside Interface of the firewall)
|
LAN FW (If you really want to keep it)
|
Corporate Network
Regards
Karthik
08-14-2014 02:54 AM
Hi Karthik,
Thanks for your reply. My Corporate Zone is not behind the DMZ as such. I have just depicted that the DMZ FW separates my corporate zone from the External network or External DMZ if you would say.
So, if the traffic from outside follows this path, then would it make sense to have a separate pair of switches behind the DMZ switches to connect those servers? This is for making it more scalable (in case more servers come in)
Internet--> External switch--->External FW--->DMZ Sw--->Jump servers
Thanks
Mikey
08-14-2014 04:11 AM
Yeah, for outside users to access the application server through VPN:
internet -->external switch -->internet fw (dmz interface)-->dmz-sw--server LAN (Jump/App Server)
If it is for the corporate users:
internet -->external switch -->internet fw (inside interface)-->corp lan network
You can allow inside-to-DMZ or DMZ-to-inside access for the corp users; you can tweak it as per your requirement.
Regards
Karthik
08-12-2014 07:20 AM
HI Mikey,
So if you keep the setup like that, then you can terminate your IPsec VPN on the internet firewall, providing access to the DMZ servers (i.e. jump server and app server) for your external clients. For authentication you can point the AAA configuration for the VPN to your inside AD/DC server.
So your corporate users can access the jump server and application server from the corporate network:
corp network-->inside interface --> dmz--->app and jump servers
corp network --->inside interface -->outside -->general internet access
external clients -->outside interface-->dmz zone -- app and jump servers
So all of these would be possible in that way.
Regards
Karthik
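The three zone-to-zone paths Karthik lists above (corp to DMZ, corp to the Internet, external clients over the VPN to the DMZ) plus the jump server's authentication path back to the inside domain controller from the original question can be written down as an explicit access matrix and checked against sample flows. The following is an added example, not code from this thread or from any firewall vendor: the addresses, host roles, and port sets are constructed, and the assumption that the only DMZ-to-inside flow is the jump server reaching the DC on Kerberos/LDAP/SMB ports is mine, not something the thread states.

```python
"""Zone-to-zone access matrix for the DMZ design discussed in the thread.

Added example (not from the original posts). It models three firewall
zones (outside, dmz, inside) and evaluates sample flows against the paths
listed in the thread. Prefixes, host addresses and port numbers are all
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing; the thread gives no real prefixes.
ZONES = {
    "dmz": [ip_network("192.0.2.0/24")],
    "inside": [ip_network("10.10.0.0/16")],
    "outside": [ip_network("0.0.0.0/0")],  # catch-all, must be checked last
}
ZONE_ORDER = ["dmz", "inside", "outside"]

# Constructed host roles
JUMP = "192.0.2.10"      # jump server in the DMZ
APP = "192.0.2.20"       # application server in the DMZ
DC = "10.10.1.5"         # domain controller on the inside segment
SERVER_PORTS = {22, 443, 3389}       # assumption: SSH/HTTPS/RDP to the DMZ hosts
DC_AUTH_PORTS = {88, 389, 445, 636}  # assumption: Kerberos/LDAP/SMB/LDAPS for domain auth


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    via_vpn: bool = False  # True when the source arrived over a customer IPsec tunnel


def zone_of(addr: str) -> str:
    """Map an address to its firewall zone; specific zones win over the catch-all."""
    ip = ip_address(addr)
    for zone in ZONE_ORDER:
        if any(ip in net for net in ZONES[zone]):
            return zone
    return "outside"


def allowed(flow: Flow) -> bool:
    """Return True if the flow matches one of the permitted zone paths."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)

    # corp network --> inside interface --> dmz --> app and jump servers
    if src_zone == "inside" and dst_zone == "dmz":
        return flow.dst in (JUMP, APP) and flow.port in SERVER_PORTS

    # corp network --> inside interface --> outside --> general internet access
    if src_zone == "inside" and dst_zone == "outside":
        return True

    # external clients --> outside interface --> dmz zone, only over the IPsec VPN
    if src_zone == "outside" and dst_zone == "dmz":
        return flow.via_vpn and flow.dst in (JUMP, APP) and flow.port in SERVER_PORTS

    # dmz --> inside: only the jump server authenticating against the DC (assumption)
    if src_zone == "dmz" and dst_zone == "inside":
        return flow.src == JUMP and flow.dst == DC and flow.port in DC_AUTH_PORTS

    # Everything else (outside --> inside, dmz --> outside, app --> DC, ...) is denied.
    return False


def evaluate(flows):
    """Evaluate a batch of flows; returns a list of (flow, decision) pairs."""
    return [(f, allowed(f)) for f in flows]


if __name__ == "__main__":
    samples = [
        Flow("10.10.5.5", APP, 443),                 # corp user to app server
        Flow("203.0.113.7", JUMP, 3389, via_vpn=True),  # customer over VPN to jump server
        Flow("203.0.113.7", JUMP, 3389),             # same customer, not over the VPN
        Flow("203.0.113.7", DC, 389, via_vpn=True),  # customer trying to reach the DC
        Flow(JUMP, DC, 88),                          # jump server Kerberos to DC
        Flow(APP, DC, 88),                           # app server to DC (not permitted)
        Flow(APP, "198.51.100.1", 443),              # DMZ host to the Internet
    ]
    for flow, decision in evaluate(samples):
        print(f"{zone_of(flow.src):7} -> {zone_of(flow.dst):7} {flow.src}:{flow.port} "
              f"-> {flow.dst} vpn={flow.via_vpn}: {'permit' if decision else 'deny'}")
```

The point of writing the matrix out this way is that the DMZ-to-inside row is the only path that crosses from the less trusted zone into the corporate network, so it is the one to keep as narrow as possible (one source, one destination, the authentication ports only) and the one whose firewall logs are worth watching; the outside-to-DMZ row is gated on the VPN so a customer without a tunnel gets nothing even if the servers are reachable.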