Where to place Data Center Firewalls?

arbakhtiari
Level 1

Hi,

 

I've been asked to rethink the architecture of a small public Data Center which currently is equipped with only a pair of ISR 3900 and a Catalyst 6500 switches at its edge and core layer (no distribution).

I've been scratching my head as to where I should put a pair of third-party firewalls in this structure. On one hand there is the edge layer, which needs a firewall to handle its tasks; on the other hand, I think we need a pair of firewalls after the core switches to be able to do zone segmentation.

This is a public Data Center aiming to provide IaaS cloud services, and user access restrictions should be implemented.

The budget is limited and we're allowed to have only one pair of firewalls.

 

Should we put the address translation and port filtering tasks on the ISR, skip the edge firewall, and implement the firewall after the core layer?

4 Replies

Rick1776
Level 5
It really depends on what your security mandates are. Typically, what I see in the DCs I build is that there is a services layer; this can be off a DMZ on an edge pair of firewalls, or off an edge switch that connects straight to the 3900 series routers. Are there services behind these firewalls that have to be accessed by non-third-party groups? Also, nowadays, depending on your firewall, you can have virtual firewalls for different services.
This is a pretty good link.

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg/chap4.html

Thanks for the answer.

Provided that the Data Center will be used to sell services to third-party customers, whether colocation, VPS or cloud, I believe every customer should be segmented into a separate zone.

The cloud service is new, providing IaaS and PaaS. I understand that the cloud platform already offers a bunch of virtualized networking and firewalling capabilities, but that's within the cloud itself, and once out of it, the user might be able to wander around the data center if there is no restricting policy.

Of course, as customers they may want to launch different kinds of services, and I believe we should be providing them with a virtual FW interface so they can open ports, translate addresses, or have packet inspection activated on their services.

I've been looking into different CVD docs and the SAFE document, but I just can't work out whether what I have in mind is feasible with only one pair of firewalls.

- If we move the FW to the edge, segmentation might not be feasible, as the core switches will handle the routing between the subnets.

- If we move the MLS to the edge and the FW to the core for segmentation and inter-VLAN routing, address translation would then have to be done on the ISR, and we can't handle individual cases for every customer.

 

Let alone the additional services for WAF and IPS at the service layer...

Am I wrong? Or is there any way we can make that work with VRFs or something similar?

arbakhtiari
Level 1

I actually found the answer to my question through Cisco VMDC documents:

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/Cloud_Security/1-0/DG/ICSecurity.html

 

It is possible to virtually place the firewall (and the whole service layer) in between the aggregation switches thanks to VRFs.

Now I have a new question. When speaking about tenant containers, it is mentioned that in the Bronze containers the traffic doesn't go through the FW/IPS and is forwarded directly towards the tenant servers.

 

Knowing that the FW is responsible for NATing the traffic for Gold containers, how is the NAT process handled for Bronze if the traffic doesn't go through the FW?
Do they have the public IP address set directly on their server, or is it done on the edge router, in which case it will add a burden on the admin team to manage it?

 

Anyone???
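For readers following the VRF-based insertion the previous post refers to, the following IOS fragment is an added illustration, not from this thread or from the Cisco VMDC guide, of how a single firewall pair can sit "between" two routing tables on one Catalyst 6500 aggregation switch: a shared OUTSIDE VRF faces the ISR edge, each firewalled tenant gets its own VRF, and the only routes between the two point at the firewall's outside and inside legs, so the switch itself never routes directly between them. A second tenant VLAN is placed straight into OUTSIDE to show the bypass the post attributes to Bronze containers. All VRF names, VLAN numbers, route distinguishers and addresses are assumptions for illustration only.

```cisco
! Added example (not from the thread): VRF "sandwich" around a firewall on a
! Catalyst 6500 running IOS. Names, VLANs, RDs and addresses are assumed.
!
ip vrf OUTSIDE
 description Shared table toward the ISR 3900 edge pair
 rd 65000:1
!
ip vrf TENANT-A
 description Firewalled tenant: all traffic must cross the firewall
 rd 65000:101
!
! Uplink toward the edge routers lives in OUTSIDE
interface Vlan10
 description Edge uplink (OUTSIDE VRF)
 ip vrf forwarding OUTSIDE
 ip address 192.0.2.1 255.255.255.0
!
! Firewall outside leg: same OUTSIDE VRF
interface Vlan100
 description Firewall OUTSIDE interface
 ip vrf forwarding OUTSIDE
 ip address 10.100.0.1 255.255.255.0
!
! Firewall inside leg for TENANT-A: separate VRF, so no inter-VLAN
! shortcut on the switch can bypass the firewall
interface Vlan101
 description Firewall INSIDE interface for TENANT-A
 ip vrf forwarding TENANT-A
 ip address 10.101.0.1 255.255.255.0
!
interface Vlan201
 description TENANT-A server VLAN
 ip vrf forwarding TENANT-A
 ip address 10.201.0.1 255.255.255.0
!
! Unfirewalled tenant VLAN placed directly in OUTSIDE: routed without
! ever touching the firewall (the bypass described for Bronze containers)
interface Vlan300
 description TENANT-B server VLAN, no firewall in path
 ip vrf forwarding OUTSIDE
 ip address 10.30.0.1 255.255.255.0
!
! Static routing: the only path between the two VRFs is via the firewall.
! 192.0.2.254 = edge router, 10.100.0.2 = FW outside, 10.101.0.2 = FW inside
! (all assumed addresses).
ip route vrf OUTSIDE 0.0.0.0 0.0.0.0 192.0.2.254
ip route vrf OUTSIDE 10.201.0.0 255.255.255.0 10.100.0.2
ip route vrf TENANT-A 0.0.0.0 0.0.0.0 10.101.0.2
```

To check the isolation after applying it, `show ip route vrf TENANT-A` should list only the connected server subnet and the default route toward the firewall's inside address, and `show ip route vrf OUTSIDE` should reach 10.201.0.0/24 only via the firewall's outside address. If the firewall translates the tenant's addresses, the OUTSIDE route points at the translated range instead of 10.201.0.0/24. Each additional firewalled tenant repeats the TENANT-A pattern with its own VRF and its own pair of firewall VLANs (or a firewall context), which is what lets one physical pair serve many segmented zones.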