07-21-2023 03:00 PM
Hi,
Looking for suggestions here.
I currently manage multiple sites each of which has its own DMZ. E.g. sites in Los Angeles, San Francisco, San Diego, Seattle, etc. mostly along the west coast. Each site hosts its own servers in the DMZ.
As a long term project I am looking to migrate all the sites to a Zero Trust Network. For phase 1, I'd like to combine the multiple DMZs to a single DMZ which I think will make the ZTN migration easier.
All the sites are connected by our private network also. Each site will still host its public facing documents but instead of having a separate DMZ for each site I'd like a single DMZ in (say) San Francisco. Any suggestions on the kind of architecture you'd use are welcome.
07-21-2023 03:23 PM
Hello @fsbiz
How do you interconnect all these sites? Do you have any high-level diagram you can share? If I understood correctly, instead of a host in Los Angeles calling the server on the local DMZ, it will call a remote server in the San Francisco DMZ, right?
07-21-2023 03:51 PM
Hi Flavio,
Thanks for the response. The internal (protected) networks in all sites are connected by a private network.
See attached diagram. The goal is to remove the DMZ in site 2. Site 2 will still have publicly accessible content, but all of that should be accessible only via the DMZ in site 1.
07-21-2023 04:02 PM
Private network means VPN?
If VPN, you are going to transport the DMZ traffic from remote sites along with all other traffic. Is that ok?
SDWAN would be perfect in this scenario.
07-21-2023 04:07 PM
>Private network means VPN?
Yes. Some sites have VPN connections, some sites are connected using carrier MPLS, and some sites have private leased lines.
07-21-2023 04:25 PM - edited 07-21-2023 04:26 PM
Take a look at the SDWAN technology. It would allow you to use only internet for interconnection, which costs much less than MPLS.
It would allow you to securely split your traffic inside independent tunnels.
You can create local breakouts with DIA.
07-22-2023 12:59 PM
Thanks Flavio.
I'm familiar with SDWAN. I don't want to make too many changes to the architecture. At this point there are no plans to make any changes with the way the internal networks are connected. The goal is to simply combine multiple DMZs into a single DMZ. Can you elaborate how I can use SDWAN to do this?
07-22-2023 05:07 PM - edited 07-22-2023 05:12 PM
@fsbiz I think the question to be answered is: can you mix up the traffic or not? If you can, you can easily build this with VPN or even with the topology you have today.
Basically what you need is to advertise the DMZ network from San Francisco to the other places and send the traffic to the San Francisco DMZ.
But let's say you are not allowed to mix up the DMZ traffic with local network traffic for security reasons. So what would you do?
You cannot fix it with a simple VPN tunnel.
SDWAN has this capacity of creating different colors and allows you to securely pass traffic inside encrypted tunnels without mixing it up.
You can also change the topology from full mesh to hub and spoke by configuration and without touching the physical network.
The DMZ network could be a hub-and-spoke topology in which San Francisco is the hub while the other sites are the spokes,
whilst your local network could be a full mesh network, as they can talk to each other directly.
When it comes to cost, SDWAN, just like VPN, can allow you to build the topology over internet connections, which cost much less than MPLS.
But the problem is that SDWAN means a lot of change. Depending on your current routers, you may need to change them all.
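An added example, not from the thread or any vendor: a small Python model of the two overlays this reply describes (a DMZ overlay that is hub-and-spoke with San Francisco as hub, and an internal overlay that stays full mesh), using constructed documentation prefixes. It shows that the DMZ prefix reaches each spoke only through the hub, that internal prefixes stay on the mesh, and includes a check that flags a DMZ route leaked onto the local-network overlay.

```python
from collections import deque

# Constructed sample: site names from the thread, prefixes are assumed
# documentation ranges, not anything from the poster's network.
HUB = "san_francisco"
SITES = ["los_angeles", "san_francisco", "san_diego", "seattle"]
DMZ_PREFIX = "192.0.2.0/24"                    # the single DMZ, hosted at the hub
INTERNAL = {s: f"10.{i}.0.0/16" for i, s in enumerate(SITES, 1)}

def hub_and_spoke(hub, sites):
    """DMZ overlay: each spoke has exactly one tunnel, to the hub only."""
    return {s: (set(sites) - {hub} if s == hub else {hub}) for s in sites}

def full_mesh(sites):
    """Internal overlay: every site peers directly with every other site."""
    return {s: set(sites) - {s} for s in sites}

def advertise(overlay, origin):
    """Flood a prefix from origin over one overlay; return {site: next_hop}."""
    routes, queue = {origin: None}, deque([origin])
    while queue:
        cur = queue.popleft()
        for nb in overlay[cur]:
            if nb not in routes:           # first learner wins, like a simple IGP
                routes[nb] = cur
                queue.append(nb)
    return routes

def build_rib():
    """Per-site routing table: prefix -> (overlay name, next-hop site)."""
    dmz, lan = hub_and_spoke(HUB, SITES), full_mesh(SITES)
    rib = {s: {} for s in SITES}
    for site, nh in advertise(dmz, HUB).items():
        rib[site][DMZ_PREFIX] = ("dmz", nh)       # DMZ advertised only over DMZ overlay
    for origin, prefix in INTERNAL.items():
        for site, nh in advertise(lan, origin).items():
            rib[site][prefix] = ("lan", nh)       # internal prefixes stay on the mesh
    return rib

def path_to(rib, src, prefix):
    """Walk next hops from src; returns the list of sites traversed."""
    hops, cur = [src], src
    while rib[cur][prefix][1] is not None:
        cur = rib[cur][prefix][1]
        hops.append(cur)
    return hops

def check_segregation(rib):
    """Sites whose DMZ route is on the LAN overlay or does not point at the hub."""
    return sorted(s for s, t in rib.items()
                  if t[DMZ_PREFIX][0] != "dmz" or t[DMZ_PREFIX][1] not in (None, HUB))
```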
07-22-2023 01:19 PM
SDWAN !!!
Do you have MPLS between sites?
07-23-2023 10:22 AM
You can solve this issue without SD-WAN (SD-WAN!!!).
But it needs some work.
Do you really need a solution, or are you OK?