
Combining multiple DMZs into a single DMZ

fsbiz
Level 1

Hi,

Looking for suggestions here.

I currently manage multiple sites, each of which has its own DMZ. E.g. sites in Los Angeles, San Francisco, San Diego, Seattle, etc., mostly along the west coast. Each site hosts its own servers in the DMZ.

As a long-term project I am looking to migrate all the sites to a Zero Trust Network. For phase 1, I'd like to combine the multiple DMZs into a single DMZ, which I think will make the ZTN migration easier.

All the sites are connected by our private network also. Each site will still host its public-facing documents, but instead of having a separate DMZ for each site I'd like a single DMZ in (say) San Francisco. Any suggestions on the kind of architecture you'd use are welcome.


Accepted Solution

@fsbiz I think the question to be answered is: can you mix up the traffic or not? If you can, you can easily build this with VPN or even with the topology you have today.

Basically what you need is to advertise the DMZ network from San Francisco to the other places and send the traffic to the San Francisco DMZ.

But let's say you are not allowed to mix up the DMZ traffic with local network traffic for security reasons. So what would you do?

You cannot fix it with a simple VPN tunnel.

SD-WAN has this capacity of creating different colors and allows you to securely pass traffic inside encrypted tunnels without mixing it up.

You can also change the topology from full mesh to hub and spoke by configuration and without touching the physical network.

The DMZ network could be a hub-and-spoke topology in which San Francisco could be the hub while the other sites are the spokes.

Whilst your local network could be a full mesh network, as they can talk to each other directly.

When it comes to cost, SD-WAN, just like VPN, can allow you to build the topology over internet connections, which is much less costly than MPLS.

But the problem is that SD-WAN means a lot of change. Depending on your current routers, you may need to change them all.

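One way to keep the DMZ traffic out of the local network path without SD-WAN, as an added illustration that is not from the thread: a separate VRF-lite routing table for the DMZ on each router, with its own IPsec-protected tunnel to the San Francisco hub. Cisco IOS syntax is assumed; the crypto IPsec profile DMZ-IPSEC (IKEv2 policy and transform set) is assumed to be defined separately, and all addresses and interface names are constructed for the example.

```cisco
! Constructed example: VRF-lite over an IPsec-protected tunnel keeps Site 2's
! public-facing hosts in a routing table separate from the internal network,
! with San Francisco (hub) as their only path. Addresses are RFC 5737
! documentation ranges chosen for illustration.
!
! --- Site 2 (spoke) ---
vrf definition DMZ
 rd 65000:2
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/1
 description Site 2 public-facing hosts (no longer a local DMZ)
 vrf forwarding DMZ
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel100
 description DMZ-only tunnel to San Francisco hub
 vrf forwarding DMZ
 ip address 10.255.2.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DMZ-IPSEC
!
! Everything in the DMZ VRF goes to the hub. No route is leaked into the
! global table, so internal and DMZ traffic never share a path.
ip route vrf DMZ 0.0.0.0 0.0.0.0 Tunnel100
!
! --- San Francisco (hub) ---
vrf definition DMZ
 rd 65000:1
 address-family ipv4
 exit-address-family
!
interface Tunnel102
 description DMZ-only tunnel from Site 2
 vrf forwarding DMZ
 ip address 10.255.2.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DMZ-IPSEC
!
! Site 2's public hosts are reachable only through the San Francisco DMZ.
ip route vrf DMZ 192.0.2.0 255.255.255.0 Tunnel102
```

Check the isolation with `show ip route vrf DMZ` on each router: the DMZ table should hold only the tunnel routes, and the global table should contain no DMZ prefixes.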

9 Replies

Hello @fsbiz,

How do you interconnect all these sites? Do you have any high-level diagram you can share? If I understood correctly, instead of a host in Los Angeles calling the server on the local DMZ, it will call a remote server in the San Francisco DMZ, right?


Hi Flavio,

Thanks for the response. The internal (protected) networks in all sites are connected by a private network.

See attached diagram. The goal is to remove the DMZ in site 2. Site 2 will still have publicly accessible content, but all of that should be accessible only via the DMZ in site 1.

[Attached diagram: fsbiz_0-1689979791943.png]

Private network means VPN?

If VPN, you are going to transport the DMZ traffic from remote sites along with all other traffic. Is that OK?

SD-WAN would be perfect in this scenario.

>Private network means VPN?

Yes. Some sites have VPN connections, some sites are connected using carrier MPLS, and some sites have private leased lines.

Take a look at the SD-WAN technology. It would allow you to use only the internet for interconnection, which costs much less than MPLS.

It would allow you to securely split your traffic inside independent tunnels.

You can create local breakouts with DIA.


Thanks Flavio.

I'm familiar with SD-WAN. I don't want to make too many changes to the architecture. At this point there are no plans to make any changes to the way the internal networks are connected. The goal is simply to combine multiple DMZs into a single DMZ. Can you elaborate on how I can use SD-WAN to do this?


SD-WAN !!!

You have MPLS between sites?

You can solve this issue without SD-WAN (SD-WAN !!!)

But it needs some work.

Do you really need a solution, or are you OK?
