Core Firewall

David Santos
Level 1

Hello everyone,

Right now, in direct collaboration with Cisco, I'm redesigning a customer network in depth. An issue has been raised about the advantages of changing a 6500 core to a firewall core in the backbone of the network. I've got my doubts about putting a firewall in the middle of the network and using the 6500 just for L2.

Can someone give me a few arguments for using a core firewall at this client?

PS: The client has a lot of users.

1 Accepted Solution

Accepted Solutions

hobbe
Level 7

Hi

The design with a core firewall is one that many security engineers like.

However, while the design might easily meet the requirements of a smaller network, in a large network with high throughput and loads of sessions the advantage in security might come with the drawback of high cost in both hardware as well as man-hours.

In many cases the company "only" needs the added security of an access-list and a good policy.

In this case you might have the possibility to do both.

The 6500 has a firewall blade:

http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html

I have come across this in many instances where they simply just want to have control over access between networks, but I have never used the 6500 blade since it has just been overkill for the task at hand.

So what are the pros and cons?

Firewall core

PRO

Excellent control over traffic that comes and goes in the network

VPN might be used internally

Good security

Lacks support for protocols

CONs

Costly both in man-hours and equipment hardware

Risks becoming a bottleneck (slow / new sessions per second)

Dislikes large data streams through it.

Lacks support for protocols

Switch/Router Core

PRO

Excellent traffic forwarding capabilities

No problems with large data streams such as backups

Multi protocol solutions

Cost of the devices

Cons

Fewer security features -> less control in the network

Passes more different types of protocols that can bypass security devices

And then we have a third option

Collapsed Firewall Core

A core with the firewalls at the junctions and with a switched/routed core

Pros

Realistic way of doing security in a very large network with multi-gig streams over large areas.

Many units, which means that if one breaks you can cannibalise the network in another place if need be, to always keep the important parts up.

Cons

Can be an absolute nightmare to manage if it is not tightly controlled from the beginning

Many units

Many change points.

Good luck

HTH
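To make the "access-list and a good policy" alternative concrete, here is an added example of the switch/router core option, not code from hobbe's post or from Cisco: stateless ACLs on 6500 SVIs that restrict traffic between a user VLAN and a server VLAN. The VLAN numbers, prefixes and host addresses are constructed for the example.

```cisco
! Added example (not from the thread): inter-VLAN control on a 6500 core
! using SVI ACLs instead of a core firewall.
! Constructed addressing: users in VLAN 10 (10.10.0.0/16),
! servers in VLAN 20 (10.20.0.0/24), app server 10.20.0.10, DNS 10.20.0.53.
ip access-list extended USERS-TO-SERVERS
 remark Permit only the flows the policy defines towards the server VLAN
 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.10 eq 443
 permit udp 10.10.0.0 0.0.255.255 host 10.20.0.53 eq 53
 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.53 eq 53
 remark Everything else towards the server VLAN is dropped and logged
 deny   ip any 10.20.0.0 0.0.0.255 log
 remark Other destinations (internet, other VLANs) are governed elsewhere
 permit ip any any
!
ip access-list extended SERVERS-TO-USERS
 remark ACLs are stateless: reply traffic needs its own entries on the
 remark reverse SVI. 'established' only checks TCP ACK/RST bits, it is
 remark not session tracking like a firewall would do.
 permit tcp host 10.20.0.10 eq 443 10.10.0.0 0.0.255.255 established
 permit udp host 10.20.0.53 eq 53 10.10.0.0 0.0.255.255
 permit tcp host 10.20.0.53 eq 53 10.10.0.0 0.0.255.255 established
 deny   ip any 10.10.0.0 0.0.255.255 log
 permit ip any any
!
interface Vlan10
 description Users
 ip address 10.10.0.1 255.255.0.0
 ip access-group USERS-TO-SERVERS in
!
interface Vlan20
 description Servers
 ip address 10.20.0.1 255.255.255.0
 ip access-group SERVERS-TO-USERS in
```

The ACL entries are matched in hardware and so do not become the bottleneck a firewall core can; the `log` keyword, however, punts matching packets to the CPU, so keep it on the final deny lines only and watch the hit counts with `show ip access-lists`.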


3 Replies


HTH,

This is really a nice answer for me. Now I've cemented the PROs and CONs for this. I really suspected that this type of design was a thing for security engineers.

Thanks once again.
