Proper and Secure Network

Arsen Gharibyan
Level 1

Hi everyone, I'm new to Cisco. I have a CCNA and am going after the CCNA Security.

Question 1

What is the best place to put a firewall? Before or after the router?

Question 2

Let's say budget is not a problem and we have this: ISP--ASA--Router--Layer 3 switch--Layer 2 switch. My question is, what will the router do in this scenario? Everything is in the 192.198.x.x network, so the L3 switch can do all the routing, and the ASA can also do NAT.

Question 3

Let's say the ASA comes after the router; that will make more sense, since we are protecting the internal network. BUT will that be secure enough? And what about site-to-site VPN: will that work normally, or is there extra complicated configuration that needs to be done on the ASA to forward that traffic?


11 Replies

Vivek Ruhil
Cisco Employee

Hi Arsen

Answer 1: It depends from network to network. In some networks where you need a lot of routing to be done at the edge, for example going to the internet with a full routing table, you would need the router as the entry point in order to handle that amount of routing and then pass it on to the internal network. At the same time, in networks where the routing is minimal you could use the firewall as the point of entry. Example: connecting to the internet with just a default route.

Answer 2: Again, it depends on the situation. I mean, if you have a high-end L3 switch like a 6500 then you don't need the router at all. And there can be situations where you just might need a router to do some important task, for example extensive NAT or extensive routing. Remember the ASA or the L3 switch will have their own capabilities; supposing you have an ASA and you have implemented an awful lot of security policies, you would ideally want some other device to take care of routing or QoS or even NAT.

Answer 3: For site-to-site VPNs, you will need to allow the ports that these VPNs will use. For the internal network to be secure, only a firewall might not make it completely secure, as you will have only a set of policies to allow certain communication through. You might need some more devices like the IDS/IPS from Cisco, which has a lot of virus signatures encoded so as to avoid a viral attack in the network.
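To make Answers 1 to 3 concrete, here is an added ASA configuration example (not from this thread or from either poster) for the "firewall as the point of entry with just a default route" case. It assumes ASA 8.3 or later NAT syntax, an ISP-assigned 203.0.113.0/29 block, 192.168.1.0/24 as a transit VLAN between the ASA and the L3 switch at 192.168.1.2, and an internal router at 192.168.1.10 that terminates the site-to-site tunnel, so the IKE and ESP flows have to be permitted through the ASA. All addresses and object names are made up for the example.

```cisco
! Added example, not from the thread. Assumed addresses: 203.0.113.0/29 from
! the ISP, 192.168.1.0/24 ASA-to-core transit VLAN, 192.168.1.2 = L3 switch,
! 192.168.1.10 = internal router that terminates the site-to-site VPN.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Answer 1: with the ASA at the edge, a single default route to the ISP is
! the only outbound routing it needs.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Answer 2: one summary route for the user/server/printer VLANs points back
! at the L3 switch, which does all inter-VLAN routing; the ASA never sees
! LAN-to-LAN traffic.
route inside 192.168.0.0 255.255.0.0 192.168.1.2 1
!
! Outbound PAT for the whole 192.168.0.0/16 to the outside interface address.
object network LAN-192-168
 subnet 192.168.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
! Answer 3: the internal VPN router needs a fixed public address so the
! remote peer can reach it (static one-to-one NAT).
object network VPN-RTR
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.6
!
object network VPN-PEER
 host 198.51.100.10
!
! Only the tunnel's control and data channels are allowed in from that one
! peer: IKE (UDP 500), NAT-T (UDP 4500) and ESP. Since ASA 8.3 the ACL
! matches on the real (untranslated) inside address, hence object VPN-RTR.
access-list OUTSIDE-IN extended permit udp object VPN-PEER object VPN-RTR eq isakmp
access-list OUTSIDE-IN extended permit udp object VPN-PEER object VPN-RTR eq 4500
access-list OUTSIDE-IN extended permit esp object VPN-PEER object VPN-RTR
! Everything else from the internet is dropped and logged.
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

If the ASA itself terminates the site-to-site tunnel instead of forwarding it to an inside router, the IKE/ESP entries are not needed (the ASA accepts to-the-box IKE once it is enabled on the outside interface); what you need instead is a NAT exemption so the 192.168.x.x traffic destined for the remote LAN is not PATed before it enters the tunnel.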

Thank you for your deep explanation and time :)

One more thing. Let's say ISP--ASA 5510--28xx router--Cat 3750--2960

and let's say we are using 192.168.0.0 with different flavors, like servers -- VLAN 20 -- 192.168.20.0;

desktops VLAN 30 192.168.30.0; printers VLAN 40 192.168.40.0 (this is actually an existing network).

So in my opinion, in this network the router will not do much; the 3750 can handle all inter-VLAN routing, and that's the major part we need, so the router will just forward traffic for outside to the ASA. In my opinion, using the ASA and router on the same level will be more productive. Am I right?

Hi

Yes, in this case you can have the ASA directly without the router, assuming that this is the only traffic and everything that goes out will have to go through the firewall only, and you don't have any external links directly on the 28xx router.

Also, you need to ensure that your Cat 3750 doesn't get over-utilized.

Last, to keep your network secure you will need to have server traffic going via the firewall to ensure that only authorized connections are allowed.

In order to ensure that your network can mitigate an attack from the internet, you will need to have some other devices like the IPS/IDS, which will ensure that if the users' PC VLAN is infected from the internet it doesn't infect other VLANs. This will require that the firewall act as the inter-VLAN routing device.

Thank you for your reply, I really appreciate the time you are spending on this.

Last thing: in this scenario, if I configure Zone-Based Firewall on the router, will that work fine?

I will have the ASA on the edge with the outside world, and the zone-based firewall will protect the internal part. In any case the router is there, so why not use all its power? :)

Hi

ZBF (Zone-Based Firewall) will only be helpful if you need to allow certain flows from one side to the other. However, if there is a threat in one part of the network and you want to avoid other parts of the network being hit, you need signature-based devices to detect well-known threats.

Cisco IPS has a feature called global correlation that is connected to a central Cisco server where a signature base of all the well-known threats in the world is maintained and regularly updated, hence making sure that your network has an up-to-date signature base.
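As an added illustration of what ZBF on the 28xx would and would not give you in the ISP--ASA--28xx--3750 layout (this is example configuration, not something either poster supplied), here is an IOS Zone-Based Firewall that only permits flows in one direction per zone pair: anything the LAN initiates toward the ASA is inspected and its return traffic allowed, while from the ASA side only HTTPS to one published server is let through. It assumes GigabitEthernet0/0 faces the ASA, GigabitEthernet0/1 faces the 3750, and 192.168.20.10 is the server; those are assumptions for the example.

```cisco
! Added example, not from the thread. Assumed: Gi0/0 faces the ASA (OUTSIDE
! zone), Gi0/1 faces the Cat 3750 (INSIDE zone), 192.168.20.10 is a server
! in VLAN 20 that must be reachable on HTTPS only.
zone security INSIDE
zone security OUTSIDE
!
! Flows the LAN may start toward the edge. Stateful inspection allows the
! replies back, so no mirror rule is needed in the other zone pair.
class-map type inspect match-any LAN-TO-EDGE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect LAN-TO-EDGE-POLICY
 class type inspect LAN-TO-EDGE
  inspect
 class class-default
  drop log
!
! Flows allowed in from the edge: only TCP/443 to the one server.
ip access-list extended TO-SERVERS
 permit tcp any host 192.168.20.10 eq 443
!
class-map type inspect match-all EDGE-TO-SERVERS
 match access-group name TO-SERVERS
!
policy-map type inspect EDGE-TO-LAN-POLICY
 class type inspect EDGE-TO-SERVERS
  inspect
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect LAN-TO-EDGE-POLICY
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect EDGE-TO-LAN-POLICY
!
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE
```

Two caveats follow directly from the configuration. First, the policy is purely a description of allowed flows (zone pairs, protocols, ports); nothing in it recognises a known exploit inside an allowed HTTPS session, which is the gap an IPS signature base fills. Second, because the router sits between the ASA and the 3750, it only ever sees traffic crossing that link; VLAN 30 talking to VLAN 20 is routed on the 3750 and never passes a zone boundary, so ZBF here cannot stop an infected desktop VLAN from reaching the server VLAN.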

I think a small network like this is unlikely to benefit from a router (28xx) located between the firewall (5510) and the core switch (3750). I agree with Vivek that you're more likely to use the 28xx outside the ASA as an edge router.

Also, I'd be surprised to see all server traffic protected by your edge firewall. You only want WAN traffic routed up to the edge firewall, not LAN-side-only traffic. Your ASA isn't a switch and might struggle to cope.

ZBF is a stateful inspection firewall only. Whereas your 5510 can be fitted with an IPS service module (although you'd probably be better off replacing it with a 5512-X and integrated IPS, because the 5510 is now End-of-Life). The 5510 can also integrate with Cisco's Cloud Web Security product. This is essentially cloud-based URL filtering and malware detection, but can be rolled out to homeworkers etc. as well as corporate LAN clients.

So basically, in this network the router and ASA 5510 can be replaced by an ASA 5515-X, which I'm pretty sure can handle routing and FW and IPS stuff, right?

Hi

Before answering that, could you let me know more details about the expectations for this network:

1. Your choice of routing protocol

2. Network size, I mean how many sessions there will be.

3. Number of NAT translations expected

4. Network Throughput

5. Type of flows

1. OSPF

2. 2 servers and about 30 workstations

3. DM replication and regular internet usage

4. hard to say

5. Email, online form submission, VPN clients (about 10)

Hey Arsen

I also agree with shillings on his comments.

Also, the requirement seems to be small, and in my personal opinion the ASA 5515-X should be able to cater to your requirements.

I wouldn't want to commit to anything based on a few posts. It will depend on the specifics of your requirements.

However, the 5512-X and 5515-X are certainly more powerful firewalls than the 5510, and their IPS functionality doesn't require a service module. However, the IPS is still configured separately from the main firewall.

The only routing your edge firewall should be doing is between inside, outside and any DMZ interfaces. In other words, it shouldn't be performing inter-VLAN routing for the LAN. That's best done by your core switch. Personally, if I wanted to secure any LAN servers behind a firewall (i.e. for PCI compliance) then I'd use a dedicated firewall pair for that task.

Slightly out of scope, but bear in mind that if you want to make your edge firewall redundant, then you'll need a pair of layer-3 edge switches or a pair of edge routers (fitted with switchport cards) on the outside of the ASA HA pair. This is in order to provide a broadcast domain for HSRP to function on the outside.
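The redundancy point above is easier to see in configuration, so here is an added example (not posted by anyone in the thread) of what sits on each side of the outside broadcast domain: two edge routers running HSRP, and an ASA active/standby pair whose default route points at the HSRP virtual address. It assumes a shared 203.0.113.0/29 segment, GigabitEthernet0/1 as each router's LAN-facing port, GigabitEthernet0/0 and 0/3 on 5512-X class ASAs for outside and failover respectively, and a WAN interface named Serial0/0/0 on the routers; every address and interface name is an assumption for the example.

```cisco
! Added example, not from the thread. Assumed outside segment 203.0.113.0/29:
! .1 HSRP virtual IP, .2/.3 ASA active/standby, .4/.5 the two edge routers.
!
! --- Edge router 1 (IOS): HSRP active, steps down if its WAN link fails ---
track 10 interface Serial0/0/0 line-protocol
!
interface GigabitEthernet0/1
 description Shared segment toward ASA HA pair (outside)
 ip address 203.0.113.4 255.255.255.248
 standby version 2
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 10 decrement 20
!
! --- Edge router 2 (IOS): HSRP standby, takes over the .1 address ---
interface GigabitEthernet0/1
 description Shared segment toward ASA HA pair (outside)
 ip address 203.0.113.5 255.255.255.248
 standby version 2
 standby 1 ip 203.0.113.1
 standby 1 priority 100
 standby 1 preempt
!
! --- ASA primary unit (the configuration replicates to the secondary) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface GigabitEthernet0/3
 description LAN and stateful failover link
!
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Default route to the HSRP virtual IP, so neither an ASA failover nor a
! router failover changes the next hop the active ASA uses.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! --- ASA secondary unit: only the bootstrap lines differ ---
! failover
! failover lan unit secondary
! failover lan interface FOLINK GigabitEthernet0/3
! failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
```

The reason the routers (or L3 switches) are required on the outside is visible in the addressing: HSRP hellos and the virtual MAC for 203.0.113.1 only work if both routers and both ASA outside interfaces share one Ethernet broadcast domain. A single ISP hand-off with no switch in front of the ASAs gives you nowhere to put that segment.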
