Zone Based Firewall or Private VLAN?

leonardomachado
Level 1

Hi,

I would like to ask here for your opinion about a security solution that we intend to implement in our environment.

In our network we have a core office and 40 remote branches.

Each branch has the following network configuration (simplified here for clarity):

http://oi50.tinypic.com/2im00uh.jpg

We would like to create a security solution to prevent each VLAN from accessing the other VLANs. In some situations we need communication between VLANs, but this communication must be controlled, allowing only specific ports and protocols.

We thought about 2 ways to solve this problem:

1 - PVLAN

2 - ZFW

ZFW: We would configure each subinterface of the router in a separate Zone to restrict traffic flow between subinterfaces.

Which one would you recommend? Is there a better solution for it?

ZFW seems to fit another scenario where we have OUTSIDE, INSIDE and DMZ. I am not sure if ZFW would be the best solution for intra-network control.

Thank you.

Leo.
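For readers weighing the ZFW option described in this post, here is an added example of what "each subinterface in its own zone" looks like in Cisco IOS zone-based firewall configuration. It is not from the original poster or from Cisco; the interface names, VLAN IDs, subnets and the single permitted port (TCP/443) are assumed values chosen for illustration.

```cisco
! Assumed topology (not from the post): Gi0/1 is the trunk to the branch
! switch, carrying VLAN 10 (users) and VLAN 20 (servers).
! Goal: users may reach servers on TCP/443 only; servers may not initiate
! anything toward users; all other inter-VLAN traffic is dropped and logged.
!
! Zones must exist before an interface can be made a member of one.
zone security USERS
zone security SERVERS
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.1.10.1 255.255.255.0
 zone-member security USERS
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.1.20.1 255.255.255.0
 zone-member security SERVERS
!
! Classify exactly the traffic that is allowed to cross USERS -> SERVERS.
ip access-list extended USERS-TO-SERVERS-HTTPS
 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 443
!
class-map type inspect match-all CM-USERS-TO-SERVERS
 match access-group name USERS-TO-SERVERS-HTTPS
!
! "inspect" creates stateful entries so the return traffic is allowed
! without any SERVERS -> USERS policy; class-default drops the rest.
policy-map type inspect PM-USERS-TO-SERVERS
 class type inspect CM-USERS-TO-SERVERS
  inspect
 class class-default
  drop log
!
zone-pair security ZP-USERS-TO-SERVERS source USERS destination SERVERS
 service-policy type inspect PM-USERS-TO-SERVERS
!
! Caveats worth knowing before rolling this out to 40 branches:
!  - With no zone-pair defined for SERVERS -> USERS, the router drops any
!    session a server tries to open toward the user VLAN (default deny).
!  - Interfaces in the same zone pass traffic freely to each other.
!  - An interface that belongs to no zone cannot exchange traffic with a
!    zone member at all, so every routed subinterface must be assigned a zone.
```

A useful check after applying this is `show policy-map type inspect zone-pair sessions`, which lists the stateful sessions created by the `inspect` action and the drop counters for class-default.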

2 Replies

Jouni Forss
VIP Alumni

Hi,

What devices do the branch and core offices have at the moment? Are you planning on implementing the same model/same device for each of the branch offices?

Are you going to configure a setup where each branch is also connected to the core office via VPN?

On average, how many devices are there in the branch offices?

Personally, I would find the easiest choice to be a Cisco firewall, if your main concern is to control traffic between the different Vlans of each branch office and also provide VPN connectivity. Though I have to admit my opinion is biased, because I mainly use Cisco ASA firewalls in setups and we don't use routers to handle firewall functionality even if they have the possibility.

I have always found the Cisco router configuration format a bit clunky, but again this is probably due to the fact that I only use Cisco ASA (also PIX and FWSM) firewalls in my work. I do have plans to get some experience with the Cisco router firewall side, but it just seems there is not enough time.

If you were to go with the Cisco ASA then your firewall model would probably be ASA5505 (depending on throughput requirements).

  • It's the first/smallest model of the Cisco ASA
  • It has 8 FastEthernet ports (of which 2 are PoE)
  • Base License is for 10 users (50 and Unlimited are the other options)
  • Base License supports 3 Vlans
    • No Trunking
    • One Vlan is limited to DMZ operation
      • Can't initiate connections to one of the other 2 Vlans (usually "inside")
      • Connections can be initiated to the said Vlan from each of the 2 Vlans
  • Security Plus License supports 20 Vlans + Trunking
  • L2L VPN, Client VPN, Clientless VPN

It would also seem to me that if you were to go with some Cisco router series, you would have to pay a lot more than for example an ASA5505 with Security Plus License. Naturally, with the Cisco ASA you will need a separate device to provide an xDSL connection, unless that is provided with the connection or the connection is delivered to you as Ethernet.

Here's a link to some information about the ASA5505 (5510 also):

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e36.html

Here's a link to the datasheets of all of the ASA models:

ASA 5500 Series

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf

ASA 5500-X Series

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf

Please let me know if you need some more specific information and I'll try to answer if I can.

Hopefully the above information has been helpful.

EDIT: I understand that this might not help you at all if you're not looking to change any devices at the remote offices but rather using some existing feature on those networks.

- Jouni

Thanks for answering.

I was searching for someone who already had this kind of experience configuring different VLAN subinterfaces into separate zones.