Creating L2 VLAN for ISP

ajl311374
Level 1

I wanted to hear what other people think of this setup since I have heard a couple of different opinions. At one of my remote sites our ISP hand-off is in the sub-cellar, while I had the need to supply an internet connection to some devices (usually routers) several stories up; we also had plans to supply several other devices throughout the building with raw internet. We already had a base-building backbone with IDFs every few floors, so what I did was plug our ISP connection into the closest switch (in the same room, luckily), and now I was able to transport raw internet throughout the building.

It has worked out fine and I have not had any issues; because of that I have even implemented it in our production data center after a recent migration. I have both of my ISPs going directly into my core on their own respective L2 VLAN. My feeling is that it helps consolidate some of the switches since I can get rid of the old perimeter/outside switches I was using to split up the internet links; also I've found a great advantage in being able to extend a raw internet signal to places that might have been very difficult to do so before. However, I do try to remove it from any trunk links that do not need it. As far as any effects on traffic, I have not noticed anything disruptive and I think we pump a significant amount of traffic. However, what are your thoughts about security? I know nothing is 100% safe and there is always a way to exploit it somehow, but does anyone see any major drawbacks with this?

I appreciate your thoughts and insight.

7 Replies

Jon Marshall
Hall of Fame

When you say you connected the ISPs to your core switches, you don't mean without a firewall, do you?

Jon

Hi Jon,

This is the way I had it before.

The ISP hands off their fiber or copper cable and I would plug it into a standalone, usually unmanaged, layer 2 "outside switch"; from there I would connect my perimeter devices (firewall, hub routers, DMZ equipment, etc.). So the traffic would go ISP > Outside Switch > Router/Firewall > Core.

What I do now is plug the ISP's hand-off into my core on, for example, port g1/0/1, and make it an access port for VLAN 333. Then I come out of g1/0/2 on VLAN 333 and connect it to my router/firewall.

Does that make more sense now?
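A Catalyst IOS configuration of the VLAN 333 transit design described above, as an added example that is not from the thread, showing the isolation a defender would want on it (no SVI on the transit VLAN, hardened hand-off port, storm control for the flooding concern, VLAN pruned from trunks). Ports g1/0/1 and g1/0/2 follow the reply; the uplink name Te1/0/24 and the storm-control thresholds are assumptions.

```cisco
! Constructed example (not the poster's config). Interface g1/0/1 = ISP hand-off,
! g1/0/2 = firewall outside interface, as in the reply; Te1/0/24 is an assumed uplink.
vlan 333
 name ISP-RAW-INTERNET
!
! Make sure no SVI exists on the transit VLAN, so the core has no IP presence
! on the ISP segment and is not reachable at L3 from the hand-off.
no interface Vlan333
!
interface GigabitEthernet1/0/1
 description ISP hand-off (untrusted)
 switchport mode access
 switchport access vlan 333
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
 no lldp transmit
 no lldp receive
 ! Rate-limit floods arriving from the ISP side. Thresholds are assumed values;
 ! this caps, but does not remove, the core's exposure to a flood on this port.
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control unicast level 50.00
 storm-control action trap
!
interface GigabitEthernet1/0/2
 description Firewall outside interface
 switchport mode access
 switchport access vlan 333
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Keep the raw-internet VLAN off every trunk that does not need to carry it.
interface TenGigabitEthernet1/0/24
 description Uplink to IDF (assumed)
 switchport mode trunk
 switchport trunk allowed vlan remove 333
!
! Verify with: show vlan id 333   and   show interfaces trunk
```

The check to repeat after any change is that `show vlan id 333` lists only g1/0/1, g1/0/2 and the trunks that must carry it, and that no `interface Vlan333` appears in the running config.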

Okay, makes sense now.

I have had this discussion before and some people have differing opinions but in a DC I would never let internet traffic hit the core switch before it goes to the firewall.

Your core switches in a DC are critical.

Firewalls are designed to filter traffic, protect against DoS attacks, etc.; your core switches aren't.

I would be okay with using a DMZ on the core switch as long as you had to get to it via the firewall first.

That said I know others who feel comfortable with what you are doing so it is just my opinion but I would feel very uncomfortable with that setup.

Pretty sure it would not pass any security audit either.

Jon

Thanks for the thoughts. I've heard the same concerns and definitely agree that it is not the recommended design or top-notch security. I've heard the same issue about the DoS attack flooding the port/switch and bringing it down. But I think for the most part, while definitely not impossible, it would be pretty difficult/involved for an attacker to leverage that L2 connection to the switch and somehow get into a management interface on the switch. The way I look at it, the external attacker is usually aiming for an IP address, and that IP address will still remain on the firewall/router. I guess it's always a balance, and in some of my sites the risk of an attacker putting a bullseye on us and the DoS bringing just that one branch office down (usually very minimal users) is worth the simplicity of connecting it that way.

Any other type of blatant attack/vulnerability that comes to mind besides a DoS attack?

I agree with what you say, it is a question of balance and my remarks are primarily concerned with the DC.

This is the way I look at it.

How much does it cost the business if the DC goes down, compared to the cost of an extra switch for the outside interface of your firewall?

And how would you explain that you thought it was a good idea to connect the internet directly to the core switch to save on a bit of space or for convenience?

I am not a security expert so I do not always keep up with the latest hacks, Cisco vulnerabilities, etc., but the one thing I can say for sure is I would not gamble on it being unlikely to happen just because I can't see a way for it to be done.

None of this is intended as a go at you, because I understand where you are coming from, but I simply would not take the chance.

Jon

Definitely, I agree, and that's the reason I started the thread, so that I could hear some other opinions. And after more thought I probably will change it soon. I'm planning to do a penetration test of my own to see what happens. But as far as any backlash, the Director of IT was OK with it, so he'll hear about it first... lol.

Thanks for the thoughts.

No problem.

I hope you've got that in writing from the Director of IT, because from experience these sorts of agreements can be forgotten when things go wrong :)

Jon
