
Server Farm Firewalling

jay.kishan
Level 1

Hi,

My name is Jay Kishan and I am currently working as a network administrator in my company. We have just finished the first phase of implementing a Server Farm in our Data Center, i.e. all servers in a different VLAN and all users in a separate VLAN. (Actually we have 6 different VLANs for users based on what floor they reside on, but let's just call it a single User VLAN.)

Anyways, so now my manager wants me to put a firewall in between the Server VLAN and the User VLAN. We have around 80 servers running different applications. I think that putting a firewall in between the two VLANs will have a performance hit, since the throughput required between the two VLANs is way too much for a normal firewall to support.

I just want to know the best practice the industry follows for firewalling in a server farm and the main reasons for it. I am searching for some solution myself but would really appreciate any help. As far as I could find, only critical servers are placed behind a firewall in a separate VLAN, and inbound and outbound traffic for that VLAN is passed through the firewall. Also, what is the best thing to do: place a separate hardware firewall like ASA5510 or use FWSM in Cisco 6500?

Thanks in advance.

- Jay

Accepted Solutions

Ganesh Hariharan
VIP Alumni

Hi Jay,

The best recommended practice is to have servers behind the firewall, so that restricted access will be granted via the firewall on these servers, which can be achieved via ACL deployment on switches. But a firewall will give additional features for blocking, with stateful inspection and stateful failovers.

The ASA supports firewalling/VPN/IPS/IDS/content filtering, so it is a fully featured security device, and the FWSM is a module that goes into a 6500 chassis, but it is important to note that it is only a firewall, i.e. it doesn't support IDS/IPS/VPN etc.

So it is up to your choice how you want to segregate the VLAN traffic using a firewall.

Hope to Help !!

Ganesh.H

Remember to rate the helpful post
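
The difference between a switch ACL and stateful inspection mentioned in the answer above, as an added example that is not part of the original thread: a per-packet ACL and a connection-tracking filter are run over the same traffic between a user VLAN and one server. The addresses, the port and the simplified connection table (no timeouts, teardown or sequence-number checks) are assumptions made for the illustration.

```python
from collections import namedtuple

USER_NET = "10.10."    # constructed user-VLAN prefix (assumption)
SERVER = "10.20.0.10"  # constructed server address (assumption)
PORT = 443             # the one service the policy exposes (assumption)

Packet = namedtuple("Packet", "src sport dst dport flags")

def to_service(p):
    return p.src.startswith(USER_NET) and p.dst == SERVER and p.dport == PORT

def stateless_acl(p):
    """Per-packet switch ACL: judges header fields only, keeps no memory."""
    if to_service(p):
        return True
    reply = p.src == SERVER and p.sport == PORT and p.dst.startswith(USER_NET)
    # 'established'-style match: any segment with ACK or RST set looks like a reply.
    return reply and bool(p.flags & {"ACK", "RST"})

class StatefulFirewall:
    """Permits a packet only if it opens, or belongs to, a tracked connection."""
    def __init__(self):
        self.conns = set()

    def permit(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if to_service(p):
            if p.flags == {"SYN"}:
                self.conns.add(key)      # new connection allowed by policy
                return True
            return key in self.conns     # mid-stream packets need a prior SYN
        return (p.dst, p.dport, p.src, p.sport) in self.conns

def compare(packets):
    """Return (acl_decision, firewall_decision) for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.permit(p)) for p in packets]

def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))

# Constructed sample traffic: one real handshake, then two packets outside it.
SAMPLE = [
    pkt("10.10.1.5", 50000, SERVER, PORT, "SYN"),
    pkt(SERVER, PORT, "10.10.1.5", 50000, "SYN", "ACK"),
    pkt("10.10.1.5", 50000, SERVER, PORT, "ACK"),
    pkt("10.10.2.7", 40000, SERVER, PORT, "ACK"),  # no handshake seen
    pkt("10.10.1.5", 50001, SERVER, 22, "SYN"),    # service not in policy
]
```

Calling `compare(SAMPLE)` shows both filters agreeing on the handshake and on the blocked port, while only the stateful filter drops the segment that belongs to no tracked connection.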


2 Replies

Thank you for your reply.

I know that putting the most critical servers behind a physical firewall is the best available option. But in many cases, like in mine, the throughput problem erases this option from the list. Also, VPN/IDS/IPS options are not required in my scenario. So, I think FWSM is best suited for my situation. Anyways, I also found a very document on Cisco.com that explained a few ambiguous things. Thanks for your help.

- Jay
