06-28-2010 09:52 PM
Hi,
My name is Jay Kishan and I am currently working as a network administrator in my company. We have just finished first phase of implementing Server Farm in our Data Center i.e. all servers in a different VLAN and all users in a separate VLAN. (Actually we have 6 different VLANs for users based on what floor they reside on but lets just call it a single User VLAN).
Anyways, so now my manager wants me to put a firewall in between the Server VLAN and the User VLAN. We have around 80 servers running different applications. I think that by putting a firewall in between the two VLANs will have a performance hit since the throughput required between the two VLANs is way too much for a normal firewall to support.
I just want to know the best practice the industry follows for firewalling in a server farm and the main reasons for it. I am searching for some solution myself but would really appreciate any help. As far as I could find, only critical servers are placed behind a firewall in a separate VLAN and inbound and outbound traffic for that VLAN is passed through the firewall. Also, what is the best thing to do. Place a separate hardware firewall like ASA5510 or use FWSM in Cisco 6500.
Thanks in advance.
- Jay
Solved! Go to Solution.
06-29-2010 02:31 AM
Hi,
My name is Jay Kishan and I am currently working as a network administrator in my company. We have just finished first phase of implementing Server Farm in our Data Center i.e. all servers in a different VLAN and all users in a separate VLAN. (Actually we have 6 different VLANs for users based on what floor they reside on but lets just call it a single User VLAN).
Anyways, so now my manager wants me to put a firewall in between the Server VLAN and the User VLAN. We have around 80 servers running different applications. I think that by putting a firewall in between the two VLANs will have a performance hit since the throughput required between the two VLANs is way too much for a normal firewall to support.
I just want to know the best practice the industry follows for firewalling in a server farm and the main reasons for it. I am searching for some solution myself but would really appreciate any help. As far as I could find, only critical servers are placed behind a firewall in a separate VLAN and inbound and outbound traffic for that VLAN is passed through the firewall. Also, what is the best thing to do. Place a separate hardware firewall like ASA5510 or use FWSM in Cisco 6500.
Thanks in advance.
- Jay
Hi Jay,
Best recoomended practice is used to have server behind the firewall, so that restricted access will be graneted via firewall on these servers,which can be achived via acl deployment on switches.But firewall will give addionalt feature for blocking with stateful inspection and stateful failovers.
The ASA supports firewalling/VPN/IPS/IDS/Content filtering so it is a fully featured security device and The FWSM is a module that goes into a 6500 chassis but it is important to note that it is only a firewall ie. it doesn't support IDS/IPS/VPN etc.
So upto your choice how want to segregate the vlan traffic using firewall.
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
06-29-2010 02:31 AM
Hi,
My name is Jay Kishan and I am currently working as a network administrator in my company. We have just finished first phase of implementing Server Farm in our Data Center i.e. all servers in a different VLAN and all users in a separate VLAN. (Actually we have 6 different VLANs for users based on what floor they reside on but lets just call it a single User VLAN).
Anyways, so now my manager wants me to put a firewall in between the Server VLAN and the User VLAN. We have around 80 servers running different applications. I think that by putting a firewall in between the two VLANs will have a performance hit since the throughput required between the two VLANs is way too much for a normal firewall to support.
I just want to know the best practice the industry follows for firewalling in a server farm and the main reasons for it. I am searching for some solution myself but would really appreciate any help. As far as I could find, only critical servers are placed behind a firewall in a separate VLAN and inbound and outbound traffic for that VLAN is passed through the firewall. Also, what is the best thing to do. Place a separate hardware firewall like ASA5510 or use FWSM in Cisco 6500.
Thanks in advance.
- Jay
Hi Jay,
Best recoomended practice is used to have server behind the firewall, so that restricted access will be graneted via firewall on these servers,which can be achived via acl deployment on switches.But firewall will give addionalt feature for blocking with stateful inspection and stateful failovers.
The ASA supports firewalling/VPN/IPS/IDS/Content filtering so it is a fully featured security device and The FWSM is a module that goes into a 6500 chassis but it is important to note that it is only a firewall ie. it doesn't support IDS/IPS/VPN etc.
So upto your choice how want to segregate the vlan traffic using firewall.
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
06-29-2010 03:45 AM
Thank you for your reply.
I know that putting the most critical servers behind a physical firewall is the best available option. But in many cases, like in mine, throughput problem erases this options from the list. Also, VPN/IDS/IPS options are not required in my scenario. So, I think FWSM is best suited for my situation. Anyways, I also found a very document on Cisco.com that explained a few ambiguous things. Thanks for your help.
- Jay
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide