DMZ switches best practice

iores
Level 1

Hi,

I have one switch in each DMZ zone. Each DMZ VLAN has the default gateway on the firewall.

I am wondering what is considered the best practice:

  • Connecting DMZ switches directly to the firewall

Or

  • Connecting DMZ switches via the core switch (L2 only) to the firewall?

12 Replies

@iores 

How many switches? I would say connecting directly to the firewall would be the best practice from a security perspective, but will the firewall have enough interfaces?

@Flavio Miranda 5 switches. Could you, please, explain why connecting them directly to the firewall is a better option?

Control. The traffic will not be handed to an intermediate device. Less risk of downtime. Lower latency. Less overhead.

@Flavio Miranda Security-wise, is it the same or not?

@iores 

Less exposure. The traffic stays closer to the firewall.

Of course, if you use the core in between, it will not be a risk or a terrible mistake, but there are a few reasons to prefer connecting the DMZ switch to the firewall if possible.

@Flavio Miranda Is there any Cisco literature (books, documents...) where I can find design recommendations on this topic?

Here in the community there are a lot of discussions related to this topic.

Here is one example. If you explore, you can find a lot more.

https://community.cisco.com/t5/network-security/recommended-best-practices-for-dmz-layout/td-p/944528 

Sure, option 1.

The DMZ is used for server access from outside; if there is a DDoS attack that saturates the link, then it is better that only the server is affected, not internal users.

MHM

@MHM Cisco World But in the case of a DDoS from the outside, access to the DMZ network is controlled via the firewall in both cases. What am I missing?

In case the FW does not detect the DDoS or any other attack, it is more secure to separate the servers from internal hosts.

For documentation, I will send you a doc as a PM tonight.

MHM

My perspective on this question is that a DMZ is intended to provide connectivity for some devices while keeping those devices isolated from the inside/private network. That perspective leads me to believe that connecting the DMZ VLAN to the firewall is better than connecting it to the core switch. The firewall would provide more effective isolation.

I am also basing my suggestion on this from the OP: "Each DMZ VLAN has the default gateway on the firewall". If the DMZ VLAN gateway is the firewall, why would you want to connect to the core switch?

HTH

Rick

Joseph W. Doherty
Hall of Fame

As others have already recommended, directly connecting to the FW would be considered more secure. This is mainly for two reasons. First, when sharing a transit device, an "accidental" misconfiguration isn't as likely to join DMZ traffic with other traffic. Second, sharing a device provides a physical joining which might be breached by a security flaw in the logical divisions.

In practice, the latter risk is usually low. Misconfigurations, though, are a constant risk, but even FWs can be misconfigured and/or have a security flaw.

Usually, those tasked with security, such as configuration of FWs, and the vendors of FWs focus on their correct operation for security, which, again, probably makes the direct FW approach less likely to permit a security breach.

BTW, I'm not saying using a core switch for transit is necessarily much less secure; just that, in theory, it makes a security breach a tiny bit more likely. How much concern that difference should cause also depends on the value of what you're protecting.
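The misconfiguration risk described in the replies above (a shared core switch accidentally carrying a DMZ VLAN toward inside ports) is something a defender can check for mechanically. The following script is an added example, not code from this thread or from Cisco: it parses an IOS-style running-config excerpt and flags every port that carries a DMZ VLAN without being described as a firewall or DMZ uplink. The interface names, VLAN numbers, descriptions and the "trusted description keywords" convention are all constructed for the example; the one real IOS behaviour it models is that a trunk with no `switchport trunk allowed vlan` line carries all VLANs by default.

```python
import re

# Constructed sample of a shared core switch running-config (IOS-style
# syntax). All names and numbers here are invented for this example.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description uplink to firewall
 switchport mode trunk
 switchport trunk allowed vlan 10,20,100
!
interface GigabitEthernet1/0/2
 description uplink to dmz-sw1
 switchport mode trunk
 switchport trunk allowed vlan 10
!
interface GigabitEthernet1/0/3
 description uplink to dist-sw1 (inside)
 switchport mode trunk
 switchport trunk allowed vlan 10,100
!
interface GigabitEthernet1/0/4
 description inside user port
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/5
 description uplink to wireless controller
 switchport mode trunk
!
"""

# Assumed: the VLAN IDs that belong to the DMZ, and the description
# keywords that mark a port as a legitimate DMZ path (firewall or DMZ switch).
DMZ_VLANS = {10, 20}
TRUSTED_DESC = ("firewall", "dmz")

IFACE_RE = re.compile(r"^interface (\S+)")


def expand_vlan_list(spec):
    """Expand an IOS-style VLAN list such as '10,20,100-102' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config):
    """Return {name: {'description', 'mode', 'vlans'}} for each interface block.

    'vlans' is None when no VLAN list was given; for a trunk that means the
    IOS default of all VLANs, for an access port it means VLAN 1.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = IFACE_RE.match(line)
        if m:
            current = {"description": "", "mode": "", "vlans": None}
            interfaces[m.group(1)] = current
            continue
        if not line.startswith(" "):
            current = None  # '!' or a global command ends the interface block
            continue
        if current is None:
            continue
        cmd = line.strip()
        if cmd.startswith("description "):
            current["description"] = cmd[len("description "):]
        elif cmd.startswith("switchport mode "):
            current["mode"] = cmd.split()[-1]
        elif cmd.startswith("switchport trunk allowed vlan "):
            spec = cmd[len("switchport trunk allowed vlan "):]
            if spec.split()[0].isalpha():
                continue  # 'add/remove/except/all/none' forms are not modelled here
            current["vlans"] = expand_vlan_list(spec)
        elif cmd.startswith("switchport access vlan "):
            current["vlans"] = {int(cmd.split()[-1])}
    return interfaces


def find_leaks(config, dmz_vlans, trusted_keywords):
    """Return sorted (interface, [dmz vlans carried]) for ports that carry a DMZ
    VLAN but whose description does not mark them as a firewall/DMZ path."""
    leaks = []
    for name, info in parse_interfaces(config).items():
        desc = info["description"].lower()
        if any(k in desc for k in trusted_keywords):
            continue
        if info["mode"] == "trunk":
            # No explicit allowed list on a trunk means every VLAN, DMZ ones included.
            carried = set(dmz_vlans) if info["vlans"] is None else info["vlans"] & set(dmz_vlans)
        elif info["mode"] == "access":
            carried = ({1} if info["vlans"] is None else info["vlans"]) & set(dmz_vlans)
        else:
            continue  # routed or unconfigured ports are out of scope here
        if carried:
            leaks.append((name, sorted(carried)))
    return sorted(leaks)


if __name__ == "__main__":
    for iface, vlans in find_leaks(SAMPLE_CONFIG, DMZ_VLANS, TRUSTED_DESC):
        print(f"{iface}: carries DMZ VLAN(s) {vlans} toward a non-DMZ port")
```

Run against the constructed config, the check flags the inside distribution trunk (VLAN 10 allowed), the inside access port placed in VLAN 20, and the undescribed trunk with no allowed list at all, which is the case most often missed in a manual review. On a directly-connected DMZ switch the same audit is trivial, because the only trunk carrying DMZ VLANs is the firewall uplink; that is the practical content of the "less chance of a misconfiguration joining traffic" argument.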
