11-30-2024 01:56 PM
Hi,
I have one switch in each DMZ zone. Each DMZ VLAN has the default gateway on the firewall.
I am wondering what is considered the best practice:
Or
11-30-2024 03:42 PM
How many switches? I would say connecting directly to the firewall would be best practice from a security perspective, but will the firewall have enough interfaces?
12-01-2024 01:20 AM
@Flavio Miranda 5 switches. Could you please explain why connecting them directly to the firewall is a better option?
12-01-2024 01:51 AM
Control. The traffic will not be handed off to an intermediate device. Less risk of downtime. Lower latency. Less overhead.
12-01-2024 02:36 AM
@Flavio Miranda Security-wise, is it the same or not?
12-01-2024 03:27 AM - edited 12-01-2024 03:28 AM
Less exposure. The traffic stays closer to the firewall.
Of course, if you use the core in between, it will not be a risk or a terrible mistake, but there are a few reasons to prefer connecting the DMZ switch to the firewall if possible.
12-01-2024 03:41 AM
@Flavio Miranda Is there any Cisco literature (books, documents...) where I can find design recommendations on this topic?
12-01-2024 03:54 AM
Here in the community there are a lot of discussions related to this topic.
Here is one example. If you explore, you can find a lot more.
12-01-2024 04:45 AM
Sure, Option 1.
The DMZ is used for server access from outside; if there is a DDoS attack that saturates the link, then it is better that only the servers are affected, not internal users.
MHM
12-01-2024 05:10 AM
@MHM Cisco World But in case of a DDoS from the outside, access to the DMZ network is controlled via the firewall in both cases. What am I missing?
12-01-2024 06:00 AM
In case the FW does not detect the DDoS or any attack, it is more secure to separate the servers from internal hosts.
For docs, I will send you the doc as a PM tonight.
MHM
12-01-2024 07:47 AM
My perspective on this question is that a DMZ is intended to provide connectivity for some devices while keeping those devices isolated from the inside/private network. That perspective leads me to believe that connecting the DMZ VLAN to the firewall is better than connecting to the core switch. The firewall would provide more effective isolation.
I am also basing my suggestion on this from the OP: "Each DMZ VLAN has the default gateway on the firewall". If the DMZ VLAN gateway is the firewall, why would you want to connect to the core switch?
12-01-2024 09:43 AM
As others have already recommended, directly connecting to the FW would be considered more secure. This is mainly for two reasons. First, when sharing a transit device, an "accidental" misconfiguration isn't as likely to join DMZ traffic with other traffic. Second, sharing a device provides a physical joining which might be breached by a security flaw in the logical divisions.
In practice, the latter risk is usually low. Misconfigurations, though, are a constant risk, but even FWs can be misconfigured and/or have a security flaw.
Usually, those tasked with security, such as the configuration of FWs, and the vendors of FWs focus on their correct operation for security, which, probably, again makes the direct FW approach less likely to permit a security breach.
BTW, I'm not saying using a core switch for transit is necessarily much less secure, just that, in theory, it makes a security breach a tiny bit more likely. How much of a concern that difference should cause also depends on the value of what you're protecting.
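The two risks the replies above keep coming back to, a shared transit switch accidentally carrying DMZ VLANs alongside inside VLANs and a switch quietly taking over a DMZ gateway that the OP says lives on the firewall, can be checked mechanically against a switch config. The script below is an added example written for this page, not code from the thread, from Cisco, or from any Cisco tool. It parses an IOS-style running config and flags three things: an SVI (interface VlanN) with an IP address in a DMZ VLAN, a trunk whose allowed-VLAN list mixes DMZ and inside VLANs, and an access port in a DMZ VLAN with no description. The VLAN numbers (DMZ_VLANS, INSIDE_VLANS) and the sample config are constructed assumptions for the demo.

```python
"""Audit an IOS-style switch config for DMZ isolation mistakes (added example).

Assumptions (not from the thread): VLANs 30/31 are DMZ, 10/20 are inside, and
the DMZ VLANs' default gateway is the firewall, so no switch should own an SVI
with an IP address in a DMZ VLAN.
"""
import re
from typing import Dict, List, Set, Tuple

DMZ_VLANS = {30, 31}        # assumed DMZ VLAN IDs
INSIDE_VLANS = {10, 20}     # assumed inside VLAN IDs
ALL_VLANS = set(range(1, 4095))

# Constructed sample running-config, not taken from any real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Uplink to firewall DMZ interface
 switchport mode trunk
 switchport trunk allowed vlan 30,31
!
interface GigabitEthernet1/0/2
 description Uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet1/0/3
 description web01
 switchport mode access
 switchport access vlan 30
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 31
!
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
!
interface Vlan30
 ip address 10.0.30.2 255.255.255.0
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [its indented sub-commands]} in config order."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return interfaces


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list like '10,20,30-32' (or 'all'/'none') into a set."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def trunk_allowed_vlans(lines: List[str]) -> Set[int]:
    """VLANs a trunk carries; IOS allows all VLANs unless the config restricts it."""
    allowed = set(ALL_VLANS)
    for line in lines:
        m = re.match(r"switchport trunk allowed vlan(?: (add|remove|except))? (.+)", line)
        if not m:
            continue
        op, vlans = m.group(1), expand_vlan_list(m.group(2))
        if op == "add":
            allowed |= vlans
        elif op == "remove":
            allowed -= vlans
        elif op == "except":
            allowed = set(ALL_VLANS) - vlans
        else:
            allowed = vlans
    return allowed


def audit(config: str, dmz: Set[int], inside: Set[int]) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for DMZ isolation problems."""
    findings: List[Tuple[str, str]] = []
    for name, lines in parse_interfaces(config).items():
        svi = re.fullmatch(r"Vlan(\d+)", name, re.IGNORECASE)
        if svi and int(svi.group(1)) in dmz and any(l.startswith("ip address") for l in lines):
            findings.append((name, "SVI with IP address in a DMZ VLAN: switch could route DMZ traffic around the firewall"))
            continue
        if "switchport mode trunk" in lines:
            allowed = trunk_allowed_vlans(lines)
            if allowed & dmz and allowed & inside:
                findings.append((name, f"trunk carries DMZ VLANs {sorted(allowed & dmz)} together with inside VLANs {sorted(allowed & inside)}"))
        for l in lines:
            acc = re.match(r"switchport access vlan (\d+)", l)
            if acc and int(acc.group(1)) in dmz and not any(x.startswith("description") for x in lines):
                findings.append((name, f"undocumented access port in DMZ VLAN {acc.group(1)}"))
    return findings


if __name__ == "__main__":
    for iface, msg in audit(SAMPLE_CONFIG, DMZ_VLANS, INSIDE_VLANS):
        print(f"{iface}: {msg}")
```

On the sample config the core-facing trunk (10,20,30), the undocumented port in VLAN 31 and the Vlan30 SVI are reported; the firewall-facing trunk carrying only DMZ VLANs is clean. Note that a trunk with no `switchport trunk allowed vlan` line carries every VLAN by default, which is exactly the "accidental" joining the thread describes, and the script treats it that way.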