Multi-tiered Firewall (for Web,App,DB) - DMZ switch should be L2 or L3?

steven.pw.lau
Level 1

Hi,

If I've a multi-tiered Firewall design with 3 firewall tierings for web servers, middle-tier apps servers and also database servers as in the diagram below..

FW-A
  |
  |
Switch-----Web Server
  |
  |
FW-B
  |
  |
Switch-----App Server
  |
  |
FW-C
  |
  |
Switch-----DB Server
  |
  |
------------- LAN

Should the switches be a Layer 2 or a Layer 3 switch?

The web server would need to have two connections out (one for replying to requests from clients on the Internet, and the other connection is towards the App server).

Hence, if a L2 switch is used, then web server's default gw would need to point to FW-A and FW-A will also need to have another route to the App Server subnet.
However, to establish a connection towards the App Server, the web server will need to go through the switch->FW-A->switch->FW-B->switch->App server.

Would the firewall be dropping the connection since it will see the source IP address (web server) going in and out of the same interface?

Would a Layer 3 switch be a more suitable recommendation, since we can then define the route to the App Server subnet on that switch itself instead of using FW-A? This will restrict FW-A to only be able to access the Web Server tiered segment instead of having routes to the 2nd tier segment..

Kindly advise on the more practical approach..

Thanks..

7 Replies

Jon Marshall
Hall of Fame

Personally, in these sorts of architectures that I have seen, it should always be an L2 switch.

You simply don't want routing in your DMZs because of the possibility of routing around firewalls due to configuration errors. It does help significantly with the routing if you can summarise your internal networks with a single routing entry.

steven.pw.lau wrote:

Hence, if a L2 switch is used, then web server's default gw would need to point to FW-A and FW-A will also need to have another route to the App Server subnet.
However, to establish a connection towards the App Server, the web server will need to go through the switch->FW-A->switch->FW-B->switch->App server.

Not sure I agree with this logic. The web server has 2 connections: one NIC to a DMZ connected to FW-A and one to a DMZ connected to FW-B. If the web server needs to send packets to the apps servers then it simply goes directly to FW-B because it has a NIC on that DMZ. It only goes to FW-A to send traffic back out to the internet.

Jon

How about those servers which are single-homed with one single NIC (one GigE port)?

One way of doing this is to manually configure the routing in the server itself but this would not be practical if there are many servers..

Thanks..

steven.pw.lau wrote:

How about those servers which are single-homed with one single NIC (one GigE port)?

One way of doing this is to manually configure the routing in the server itself but this would not be practical if there are many servers..

Thanks..

But that's the point. You don't design something like this and then have single-homed servers. If you find you have single-homed servers then the design is not fit for purpose.

As for routing, it should be a one-off thing when you deploy the servers, not a continual ongoing maintenance. Again, if you think this is not practical then you don't have a design fit for purpose.

If you want to deploy L3 switches then you can. I was simply saying that in all designs I have seen, DMZs are always routed off the firewall interfaces and not by an L3 switch, for very good reason. The temptation somewhere down the line would be to add another DMZ to one of the switches. Now you have to use standard access-lists to make sure one DMZ cannot route to another without going to the firewall.

Jon

Thanks Jon. I agree with you on that.

Having said that, if I've a web server with a public NIC pointing to the tier-1 firewall and the private NIC pointing to the tier-2 firewall to access the apps server subnet, I will not be able to configure two different default gateways on the servers without hitting problems.

In this case, do you normally see that the tier-2 firewall operating in transparent mode (such that the apps server subnet will be the same as the web's private NIC's subnet) so that the web server's private NIC does not require a default gateway?

Or is there any other way of doing this?

steven.pw.lau wrote:

Thanks Jon. I agree with you on that.

Having said that, if I've a web server with a public NIC pointing to the tier-1 firewall and the private NIC pointing to the tier-2 firewall to access the apps server subnet, I will not be able to configure two different default gateways on the servers without hitting problems.

In this case, do you normally see that the tier-2 firewall operating in transparent mode (such that the apps server subnet will be the same as the web's private NIC's subnet) so that the web server's private NIC does not require a default gateway?

Or is there any other way of doing this?

Steven

You could use transparent, but the primary way of doing it is the way we have already discussed, and that is to statically add a route for the apps server subnet to the web servers. You can't, as you say, use 2 default routes, and as the web server is internet facing you have to use the default route for internet traffic.

A L2 transparent firewall is another alternative as you say. The only other way to do it is to "bounce" the traffic from the web server to the apps server via FW-A.

Jon
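As an added illustration (not code from the thread or from Cisco), here is a small Python model of the dual-homed web server's route table under the static-route approach described above: one default route towards FW-A, one static route for the apps subnet towards FW-B, and a check for the two mistakes discussed (a second default gateway, or apps-tier traffic leaving via FW-A and needing to be bounced). All interface names and addresses are made up.

```python
import ipaddress
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

# Constructed addressing for the diagram in the thread (all made up):
#   eth0: public DMZ behind FW-A,  web server 192.0.2.10, FW-A inside  = 192.0.2.1
#   eth1: private DMZ behind FW-B, web server 10.1.0.10,  FW-B outside = 10.1.0.1
#   the apps server subnet 10.2.0.0/24 sits behind FW-B
PUBLIC_DMZ = IPNet("192.0.2.0/24")
PRIVATE_DMZ = IPNet("10.1.0.0/24")
APP_SUBNET = IPNet("10.2.0.0/24")
FW_A = IPAddr("192.0.2.1")
FW_B = IPAddr("10.1.0.1")

# (prefix, next hop or None if directly connected, interface)
Route = Tuple[IPNet, Optional[IPAddr], str]

def web_server_routes(with_app_route: bool) -> List[Route]:
    """Route table of the dual-homed web server: two connected subnets, exactly
    one default route (FW-A), and optionally the single static route via FW-B."""
    routes: List[Route] = [
        (PUBLIC_DMZ, None, "eth0"),
        (PRIVATE_DMZ, None, "eth1"),
        (IPNet("0.0.0.0/0"), FW_A, "eth0"),
    ]
    if with_app_route:
        routes.append((APP_SUBNET, FW_B, "eth1"))
    return routes

def next_hop(routes: List[Route], dst: str) -> Tuple[str, str]:
    """Longest-prefix match, as the server's kernel does it; returns (iface, gateway)."""
    addr = IPAddr(dst)
    prefix, gw, iface = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return iface, ("connected" if gw is None else str(gw))

def validate(routes: List[Route]) -> List[str]:
    """Flag a second default gateway, or apps-tier traffic that would leave via FW-A."""
    problems = []
    defaults = [r for r in routes if r[0].prefixlen == 0]
    if len(defaults) != 1:
        problems.append(f"expected exactly one default route, found {len(defaults)}")
    if next_hop(routes, str(APP_SUBNET.network_address + 1))[0] != "eth1":
        problems.append("apps-tier traffic would leave via eth0 (FW-A) and have to be bounced")
    return problems

def ip_route_commands(routes: List[Route]) -> List[str]:
    """Linux 'ip route' lines for the non-connected entries (illustration only)."""
    return [f"ip route add {p} via {gw} dev {i}" for p, gw, i in routes if gw is not None]
```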

steven.pw.lau
Level 1

Bouncing off FW-A probably would require me to use the ASA command of same-security interface permit intra-interface for an ASA firewall.

Another way I can think of is to do a NAT on the apps server on FW-B so that requests from the web server will be NAT'ed and would not require routing.

Have you seen cases where all three firewalls also perform NAT?

Thanks,

Steven

steven.pw.lau wrote:

Another way I can think of is to do a NAT on the apps server on FW-B so that requests from the web server will be NAT'ed and would not require routing.

Do you mean NAT the apps server so that it appears to be on the same subnet as the web server NIC connected to FW-B ?

If so, yes, this could work, but it is introducing complexity to avoid having to add a route to the web server. I understand that adding routes to servers is often frowned upon, but the route should only be one route, i.e. how to get to the apps servers, and in this particular design it is the one I have seen used most often. It is not a maintenance issue unless you are continually changing the apps servers' IP subnet, which I seriously doubt, although admittedly it does require communication between the network people and the server people.

Generally speaking NAT should only really be used in this setup to translate an address from one to another if needed. There is no need to NAT the apps servers because they are not contactable from the internet so they can simply use their private IP. Only the web servers need to have a NAT setup.

Having said that, if you had the IPs available in the web server subnet then it is a possible solution if you are that reluctant to add a route to your web servers. It would certainly be preferable to bouncing traffic off FW-A, which is my least favoured option as it just doesn't really follow the traffic flow of the design, if you see what I mean.

Jon