04-22-2010 02:03 PM - edited 03-06-2019 10:45 AM
Hi,
I've just been tasked with getting a solution together for securing our internal connectivity. Basically I have an internet link and what I need to do is install two firewalls there from different vendors, so one will be an ASA and the other will be from another company, let's say for argument's sake it's Checkpoint. I have a few questions surrounding this.
Internet
|
external switch2
|
Checkpoint
|
external switch1
|
asa
|
Inside/dmz's
1. Will one firewall sit in front of the other, i.e. the ASA is on the inner side and will have a default route to the Checkpoint firewall, or am I wrong?
2. Will I have to have different external switches connected to each respective firewall? Is this more secure?
3. Will both firewalls have to have external IPs?
4. Where will I be NATing in order for internal/DMZ traffic to go out to the internet, the ASA or the Checkpoint?
5. Where should I be terminating VPNs, from the ASA or the Checkpoint?
6. How have other people done this kind of work?
Thanks in advance for any help
Dan
04-22-2010 02:23 PM
dan_track wrote:
Internet
|
external switch2
|
Checkpoint
|
external switch1
|
asa
|
Inside/dmz's
1. Will one firewall sit in front of the other, i.e. the ASA is on the inner side and will have a default route to the Checkpoint firewall, or am I wrong?
2. Will I have to have different external switches connected to each respective firewall? Is this more secure?
3. Will both firewalls have to have external IPs?
4. Where will I be NATing in order for internal/DMZ traffic to go out to the internet, the ASA or the Checkpoint?
5. Where should I be terminating VPNs, from the ASA or the Checkpoint?
6. How have other people done this kind of work?
1) Yes and yes, the default route on the ASA would point to the Checkpoint.
2) No, you don't have to, but yes, it is more secure.
3) No, only the Checkpoint.
4) Checkpoint.
5) Checkpoint.
6) You can do it a number of ways.
One approach is to have, in effect, 2 VLANs per DMZ. A server in this DMZ would be connected to both VLANs. The Checkpoint would connect to the outside VLAN for this DMZ and the ASA would connect to the inside VLANs. The VLANs would have different IP subnets. So from the internet a server is connected to on its external interface via the Checkpoint, and from inside it is connected to on its internal interface via the ASA. If you do this sort of setup then it is important each server does not route traffic.
Alternatively you can have some DMZs only connected to the Checkpoint and some only connected to the ASA, but then you need a "transit" VLAN that connects both the ASA and the Checkpoint.
The topology you design depends on the services you are hosting. A good site to start with is www.sans.org where they have designs for these sorts of things.
Jon
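An added example (my own, not code from this thread) that models Jon's two-VLANs-per-DMZ layout as a small graph to show why the dual-homed DMZ server must not route: with forwarding enabled, internet traffic can land on the inner DMZ VLAN without ever crossing the ASA. Node and VLAN names are assumptions made for the illustration.

```python
from collections import deque

# Constructed model of the thread's layered design: Checkpoint outermost,
# ASA inside it, one DMZ split into an outer VLAN (Checkpoint side) and an
# inner VLAN (ASA side). Node and VLAN names are assumptions for illustration.
def build_topology(server_forwards):
    return {
        "internet":          {"vlans": ["ext2"],                     "forwards": False},
        "checkpoint":        {"vlans": ["ext2", "ext1", "dmz_out"],  "forwards": True},
        "asa":               {"vlans": ["ext1", "dmz_in", "inside"], "forwards": True},
        "dmz_server":        {"vlans": ["dmz_out", "dmz_in"],        "forwards": server_forwards},
        "inner_only_server": {"vlans": ["dmz_in"],                   "forwards": False},
        "inside_host":       {"vlans": ["inside"],                   "forwards": False},
    }

def reachable_without(topo, src, dst, excluded):
    """BFS over nodes joined by shared VLANs. A node relays traffic only if
    it forwards (the source is exempt) and is not in `excluded`."""
    members = {}
    for name, node in topo.items():
        for vlan in node["vlans"]:
            members.setdefault(vlan, []).append(name)
    seen, queue = {src}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            return True
        if cur != src and not topo[cur]["forwards"]:
            continue  # an end host: traffic terminates here and is not relayed
        for vlan in topo[cur]["vlans"]:
            for nxt in members[vlan]:
                if nxt not in seen and nxt not in excluded:
                    seen.add(nxt)
                    queue.append(nxt)
    return False

def asa_bypassed(server_forwards):
    """True if internet traffic can land on the inner DMZ VLAN (and so reach
    a host that lives only there) without ever crossing the ASA."""
    topo = build_topology(server_forwards)
    return reachable_without(topo, "internet", "inner_only_server", {"asa"})

def both_firewalls_in_path(server_forwards):
    """True if the inside network is reachable from the internet, but only
    via a path that crosses both the Checkpoint and the ASA."""
    topo = build_topology(server_forwards)
    return (reachable_without(topo, "internet", "inside_host", set())
            and not reachable_without(topo, "internet", "inside_host", {"asa"})
            and not reachable_without(topo, "internet", "inside_host", {"checkpoint"}))

if __name__ == "__main__":
    print("dual-homed server routing -> ASA bypassed:", asa_bypassed(True))
    print("routing disabled          -> ASA bypassed:", asa_bypassed(False))
```

The same check extends to any host you add with more than one VLAN: if `asa_bypassed` turns true, that host has become a second path around the inner firewall.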