arrayservices
Beginner

Network design question...

Hello, I would really appreciate some design advice on a scenario I am working through. It is as follows:

I have a PCI segment I am building at a site of ours. In the diagram, you will see that I have a 3560G and a Sophos UTM 110/120 firewall. There are a couple of server vlans (app and db) and one user vlan which will house all devices in this PCI zone. The 3560G will terminate connectivity for these users and servers. As part of PCI regulations, I must send traffic between the user and server vlans through the Sophos UTM appliance (not directly switched/routed via SVIs on the 3560). The Sophos appliance has LAN, WAN and DMZ ports.

I have been considering a router on a stick design, with a L2 trunk between 3560 and Sophos, with all L3 interfaces on the Sophos appliance, but the scalability of this design worries me (1gb link between 3560 and Sophos UTM). What are your thoughts on alternate ways to design (if any)? Please help ;-)

Thank you much in advance-

Brian


I'm not really familiar with the UTM 110/120 devices.  (though I do have some Astaro ASG stuff hanging around).  However, in my office network I "sandwich" a couple of pfsense firewalls (in transparent/bridge mode) into the infrastructure.

On the access switch, for each "vlan" I actually create two vlans.

For example:  VLAN 5 = Admin, VLAN 10 = Finance, VLAN 20 = Guest

On the switch I create two vlans for each one:

Admin :  vlan 5 / vlan 50

Finance:  vlan 10 / vlan 100

Guest:  vlan 20 / vlan 200

I use the vlans 5/10/20 as the "outside" of the firewall, and "50/100/200" as inside.

The firewalls have one trunked interface (passing the 3 vlans) on the outside, and another trunked interface on the inside.

I DISABLE CDP on the "inside" and "outside" interfaces pointing towards the firewall(s).

Anything which needs to be protected by the firewall is in the vlans 50/100/200 as required.  Everything non-protected is in the outside vlans.

This is quite scalable since I can sandwich in as many firewalls as I like as long as they have a third management interface to synchronise their configurations and state-tables.

Not sure if this entirely answers the question, but hope it might give some ideas

Leland

Leland, that is very helpful, thank you for the feedback.

How do you handle layer 3 in this configuration, where would the L3 interfaces exist for both the inside and outside vlans?

In my case, I have two 7204 VXRs as the gateways with HSRP (I would use GLBP, but the guest vlan is NATed, so would cause some issues with sessions)... they both connect into the access switch (actually a 3750G stack with 4 switches).

The subinterfaces on the gig-e interfaces from the 7204VXRs are ONLY the "outside" VLANs.

So if you imagine this hierarchically:

< OUTSIDE NETWORK >
    |
< 7204 VXRs >
    |
    (802.1q EXTERNAL vlans ONLY)
    |
< 3750 G >
    |
    (802.1q EXTERNAL vlans ONLY)
    |
    |
    (802.1q INTERNAL vlans ONLY)
    |
< 3750 G >
    |
(end-hosts in their respective INTERNAL VLANs)

Basically the "internal" and "external" VLANs are the "same" vlan at layer 3, just that they are layer-2 separated by the firewalls, so the 7204 VXRs do the layer-3 routing.

Hope that makes sense.

L
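A defender's sanity check for the VLAN-pairing design in Leland's two posts above, added here as an example and not code from the thread: it parses a constructed 3750G-style config and flags anything that would let traffic skip the sandwiched firewall (an outside VLAN allowed on the inside-facing trunk or vice versa, CDP left on towards the firewall, or an SVI with an address on a paired VLAN, since the 7204s are meant to do the routing). Port names, VLAN numbers and addresses are assumptions.

```python
import re
# Constructed config (assumed): Gi1/0/1 uplinks to the 7204s, Gi1/0/2 faces the firewall outside, Gi1/0/3 inside.
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 5,10,20
interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 5,10,20
 no cdp enable
interface GigabitEthernet1/0/3
 switchport trunk allowed vlan 50,100,200
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
"""
PAIRS = {5: 50, 10: 100, 20: 200}  # outside VLAN -> inside VLAN (5/50, 10/100, 20/200)
FIREWALL_PORTS = {"GigabitEthernet1/0/2": "outside", "GigabitEthernet1/0/3": "inside"}

def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks

def allowed_vlans(lines):
    """VLAN IDs on a trunk; comma-separated IDs only (ranges like 5-20 are not handled)."""
    for l in lines:
        m = re.match(r"switchport trunk allowed vlan (.+)", l)
        if m:
            return {int(v) for v in m.group(1).split(",")}
    return set()

def audit(config):
    """Findings that would let traffic bypass the sandwiched firewall."""
    findings, outside, inside = [], set(PAIRS), set(PAIRS.values())
    for name, lines in parse_interfaces(config).items():
        side = FIREWALL_PORTS.get(name)
        if side:  # an inside trunk must never carry an outside VLAN, and vice versa
            leak = allowed_vlans(lines) & (inside if side == "outside" else outside)
            if leak:
                findings.append(f"{name}: {side} trunk carries {sorted(leak)}, bridging around the firewall")
            if "no cdp enable" not in lines:
                findings.append(f"{name}: CDP still enabled towards the firewall")
        m = re.match(r"Vlan(\d+)$", name)  # an SVI on a paired VLAN would route on the switch
        if m and int(m.group(1)) in outside | inside and any(l.startswith("ip address") for l in lines):
            findings.append(f"{name}: SVI routes a firewalled VLAN on the switch, not on the 7204s")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the missing CDP setting on the inside trunk and the stray SVI on VLAN 100; a clean config returns an empty list.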


To clarify, within the pfsense firewalls, the bridge interface for vlan 10 (outside) is "bridged" to the bridge interface for vlan 100 (inside), and so on. The firewall rules are applied in "transparent" mode across that bridged connection between the two physical vlans, so in reality they are the same vlan, just one outside the firewall and the other inside.

That does make sense. Thank you Leland!

I forgot to mention that I do, nevertheless, perform some initial filtering on the 7204 VXRs as well using outbound ACLs on the subinterfaces to the VLANs... but they are relatively generic, and it's the pfsense firewalls that perform the bulk of the security policy. In this way I have two levels of packet filtering/inspection, one at the upstream border/gateway and one at the corporate LAN perimeter.

The other advantage of this is that ANY of the VLANs can have an implicit DMZ -- simply place the DMZ hosts in the "outside" VLAN -- but you need to make sure that your firewall in the middle has sufficient policy rules to prohibit back-flow from the DMZ to the internal protected side.

oh yes.. one other thing... security policy INTER-VLAN in the corporate office LANs is applied on both the pfsense firewalls AND the 7204 VXRs  (again, a double layer of security).  It's a little more complex than it looks on paper, but once you figure out the exact security policies you require, it's pretty straightforward.