Network Topology/Security Question

Justin Westover
Level 1

I have uploaded a topology diagram of what I am trying to do. Basically I have a DMZ ASA and another ASA on the inside of our network. The ASA on the inside, connected beneath the 4507, is the firewall for our datacenter. The datacenter ASA then connects to the 4948 switch. What I am proposing to do is also use that same 4958 switch with different VLANs and trunk it to the DMZ ASA (obviously this means I would use sub-interfaces on the ASA).

So the ASA sub-interfaces would be the default gateway for workstations/servers in the DMZ.

I just want to make sure that this design doesn't cause some sort of security flaw. I would also use VLAN pruning, allowing only the DMZ VLANs into the trunk going into the DMZ and allowing only the datacenter VLANs into the trunk going into the datacenter ASA. Just wondering if this might cause some problems security-wise, or is this pretty safe?

3 Replies

Jon Marshall
Hall of Fame

Justin

Your diagram shows 3 firewalls, are these separate firewalls?

It's difficult to comment without knowing exactly what access is needed from where. You say the DMZs have both workstations and servers in them?

Also the other data centre vlans, ie. the non-vlanned ones, are they routed off -

1) the 4848

2) the data centre ASA

3) the 4507 and the DC ASA is in transparent mode

By the sounds of it the DMZ devices don't need to talk to the non-firewalled DC vlans? If they do, what is the traffic flow path, ie. are you going to have a transit vlan between whatever you are routing the DC vlans off and a subinterface on the DMZ ASA?

If the DMZ vlans do not need to communicate with the rest of the DC, for the sake of a DC my initial reaction would simply be to purchase a L2 switch, as you are routing the DMZs off the ASA anyway so there is no need for L3. This would remove -

1) the danger of any misconfiguration on the 4948 switch

2) it would also isolate any security issues, ie. a DOS for example would not affect the 4948 switch, which could be critical if you have important non-firewalled servers connected.

However, if the firewalled vlans do need to communicate with the non-firewalled vlans then perhaps you could provide some more detail, eg. the traffic path as mentioned above.

Jon

The Main Corp ASA is our main corporate firewall. This is the firewall that handles VPN terminations and handles all NATting.

As for the Datacenter VLANs, those would be sub-interfaces on the Datacenter ASA. The 4948 would have a trunk between itself and the DC ASA, and obviously the 4948 would have the VLANs in its VLAN DB.

The same thing would happen on the DMZ ASA: the DMZ ASA would have sub-interfaces, and that same 4948 that has a trunk going to the DC ASA would have another trunk going to the DMZ ASA. Both trunks (e.g. trunk to DC ASA and trunk to DMZ ASA) would have VLAN pruning enabled.

All servers would use the ASA sub-interface IP address as their default gateway. So whether a server is in the datacenter network or on the DMZ, they use the sub-interface IP address from either the DC ASA or the DMZ ASA for their gateway.

Yes, I agree about the DoS attack. There are obviously some cons to setting it up this way, but our network is quite small so we can't really constitute another 10-15K worth of switches just for DMZ access. Plus I believe the 4948 has some security features on it to help protect against DoS attacks, do you know of those?

Anyway, what do you think? Any concerns you see other than the DoS?

If everything is being routed off the ASAs then it is less of a problem as far as I can see.

By the way, don't use pruning because the ASAs won't understand it and participate in it. Simply use "switchport trunk allowed" on the trunk port configurations on the 4948 and you should be fine.

Your ASAs can provide some protection from DOS with an allowed number of connections, as can the application itself sometimes. Your only real concern is if a server is incorrectly assigned into the wrong vlan on the 4948 switch. Even then it would be very difficult to exploit this from the internet, ie. you would need to compromise another device on the same vlan to then be able to connect to this server.

Standard security features on the 4948 should be used, ie. -

1) don't use vlan 1

2) use an unused vlan, eg. vlan 999, as the native vlan and do not create any subinterfaces for this vlan on the ASAs, as you do not need to route the native vlan

3) create another unused vlan, eg. vlan 998, and allocate all unused ports into this vlan. Again, do not create any subinterfaces for this vlan on the ASAs.

4) Use TACACS+ if possible to log in to the 4948 and also limit the source IPs that can log in to that device

5) if you have a management vlan for switches then make sure it is -

a) not vlan 1

b) not any of the vlans mentioned above, and also not any of the vlans used for end devices.

Jon
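The two-trunk design Justin describes (one 4948, separate "switchport trunk allowed vlan" lists toward the DC ASA and the DMZ ASA) and Jon's hardening checklist above can be turned into a repeatable check on the switch's running-config. The following is an added example written for this thread, not code from the original posts or from Cisco: it embeds a constructed 4948-style config and audits it for VLAN 1 use, an unused native VLAN that is never trunked, unused ports parked in a second unused VLAN, a management VLAN kept off the ASA trunks, TACACS+ login and a source-restricted vty. The interface names, the VLAN numbers (10/20 DMZ, 100/110 DC, 900 management, 998 parking, 999 native) and the ASA_TRUNKS mapping of trunk ports to firewalls are all assumptions chosen for the illustration.

```python
"""Audit a Catalyst 4948-style running-config against the thread's checklist.
Added example; the config and the VLAN/port numbering below are constructed
assumptions, not anything from the original posts."""
from collections import defaultdict

NATIVE_VLAN, PARKING_VLAN, MGMT_VLAN = 999, 998, 900                      # assumed
ASA_TRUNKS = {"GigabitEthernet1/1": "DMZ", "GigabitEthernet1/2": "DC"}   # assumed
RESERVED = {1, NATIVE_VLAN, PARKING_VLAN, MGMT_VLAN}   # must never ride an ASA trunk

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
interface Vlan900
 ip address 192.0.2.10 255.255.255.0
interface GigabitEthernet1/1
 description trunk to DMZ ASA
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
interface GigabitEthernet1/2
 description trunk to DC ASA
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,110
 switchport mode trunk
interface GigabitEthernet1/3
 description DMZ web server
 switchport access vlan 10
 switchport mode access
interface GigabitEthernet1/4
 description DC server, access vlan never set
 switchport mode access
interface GigabitEthernet1/5
 description unused port
 switchport access vlan 998
 switchport mode access
 shutdown
line vty 0 4
 access-class MGMT-HOSTS in
"""


def parse_stanzas(config):
    """Map each 'interface ...' / 'line ...' header to its indented child lines."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(("interface ", "line ")):
            current = raw
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None            # back at global config level
    return stanzas


def expand_vlans(spec):
    """'10,20-22' -> {10, 20, 21, 22}, the IOS allowed-vlan list syntax."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def _value(lines, prefix, default):
    """Last word of the first child line starting with prefix, else default."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)


def audit(config):
    """Return a list of findings; an empty list means the checklist is satisfied."""
    findings, carried = [], defaultdict(set)
    for header, lines in parse_stanzas(config).items():
        kind, name = header.split(None, 1)
        if kind == "line" and name.startswith("vty"):
            if not any(l.startswith("access-class ") for l in lines):
                findings.append(f"{header}: no access-class; restrict management source IPs")
            continue
        if kind != "interface" or name.startswith("Vlan"):
            continue
        mode = _value(lines, "switchport mode", None)
        if mode == "trunk":
            native = int(_value(lines, "switchport trunk native vlan", 1))   # IOS default is 1
            allowed = _value(lines, "switchport trunk allowed vlan", None)
            if native != NATIVE_VLAN:
                findings.append(f"{name}: native vlan {native}, expected unused vlan {NATIVE_VLAN}")
            if allowed is None:
                findings.append(f"{name}: trunk carries all VLANs; restrict with 'switchport trunk allowed vlan'")
            else:
                vlans = expand_vlans(allowed)
                if vlans & RESERVED:
                    findings.append(f"{name}: trunk carries reserved VLAN(s) {sorted(vlans & RESERVED)}")
                if name in ASA_TRUNKS:
                    carried[ASA_TRUNKS[name]] |= vlans
        elif mode == "access":
            vlan = int(_value(lines, "switchport access vlan", 1))            # IOS default is 1
            if vlan == 1:
                findings.append(f"{name}: access port defaults to vlan 1; assign an explicit VLAN")
            elif "shutdown" in lines and vlan != PARKING_VLAN:
                findings.append(f"{name}: unused port should sit in parking vlan {PARKING_VLAN}")
            elif "shutdown" not in lines and vlan in RESERVED:
                findings.append(f"{name}: live port in reserved vlan {vlan}")
    overlap = carried["DMZ"] & carried["DC"]          # DMZ and DC trunks must be disjoint
    if overlap:
        findings.append(f"VLAN(s) {sorted(overlap)} reach both the DMZ and DC ASA trunks")
    if "aaa authentication login default group tacacs+" not in config:
        findings.append("TACACS+ login authentication not configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the constructed config, the audit reports only GigabitEthernet1/4, the port whose "switchport access vlan" was never set and which therefore lands in VLAN 1, which is exactly the mis-assignment Jon calls the one real concern. The disjointness check on the two ASA trunks is what enforces the "only DMZ VLANs into the DMZ trunk" intent without relying on VTP pruning. The parser deliberately only reads the first "switchport trunk allowed vlan" line per interface; an "add"/"remove" form would need extending.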