10-07-2021 06:58 AM
Good day all,
I have been tasked with providing a recommendation for securing a specific server on our network. Our network is Cisco-centric, hence being here. As it stands I have a 3560CX switch connected to the server. From that switch it goes to a 4500X, then to another 4500X, and finally out our firewall (sadly Palo Alto).
I am required to provide a recommendation to prevent any other device from getting to snoop unencrypted traffic from this server. So I need to have some sort of tunnel/ACL/combination of them to prevent anybody from tampering with this server. The server itself builds a VPN outbound to a server in a different country.
I have looked at VRF-Lite as well as GRE; however, with the Palo Alto in the mix and it not supporting VRF, I am not overly sure what to do. Do I stop the VRF at the last 4500 and then GRE it to the Palo Alto? I do not have any routers available, only the layer 3 switches I mentioned.
If I find a solution, I believe they will want to implement it with numerous other IP ranges to prevent snooping from one range to another.
Any help would be greatly appreciated.
Server – 3560 – 4500 – 4500 – Palo Alto --- Internet
10-07-2021 07:13 AM
Hi there,
The Palo Alto does support VRFs; they are called Virtual Routers in Palo parlance.
You could tag your server VLAN all the way towards the Palo and to a layer 3 interface in the new VR. You would then need to leak routes between this new VR and the default VR which has your internet connectivity. This can be done with either BGP or static routes. Finally, create a security policy between the security zones involved to allow inter-zone traffic.
You could achieve the same level of security just by using security policies; the extra VR doesn't really gain you anything.
Regarding snooping of unencrypted traffic, the bad actor would need to be on the same layer 2 subnet to observe any broadcasts, and to snoop anything else it would need to spoof the server's address. If you tightly control your infrastructure this should be easy to control. Beyond that, you are talking about rogue wire taps, and if you encounter those you have some big problems!
cheers,
Seb.
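The Palo Alto side of the design Seb describes (tagged server VLAN terminated on a layer 3 sub-interface in its own virtual router, static route leaking to the default VR, a dedicated zone, and a tight security policy), written out as PAN-OS configure-mode `set` commands. This is an added example, not configuration from the thread or from Palo Alto. Everything concrete is assumed: `ethernet1/3` as the trunk from the 4500X, VLAN tag 100, server subnet 10.50.0.0/24 with the server at 10.50.0.10, an existing default VR with a zone named `UNTRUST`, and IKE/ESP as the server's outbound VPN (the thread does not say what VPN it is, so substitute the real App-IDs). Lines starting with `#` are annotations, not CLI.

```text
# Added example (not from the original thread). All names and addresses are assumed.

# 1. Layer 3 sub-interface that terminates the tagged server VLAN (tag 100 assumed)
set network interface ethernet ethernet1/3 layer3 units ethernet1/3.100 tag 100
set network interface ethernet ethernet1/3 layer3 units ethernet1/3.100 ip 10.50.0.1/24

# 2. New virtual router that holds only that interface
set network virtual-router SERVER-VR interface ethernet1/3.100

# 3. Route leaking with static routes via next-vr:
#    SERVER-VR sends everything to the default VR (which has the internet),
#    the default VR learns how to reach the server subnet
set network virtual-router SERVER-VR routing-table ip static-route TO-DEFAULT-VR destination 0.0.0.0/0 nexthop next-vr default
set network virtual-router default routing-table ip static-route TO-SERVER-VR destination 10.50.0.0/24 nexthop next-vr SERVER-VR

# 4. Dedicated zone so the rulebase can name the server segment
set zone SERVER-ZONE network layer3 ethernet1/3.100

# 5. Security policy: only the server, only outbound, only its VPN apps
#    (ike / ipsec-esp assumed; replace with the server's real VPN App-IDs).
#    Anything else between zones falls through to interzone-default, which denies.
set rulebase security rules SERVER-VPN-OUT from SERVER-ZONE to UNTRUST source 10.50.0.10 destination any application [ ike ipsec-esp ] service application-default action allow
set rulebase security rules SERVER-VPN-OUT log-end yes

# 6. Explicit, logged deny towards the server zone so attempts show up in traffic logs
set rulebase security rules BLOCK-TO-SERVER from any to SERVER-ZONE source any destination any application any service any action deny
set rulebase security rules BLOCK-TO-SERVER log-end yes

commit
```

On the Cisco side the matching piece is just transport: the server port on the 3560CX is an access port in VLAN 100, VLAN 100 is allowed on the trunks through both 4500Xs, and no SVI for VLAN 100 is created on the switches, so the only layer 3 hop for that segment is the sub-interface on the firewall. Step 6 is what Seb means by "the same level of security just by using security policies": with the default interzone deny plus that rule, the separate VR adds routing isolation but no additional filtering.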