DMZ Network Design

adamgibs7
Level 6

Dears 

I am setting up a DMZ network and we have purchased a WSA. From a design perspective, I would like to understand whether it is OK to connect the P1 port of the WSA to the internal core switch (logically, traffic will pass through the internal firewall) and the P2 port to the External Firewall DMZ zone. Is that a good way of connecting it?

OR

I should connect both P1 and P2 to the external firewall, via DMZ-1 and DMZ-2.

Scenario 1 Traffic flow

The user initiates a request to google.com. Traffic hits the Internal Firewall as the default gateway, and the firewall routes the traffic to the proxy P1 port (explicit proxy configured), because the P1 port's default gateway is the internal firewall, connected via the core switch. The proxy does web filtering and then sends the traffic out from the P2 port to the external firewall, which routes it to the internet.

Scenario 2 Traffic flow

The user initiates a request to google.com. Traffic hits the Internal Firewall as the default gateway, and the firewall routes the traffic to the proxy P1 port through the External Firewall's internal interface; the External Firewall then routes it to DMZ-1, to the proxy interface. The proxy does web filtering and then sends the traffic out from the P2 port, back to the external firewall on DMZ-2, which routes it to the internet.

Also, I don't have external switches (facing the ISP internet router) on which I can connect the internet link. In that case, if I use my DMZ switches with VLAN segregation, will that be good security, or is it preferred to have isolated external switches?

Thanks 

2 Accepted Solutions

Milos_Jovanovic
VIP Alumni

Hi @adamgibs7,

I would proceed with scenario #1. Given that this kind of traffic is outbound traffic, I see no added benefit in passing this traffic via multiple firewalls. One FW, which is in front of the P2 interface, is enough from my standpoint. In your case, given that the internal FW is the default GW for the user segment, it looks to me inevitable to go via the internal and then the external FW, but I would stop there. Sending traffic via the internal and then 2x external looks unnecessary to me.

Kind regards,

Milos

amojarra
Cisco Employee

I also agree with Milos.

There won't be any need for another firewall between the WSA and the clients.

"P1 port Default gateway is internal firewall connected via a core switch ...."

So, in this case you will have: Client > Core-Switch > Internal Firewall > Core-Switch > WSA > External Firewall > ISP

And for Scenario 2 (please correct me if I'm wrong): Client > Core-Switch > Internal Firewall > External Firewall > WSA > External Firewall > ISP

 

Kindly note that most of your traffic will be HTTPS, so the WSA can decrypt and re-encrypt it, and the firewalls won't have that much visibility into your HTTPS traffic.

 

 

Regards,

Amirhossein Mojarrad


5 Replies

 

Dears, thanks.

The servers which are on the DMZ and need to go to the internet have to send their traffic to the explicit proxy IP address, which is the P1 port IP address, so the traffic has to be routed from

external firewall--- Internal firewall--WSA P1 port ----WSA-P2 port ---Internet ,

which is a huge round trip back to the proxy. Instead of doing this, if I connect a P3 port from the proxy to the external firewall and make that the explicit proxy IP address for the DMZ servers, would that make sense?

Please reply; awaiting the experts' advice.

Thanks

Hi @adamgibs7,

There is no P3 port on the WSA. Please see this guide, and you'll get a feeling for the ports. What may appear to you as P3 could actually be T1, which is not the same as P1.

I personally don't see any huge jumping (just imagine how many different points your traffic goes through on the Internet), and this is quite a standard setup. You can't have a WSA port sitting in each zone, as it simply doesn't make sense. However, if you are still concerned about it, you can always bring up another WSAv in a different zone and use that one for specific traffic.

Kind regards,

Milos

amojarra
Cisco Employee

Hello @adamgibs7,

As Milos mentioned, we don't have a P3 (M1: Management; P1 & P2: Data ports; T1 & T2: Tap interfaces, which are not used for proxying data).

 

As you surely know, design is not one-size-fits-all, and there are a couple of items which are critical for decision making.

It is best to identify the path between client and internet; then you can proceed to deciding where to put your WSA.

Also, if you are planning to use transparent proxy or IP spoofing, it is best to use both P1 and P2.

Regarding the path you mentioned, I can see the External Firewall in between the Clients and the Internal Firewall:

external firewall--- Internal firewall--WSA P1 port ----WSA-P2 port ---Internet 

 

Maybe it is like this:

Client --> internal Firewall --> External Firewall --> internet 

If the above path is correct, you can put the WSA behind either of the Firewalls, depending on your network design:

[1] Client --> WSA -->  internal Firewall --> External Firewall --> internet

[2] Client --> internal Firewall -->WSA --> External Firewall --> internet

It is better not to let the WSA face the public internet; in this case you can filter some unwanted traffic (like floods ...) with your firewall.

 

Regards,

Amirhossein Mojarrad
