Contributor

Put firewall at wireless network.

Hi, we have a diagram like the one I attached. The users need to go to the internet from their PC, AP, switch, etc. But we would like the first hop of user traffic to be at the firewall. That also means that when running tracert 8.8.8.8 on a PC, the first hop is at the firewall. Can anyone give some suggestions on where we need to put the firewall? Thank you.

 

6 REPLIES
VIP Advisor

Re: Put firewall at wireless network.

Firewalls are generally deployed at the edge:

 

1. For securing the entire network, it should be at the perimeter, that is after ASR and 7K between (thinking that after ASR it is the Internet or MPLS Cloud).

2. Why would you like to deploy the FW at the next level? Where are your WLC and other networks?

3. Or is this wireless external, or for internal users?

BB
*** Rate All Helpful Responses ***
Contributor

Re: Put firewall at wireless network.

Thank you so much for your reply. I did not make it clear.

 

2. Why would you like to deploy the FW at the next level? Where are your WLC and other networks?

    The two WLCs are connected to the two N7Ks.

3. Or is this wireless external, or for internal users?

    The APs and users are internal and are behind the switches. If the first hop of the internal user traffic is at the firewall, it can prevent some insecurity issues from inside.

VIP Advisor

Re: Put firewall at wireless network.

Do you also have a perimeter FW?

 

Internal users should always be trusted. Not sure how your authentication is done for the wireless users?

 

BB
*** Rate All Helpful Responses ***
Contributor

Re: Put firewall at wireless network.

That is because the company has guest and inside wireless VLANs on the same AP. Its VLAN traffic needs to go through the firewall first, so the first hop is at the firewall. The network has a firewall located between the ASR and N7K. Not sure about the relation of these VLAN connections among the N7K, firewall and 3750 switch from a wireless perspective.

VIP Advisor

Re: Put firewall at wireless network.

You need to segment the traffic for the guest users, who are not required to access internal resources (until any resource is required).

 

The corporate SSID can access internal resources.

 

In either case I would suggest having a different segment FW. The ASA supports context-based FW, so you can do both ways to protect external and internal.

 

BB
*** Rate All Helpful Responses ***
Contributor

Re: Put firewall at wireless network.

Thank you very much. You are right.

Just one question: we assume there is no firewall in the whole network. If a user PC tries to access the internet in that network, the first hop should be at the gateway, which is defined at the controller guest interface, or the guest VLAN interface IP address?
