
Bump in the wire solution on 6500 switch

Status
Not open for further replies.

ATCal

MIS
Apr 1, 2000
308
US
Hi,

My company is evaluating a "bump in the wire" security solution.
Our problem is with how to integrate it with our switch. The product needs to go in between (intercept the wire) the users and the servers. However, we have a mixture of users and servers on our 6509. Is there any way to segment the blades into almost different switches? We don't want to have to buy another switch to separate the users from the servers.
Thanks for your help.

Al


 
Have you looked at the FWSM (Firewall Services Module) for the 6509? That is purpose built for internal firewalling similar to what you want.
 
I agree with Cluebird. If you have a 6509 and need firewall functionality, you need to get an FWSM.
 
Thanks for the replies.

Not a "traditional" firewall. A third-party identity based firewall, so it needs to fit "in the wire" between the users and the servers. For a single server, or a small subset of servers on a separate switch, not a problem.
I need to know if there is any way to segment (not VLANs) a modular switch into separate "switches" trunked with this appliance in between (it is true Gigabit throughput).

Thanks-

Al


 
I am a tad confused by your requirements. What are you trying to accomplish? Are you trying to firewall users or authenticate users? With a chassis based switch you can use VRFs to segment the switch.
 
As a mentor of mine likes to ask, what problem are you trying to solve?
 
The appliance firewalls user access to critical resources behind it based upon policy. The user has a client or token on his or her machine, that token is a digital fingerprint of the user identity, and tags every packet from the machine. When one of those packets hits the appliance (destined for a resource behind it) the user token is compared against policy to determine whether or not the packet should be forwarded or discarded. The goal is to set physical access policy by user rather than IP address using access lists etc.
If you are protecting a single resource (e.g. ERP system) the appliance is placed in between the switchport and the server (transparent, non-addressable interface, true GB speed). My challenge is where I want to protect multiple servers, and the switch these servers are on also supports desktop connections. In the scenario, I have no way to firmly place the appliance between the desktops and servers, other than to buy one for each server connection which would be cost prohibitive.
I am not familiar with VRFs, and don't know if this is a viable solution. This appliance is not a "hop".

Thanks-

Al


 
AEP Networks IDPoint. This is a new product which we are evaluating.

Al


 
Well if you are evaluating it I would recommend you contact your vendor and ask them how to implement it into your infrastructure.
 
Seems like you're just adding a lot of complexity when you can get the same result with FWSM, AAA, VLANs and/or VRFs based on what you're saying. I'm a bit leery if the vendor can't help with the implementation and expects you to do the integration of their product with your network. That ends up with a lot of buck passing when both vendors say their stuff works but may not interoperate and "it's the other vendor's fault". Cisco ASA can be configured as a stealth firewall or a "bump in the wire" for firewalling within a network such as a server farm; however, I'm not sure you have hierarchy since you're averse to VLANs?
 
I agree, guys. This sounds fraught with peril if the vendor isn't helping with the integration.
 
Not averse to VLANs (we do have them), and I never said the vendor wasn't helping! They have been more than helpful, but their current supported topology is a separate switch for protected resources behind the appliance, or one resource behind the appliance. They are not Cisco guys.

MY QUESTION was based on a desire to be able to capitalize on our investment; i.e. see if there was a way to "segment" our 6509 into separate switches to get the appliance in between the user blades and the server blades of the same switch.

Again, I am not familiar with any potential Cisco solution that matches what they can do (identity based policy enforcement) but we are only evaluating at this point.

Thanks.

Al


 
If you have your users and servers connected to the same 6500, I don't know how you'd be able to do this with a third-party product that is external to the switch.
 
Thanks. That was my gut feeling, but I was looking for corroboration to make sure I wasn't overlooking something.

Thanks again.

Al


 
You can use VRF lite to segment your 6k into multiple "switches". However, if you don't have experience with it I would recommend that you bring in someone who has done it before.
 
I think I see how you'd do that. Put your users in one VRF. Run a cable out to the filtering device. Run another cable from that device back onto another VRF. Is that what you're thinking of?
 
I think that would work just fine, especially if the filtering device was truly transparent. The downside would be that all of their user-to-server traffic would go through that one device. Unless it is a very speedy device with gig links, it would be a bottleneck.
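The VRF-lite layout described in the three posts above (users in one VRF, a cable out to the transparent appliance, a cable back into a second VRF holding the servers), written out as an added Cisco IOS configuration example. This is not configuration from the thread, from Cisco or from the appliance vendor; the VRF names, VLAN numbers, port numbers and addresses are assumptions chosen for illustration, and the appliance is assumed to be transparent with no IP address of its own, as the original poster describes it.

```cisco
! Added example (not from the thread): VRF-lite on a Catalyst 6500 so that
! user VLANs and server VLANs live in separate routing tables, and the only
! path between them is a physical loop through the transparent appliance.
! VRF names, VLANs, ports and addresses are assumptions for illustration.

ip vrf USERS
 rd 65000:1
ip vrf SERVERS
 rd 65000:2

! User-facing SVI lives in the USERS VRF
interface Vlan10
 description User desktops
 ip vrf forwarding USERS
 ip address 10.10.0.1 255.255.255.0

! Server-facing SVI lives in the SERVERS VRF
interface Vlan20
 description Protected servers
 ip vrf forwarding SERVERS
 ip address 10.20.0.1 255.255.255.0

! Two routed ports cabled to the appliance's two interfaces. Because the
! appliance is transparent (no IP of its own), 192.0.2.1 and 192.0.2.2
! behave like the two ends of a single point-to-point link.
interface GigabitEthernet1/1
 description To appliance, user side
 no switchport
 ip vrf forwarding USERS
 ip address 192.0.2.1 255.255.255.252

interface GigabitEthernet1/2
 description From appliance, server side
 no switchport
 ip vrf forwarding SERVERS
 ip address 192.0.2.2 255.255.255.252

! Static routes: each VRF can reach the other only over the link that
! crosses the appliance, so every user-to-server packet is inspected.
ip route vrf USERS 10.20.0.0 255.255.255.0 192.0.2.2
ip route vrf SERVERS 10.10.0.0 255.255.255.0 192.0.2.1
```

After applying it, `show ip route vrf USERS` should list the server subnet only via 192.0.2.2, and `show ip route vrf SERVERS` the user subnet only via 192.0.2.1; if any other SVI or routed port still sits in the global table with a route between the two subnets, traffic can bypass the appliance, so every user and server interface must be placed in one of the two VRFs. Note that `ip vrf forwarding` clears an interface's address, which is why it is entered before `ip address` above. The caveat from the previous post still holds: the single appliance path carries all user-to-server traffic, so its throughput and the link speed of the two ports cap that traffic.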
 
Thanks guys. I'll take a look at that.

The device is fast, two GB paths in and out, with 10 GB coming next year.

Is VRF-lite a software or feature option to the switch? Is there additional expense for it?

Thanks-

Al


 