Firewall Placement

[DanielBowen]

At present I have a Cat5500 with integrated RSM connecting to the Internet. I then have three VLANs coming out of the Cat5500 8, 80 and 88. VLAN 8 is the DMZ with mail and

http://www servers.

Given this basic design, where would be the best position for a Firewall?

Thanks in advance

Daniel,

 

[DTrix]

Your description is rather vague, but I will give it a shot. The firewall should physically sit in between your border router and your network. Kinda like this:

(WAN CLOUD)---(Border Router)---(FW)---(LAN)
|
|
(DMZ)

This design forces all traffic to be subjected to security policies installed on the firewall.

Your implementation sounds interesting. You may want to try something like this:
Internal
Addressing
|
(WAN CLOUD)---(Border Router)---(FW)---(LAN-VLANX)
| |
External |
Addressing (DMZ-VLAN8)

Thing is, because a firewall works on layer-3, each interface has to be on a seperate subnet. Therefore, each segment attached to the router needs to be on seperate subnets.

Hope this helps.

-D

 

[DanielBowen]

Would this work?

(Internet)----(Border Router)----(FW)----(LAN)
/
(DMZ)

Daniel,

 

[Guest_imported]

Daniel,

It's strongly recommended to put your DMZ on a unique interface of your Firewall.

The standard setup will be one interface for the Internet, One interface for the Private network (Internal) and one interface for the DMZ.

As for your catalyst5500. You mentionned 3 VLANs, I recommend 3 different Switch indepently connected from each other. Why ? Well a switch visible from the Internet could be attacked and reconfigure to bypass the firewall and jump right in the internal.

For the most secure configuration, only run a reverse cable between your ISP router and the Firewall. This way a DOS can't be done on a switch in front of the FW. Your only point of failure before your enforcement point will be your ISP's router of which you do not have responsability.

You can always put a cheap HUB between the ISP's router and the FW for management and testing purposes, but this is about it.

 

[mavenccie]

Internal
Addressing
|
(WAN CLOUD)---(Border Router)---(FW)---(LAN-VLAN80 and 88)
| |
External |
Addressing |
and NAT |
(DMZ-VLAN8)

If you still wanted to use your 5500 for DMZ connectivity, it can be accomplished by the following:
1)Put your DMZ Servers and the DMZ interface of the Firewall in VLAN 8
2)Type into the RSM, no interface VLAN8 or no shut int vlan8.
(This will disable routing of the VLAN8 on the RSM, thus only using the 5500 for Layer 2 connectivity and won't have Layer 3 connectivity to your internal LAN through the RSM, but rather through the Firewall) Do you catch my drift?
3)Now have your servers point to the firewall as their gateway.
Sidenote-Don't use a trunk port(especially 802.1q) to the firewall or to any ports important for layer2/3 separation in your security model. This is because there are some flaws in how certain switches handle VLAN tags that could allow a device in one VLAN to send a packet to another VLAN by adding the appropriate VLAN tag. The 6000 series is immune to this problem, but not sure about the 5000.