
VLANs and Firewalls


chenn

Technical User
Nov 9, 2000
DE
Hi,
I'm trying to reorganize some VLAN structure and create a standard firewall structure with DMZ and internal zone while respecting the current VLAN configuration. The problem is the placement of the firewalls, as there seem to be heaps of possibilities. Does anyone out there know some best advice practices or online documents for these network structures (VLAN + FW)?
Like should the FW be 802.1q aware? Is it recommended to have the FW reach into each VLAN (transparent)?

Thanks a lot in advance!
Regards
chenn
 
For the highest level of security it is best for the firewall to have no direct connection to your LANs. The firewall is connected to the Internet & a DMZ (standalone LAN). You then use a dual-homed proxy server (1 interface in LAN & 1 interface in DMZ) for LAN to Internet access.
Do the same as the proxy for VPN servers, Citrix, web servers, etc.

###INTERNET###
|
|
##FW##
|
|
~~~~~~DMZ LAN~~~~~
|
##PROXY###
|
~~~~~~USER LANS~~~~



With this configuration you protect all your LANs from the Internet. Although it is a little restrictive, it will allow you to use a cheap firewall with only 2 interfaces etc. (Checkpoint license their software based on the number of IP addresses on the secure side; the jump from 100 users to the enterprise version is mucho $$$$$$)

If this is no good, use 1 interface on the firewall to host your DMZ services and the other for your LAN access to the Internet. (Just make sure your rules/policy on the user LANs is very tight.)

Cheers

Mark
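
Added example, not part of the original thread: a small Python model of the two layouts in the reply above, listing which forwarding devices a routed packet crosses between the Internet and the user LANs, and what opens up if the dual-homed proxy is ever set to route. Device and segment names, and the reading of the second layout as one firewall with a DMZ leg and a LAN leg, are assumptions.

```python
from collections import deque

# Constructed models of the two layouts in the reply. Device and segment
# names are assumptions; "forwards" means the box routes packets between
# its interfaces (a proxy relays at application level and does not).
PROXY_DESIGN = {
    "fw": {"segments": ["internet", "dmz"], "forwards": True},
    "proxy": {"segments": ["dmz", "user_lan"], "forwards": False},
}
# Assumed reading of the fallback: one firewall with a DMZ leg and a LAN leg.
DIRECT_DESIGN = {
    "fw": {"segments": ["internet", "dmz", "user_lan"], "forwards": True},
}


def routed_paths(devices, src, dst):
    """Return each loop-free chain of forwarding devices joining src to dst."""
    paths, queue = [], deque([(src, [])])
    while queue:
        segment, hops = queue.popleft()
        if segment == dst:
            paths.append(hops)
            continue
        for name, dev in devices.items():
            if name in hops or not dev["forwards"] or segment not in dev["segments"]:
                continue
            queue.extend((nxt, hops + [name]) for nxt in dev["segments"] if nxt != segment)
    return paths


def audit(devices, src="internet", dst="user_lan"):
    """Report routed paths now, and paths opened if a dual-homed host routes."""
    current = routed_paths(devices, src, dst)
    fragile = {}
    for name, dev in devices.items():
        if dev["forwards"] or len(dev["segments"]) < 2:
            continue
        trial = {**devices, name: {**dev, "forwards": True}}
        opened = [p for p in routed_paths(trial, src, dst) if p not in current]
        if opened:
            fragile[name] = opened
    return {"routed_paths": current, "opens_if_forwarding_enabled": fragile}


if __name__ == "__main__":
    for label, design in (("proxy", PROXY_DESIGN), ("direct", DIRECT_DESIGN)):
        print(label, audit(design))
```

In the proxy layout the audit finds no routed path to the user LANs, so keeping IP forwarding off on the proxy host is the control that layout depends on; in the direct layout the firewall policy is the only one.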


