Let me start by saying that I'm still pretty much a newbie when it comes to networking. I have studied CCNA and CCNP at my school and am now working on my final project, which is to design a basic network model that can be applied to small to medium-sized companies.
The network core devices are a Cisco Catalyst 3550 switch and a Cisco PIX 515E (7.0). The C3550 will handle the traffic inside the network, and connections outwards will go through the PIX firewall.
In the project I'm going to divide the ports in the switch into 3 different VLANs, one for each of the assumed departments of the company (production, offices, administration/servers etc.; more added if needed).
I'm making access lists for every VLAN and I am wondering: should I only use these ACLs to set what kind of traffic goes between the VLANs in the company's inside network and let the PIX handle the traffic that enters and leaves the network? Should I have an ACL in the switch already preventing some kind of traffic from going forward to the PIX?
I have found it a bit hard building access lists for both inbound and outbound VLAN traffic, as I feel I have to open a lot of ports to get the most basic traffic flowing without problems in the inside network (programs using ports > 1024 for the return traffic get their return packets blocked unless I open a lot of those higher port numbers).
Should I just limit what traffic can exit a VLAN and leave the rest of the traffic flow inspection for the PIX to handle? Will this provide enough security for the network, provided the end stations have proper software protection and the switch is secured to prevent the addition of unwanted networking devices? I'm kind of unsure about the PIX device itself, as my studies never crossed paths with it, so I never got to use it before this point.
Any views on how to handle the security at different points of the network would be greatly appreciated.
- Jouni Forss
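An added example (not the poster's configuration) of the split the question describes: the Catalyst 3550 filters only where sessions start, and the ">1024 return traffic" problem is handled with the `established` keyword instead of opening the ephemeral port range. The addressing is constructed (VLAN 10 production 10.1.10.0/24, VLAN 20 offices 10.1.20.0/24, VLAN 30 admin/servers 10.1.30.0/24, PIX inside interface 10.1.99.1 on VLAN 99), and it assumes the 3550's IOS release supports `established` in router ACLs, which should be checked against the release documentation.

```cisco
! Constructed example: the Catalyst 3550 as the inter-VLAN router. Filter only
! where sessions START (inbound on the client VLAN SVI) and let the PIX inspect
! everything that leaves the network statefully.
!
! Assumed addressing: VLAN 10 production 10.1.10.0/24, VLAN 20 offices
! 10.1.20.0/24, VLAN 30 admin/servers 10.1.30.0/24, PIX inside 10.1.99.1 (VLAN 99).
!
ip routing
!
ip access-list extended OFFICES-IN
 remark Sessions office hosts may open toward the server VLAN
 permit udp 10.1.20.0 0.0.0.255 10.1.30.0 0.0.0.255 eq domain
 permit tcp 10.1.20.0 0.0.0.255 10.1.30.0 0.0.0.255 eq www
 permit tcp 10.1.20.0 0.0.0.255 10.1.30.0 0.0.0.255 eq 443
 permit tcp 10.1.20.0 0.0.0.255 10.1.30.0 0.0.0.255 eq 445
 permit icmp 10.1.20.0 0.0.0.255 10.1.30.0 0.0.0.255 echo
 remark No direct path into the production VLAN
 deny   ip 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255
 remark Anything else goes out through the PIX
 permit ip 10.1.20.0 0.0.0.255 any
 deny   ip any any
!
! The server VLAN ACL allows REPLIES only. "established" matches TCP segments
! with ACK or RST set, so answers to the clients' ephemeral (>1024) ports pass
! without listing those ports, while a fresh SYN from a server into the office
! VLAN is dropped. UDP has no flags, so DNS replies are matched on source port 53.
ip access-list extended SERVERS-IN
 permit tcp 10.1.30.0 0.0.0.255 10.1.20.0 0.0.0.255 established
 permit udp 10.1.30.0 0.0.0.255 eq domain 10.1.20.0 0.0.0.255
 permit icmp 10.1.30.0 0.0.0.255 10.1.20.0 0.0.0.255 echo-reply
 deny   ip 10.1.30.0 0.0.0.255 10.1.20.0 0.0.0.255
 deny   ip 10.1.30.0 0.0.0.255 10.1.10.0 0.0.0.255
 permit ip 10.1.30.0 0.0.0.255 any
 deny   ip any any
!
interface Vlan20
 description Offices
 ip address 10.1.20.1 255.255.255.0
 ip access-group OFFICES-IN in
!
interface Vlan30
 description Administration and servers
 ip address 10.1.30.1 255.255.255.0
 ip access-group SERVERS-IN in
!
! Everything not local is handed to the PIX; the production VLAN gets an ACL
! built the same way as OFFICES-IN.
ip route 0.0.0.0 0.0.0.0 10.1.99.1
```

The `established` match is stateless (it only looks at TCP flags), so the switch ACLs enforce which department may talk to which service, while the PIX remains the stateful boundary for anything crossing into or out of the network.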