Designing a network model

Jouni Forss · ‎05-23-2007

Hi,

Let me start saying that im pretty newbie still considering networking. I have studied CCNA and CCNP in my school and am now working on my final work which is to design a basic network model that can be applied into small to medium sized companies.

The network core devices are a Cisco Catalyst 3550 Switch and a Cisco PIX 515E (7.0) The C3550 will handle the traffic inside the network and connection outwards will go trough PIX Firewall.

In the work im going to divide the ports in the switch to 3 different VLANs that will be for the assumed different departments of the company. (production,offices,administration/servers etc more added if needed)

Im making Access-lists for every VLAN and I am wondering should I only use these ACLs to set what kind of traffic goes between the VLANs in the companys inside network and let PIX handle the traffic that enters and leaves the network? Should i have an ACL in the switch already preventing somekind of traffic going forward to the PIX?

I have found it abit hard building access-lists for both inbound and outbound VLAN traffic as i feel i have to open alot of ports to get the most basic traffic flowing without problem in the inside network.(Programs using ports > 1024 in the return traffic getting blocked in the return packets, unless i open alot of those larger port numbers)

Should i just limit what traffic can exit a VLAN and leave the rest of traffic flow inspection for PIX to handle? Will this provide enough security to the network provided the end stations have proper software protection and the switch is secured to prevent adding of unwanted networking devices. Im kind of unsure of the PIX device itself as my studies never crossed path with it so never got to use it before this point.

Any views on how to handle the security in different points of the network would be greatly appriciated.

- Jouni Forss

Jon Marshall · ‎05-23-2007

Hi

Firstly you need to decide what type of internal traffic can flow between your internal vlans. For maximum security you can tie down all traffic both inbound and outbound on each vlan interface but this is quite a detailed and complex process. What is the main driver to restrict traffic between your vlans. ( Note that we are not talking about traffic coming from and going to the pix yet, just traffic going between your internal vlans )

If you do need to restrict what traffic can go between vlans then you could just restrict what traffic can exit the vlan destined for another internal vlan.

As far as your pix is concerned this should be your main point of security from the outside world as it is a dedicated firewall device. You should limit not just what can come in from the outside but also what can be sent from your internal vlans to the outside. Let the pix handle any traffic that is not inter-vlan traffic within your network.

Put simply what are your major concerns - inter-vlan traffic or traffic to and from the outside.

If inter-vlan traffic really is a major concern then you should to firewall the vlans internally. This may well be overkill for your environment but only you can say.

Hope this helps, please come back with any more questions

Jon

Jouni Forss · ‎05-24-2007

Thanks for the fast reply,

As we havent gone indepth with securing a network in our studies I feel the need to find as much info on the best practices to secure a network. All our studies have given a pretty narrow look into the ways to do that.

Im pretty sure i will go with applying outbound traffic ACLs to each VLAN and after the switch has been secured will move onto configuring the PIX.

Basicly the main idea is to have all the different departments connect to the server

VLAN for resources. Only the office and admin/server VLAN will have connection to outside world. This is ofcourse just a basic idea to start building the configuration on and the ACLs would probably change depending on the real life application situation.

Also one point was to build a possibility for VPN connections to the server VLAN from outside world which is another thing i need to get into after the switch. These connection would be coming from perhaps home office or such places with DSL connection to perform some remote management on the servers and such.

The customers using this type of network model would be mostly behind slow connections and there wouldnt be any high load traffic going out or inside the network. (DSL etc connections)

By reading info on the PIX i presume that in this situation it would be best to use it in Transparent mode between the C3550 and the DSL modem in question. Or maybe use PIX in routed mode and configure the outside interface to get its IP address with DHCP from the DSL modem? Or maybe some static configuration would be better there.

One thing i would like to know about the PIX is that does it have some basic settings that would make it possible to basicly insert it to the network and it would provide some basic protection already? I guess if theres some good base that i could start building the configuration suited for the network in question.

I find myself lacking alot of basic information concerning Firewalls/PIX even though it should be really essential in my studies. Thats why i would like to know how much does PIX ability to keep the network secured depend on the the right type of configuration or does it perform most of its measures to intercept harmfull traffic automatically with some built in methods? (Not really sure on my choice of words)

I guess at this point i would really appriciate any tips that any of you expirienced PIX users could give me to set me on way configuring my firewall to provide sufficient protection for the network.

- Jouni Forss