ASA - DMZ vs. VPN site-to-site

Unanswered Question
Jun 17th, 2008

Hi all I have an interesting situation and I need to know which solution is better from security standpoint.

In effect we have 2 networks that will run side by side with each other (picture named Option1) but with no physical connection (they are both in the same physical location). It was previously thought that those 2 networks shouldn't have any direct physical contact between them, and when we need to connect to the servers from the core network we will use a VPN site-to-site to connect for uploading, administration, etc. to improve security.

But now we are thinking of something else. We are thinking of creating a DMZ on the ASA of the core network and connecting to the server network through that DMZ for the uploading/administration purposes (picture named Option2). The server network will still access the internet through its routers, users from the internet will use internet links from the server network to access the servers, and the only communication between the 2 networks will be from the core network for the upload/administration purposes. Nothing will be allowed from the server network to the core network.

Which solution will work better and is more secure in your opinion? They both seem to have equal merit. Any help is appreciated.

Farrukh Haroon Tue, 06/17/2008 - 18:50

Option 1 is pretty bad design IMHO. You have to always balance between security and accessibility. Why would you use a VPN from the internet and 'trust' that over a direct link between the ASAs connected over the same physical location? Also it would be bandwidth intensive.

Option 2 also needs to be modified. Remove the new link you added in option 2. Instead add a link interconnecting the two ASAs directly (this way you have one more filtering point).

Then on your server ASA add a separate DMZ zone. The servers requiring internet access should be placed there. All other servers should remain on the 'inside' zone. On the server ASA, put an ACL on this new interface which interconnects the two ASAs, allowing only management/other desired traffic.
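As an added illustration (not configuration posted in this thread), this is what the server-side ASA could look like under the layout described above: a direct inter-ASA link, a separate DMZ for the internet-facing servers, an ACL on the interconnect that permits only management traffic from the core, and nothing initiated from the server side toward the core. All interface names, addresses and ports are assumed placeholders.

```cisco
! Server-side ASA (example only; addresses and names are assumed placeholders)
! inside = servers with no internet exposure, dmz = internet-facing servers,
! core-link = the direct cable to the core ASA (replaces VPN / core-DMZ link)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.20.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.30.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif core-link
 security-level 40
 ip address 10.255.0.2 255.255.255.252
!
! Only the core's management hosts may open sessions, and only to management ports
object-group network CORE_MGMT_HOSTS
 network-object 10.10.10.0 255.255.255.0
object-group network SERVER_NETS
 network-object 172.16.20.0 255.255.255.0
 network-object 172.16.30.0 255.255.255.0
object-group service MGMT_PORTS tcp
 port-object eq ssh
 port-object eq https
 port-object eq 3389
access-list CORE_IN extended permit tcp object-group CORE_MGMT_HOSTS object-group SERVER_NETS object-group MGMT_PORTS
access-list CORE_IN extended deny ip any any log
access-group CORE_IN in interface core-link
!
! Nothing initiated from the server side may reach the core; replies for sessions
! the core opened are handled by stateful inspection, not by these lines
object-group network CORE_NETS
 network-object 10.0.0.0 255.0.0.0
access-list SERVERS_OUT extended deny ip any object-group CORE_NETS log
access-list SERVERS_OUT extended permit ip any any
access-group SERVERS_OUT in interface inside
access-group SERVERS_OUT in interface dmz
!
! Check the policy without sending real traffic: first should be allowed, second dropped
packet-tracer input core-link tcp 10.10.10.5 40000 172.16.20.10 22
packet-tracer input inside tcp 172.16.20.10 40000 10.10.10.5 22
```

The explicit `deny ... log` entries are what give you a record of anything unexpected trying to cross the interconnect in either direction.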
