Server isolation

Answered Question
Jan 27th, 2009

Greetings,

We are looking into isolating our servers in our data center and would like your thoughts on the best way to approach this. We have a mesh network (MPLS) with 14 remote locations and a data center. The data center network ID is 10.10.110.0 and the servers I'd like to isolate are in that network range (along with PCs and printers).

I'm thinking that what we would need to do is assign one of our switches to be used just for servers, assign that switch (and the servers) IP addresses different from the data center (like 10.10.111.x) and connect the isolated network with the data center via a multi-homed router. That connection would allow us a 'choke point' that we could either set up with a firewall or IPS.

Thanks,

Chris

Jon Marshall Tue, 01/27/2009 - 11:55

Chris


Certainly putting the servers on their own subnet makes a lot of sense and makes it much easier to apply security policies etc. What you might want to consider is leaving the servers on the 10.10.110.x network and readdressing printers/PCs, as these are usually less susceptible to hard-coded IP addresses within applications. Just a suggestion.


As for firewalling/IPS, it depends on the throughput needed and the current network devices in use in the data centre. Just be aware that firewalling at least introduces additional latency, so you need to factor this in. Basically, just don't put the servers behind a firewall that cannot keep up with the traffic.


Jon

christopher_hal... Tue, 01/27/2009 - 12:11

Thanks for the quick reply, Jon. I too was thinking about PC/printer readdressing... it would certainly be easier. The main goal for the project would be to isolate the servers and create a 'choke point' (while not choking ourselves). Would my assumptions be correct about needing a router to handle moving traffic between the servers and PCs/printers? So, physically, it would be router (WAN traffic) ==> Switch1 (servers) ==> router (internal) ==> Switch2-4 (PCs/printers).

Jon Marshall Tue, 01/27/2009 - 12:14

Chris


What type of switches are you currently using? You only need a router if you don't already have an L3 switch.


Also bear in mind that a firewall can route between subnets as well as a router, although a router supports more routing protocols etc. And to complicate things even more :-), you can load a firewall feature set on a router as well!


Which devices do you currently use?

What is the level of expertise in your company in terms of IOS vs ASA/PIX firewalls?


Jon

christopher_hal... Tue, 01/27/2009 - 12:21

Actually, we do have an L3 switch. We're using 3560s. I've been working with IOS for several years at this point, though it's one of many hats I wear ;P And I have worked with the old 515E PIX, though that was a couple of years ago. We would actually use an IPS... currently it's in passive mode, which only provides us with alerting. Creating this choke point would allow us to put the device in in-line mode, which would allow us to remediate (drop traffic, etc., based on rulesets). Not sure if the IPS would handle any routing.


Chris

Jon Marshall Tue, 01/27/2009 - 12:37

Chris


You could simply create a new VLAN on your 3560 switch and use the 3560 to route between them. At a basic level you could use ACLs on the 3560 VLAN interfaces to control traffic to the server VLAN.


That is basic-level security. I don't have a huge amount of experience of IPS, but you may well be able to put it inline in transparent mode so the server VLAN is still routed off the 3560 but the traffic has to go through the IPS to get to the servers.


Then your next step is to look at a firewall that connects to the 3560, and the 3560 then routes to the outside of the firewall. The servers are on the inside of the firewall. You would either need another switch for the servers, or you could use a VLAN on the 3560 but not route it on the 3560, i.e. the L3 interface for the servers is on the firewall.


There are, as you can see, a number of options. Perhaps the best thing to begin with is to decide the level of security you need for the servers, i.e. would ACLs on the 3560 be a good start? And also, if you are looking to purchase an additional firewall/router, is there additional functionality you would need/like from the device?


That should help you narrow down your options.


Jon
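One way to implement the "new VLAN on the 3560 plus ACLs on the SVI" option from the reply above, as an added example that is not from the thread. It uses the subnets Chris mentioned (10.10.110.0/24 for PCs/printers, 10.10.111.0/24 for servers); the VLAN numbers, interface names, ACL name and the permitted services are assumptions to be replaced with the site's own.

```cisco
! Added example (not from the thread): Catalyst 3560 routing between the
! PC/printer VLAN and an isolated server VLAN, with a router ACL on the
! server SVI as the "choke point". VLAN ids, ports and services are assumed.
ip routing
!
vlan 110
 name pcs-printers
vlan 111
 name servers
!
! Existing data center subnet stays on VLAN 110 (PCs and printers).
interface Vlan110
 description PCs and printers
 ip address 10.10.110.1 255.255.255.0
!
! Isolated server subnet. The ACL is applied outbound on this SVI, so it
! checks every packet the switch routes INTO the server VLAN, whatever the
! source (local PC VLAN or the WAN router), without touching server-to-PC
! return traffic, which leaves via Vlan110 and is not filtered there.
interface Vlan111
 description Isolated servers
 ip address 10.10.111.1 255.255.255.0
 ip access-group TO-SERVERS out
!
! Access ports for the servers (assumed port range).
interface range GigabitEthernet0/1 - 8
 description server ports
 switchport mode access
 switchport access vlan 111
!
! Stateless allow-list: only the services the PCs actually need reach the
! servers; everything else is dropped. Extend per application.
ip access-list extended TO-SERVERS
 remark HTTPS, SMB and DNS from the PC/printer subnet to the servers
 permit tcp 10.10.110.0 0.0.0.255 10.10.111.0 0.0.0.255 eq 443
 permit tcp 10.10.110.0 0.0.0.255 10.10.111.0 0.0.0.255 eq 445
 permit udp 10.10.110.0 0.0.0.255 10.10.111.0 0.0.0.255 eq 53
 remark Echo only, so basic reachability checks still work
 permit icmp 10.10.110.0 0.0.0.255 10.10.111.0 0.0.0.255 echo
 remark Catch-all deny; the implicit deny would drop these silently
 deny   ip any any
```

After applying it, `show ip access-lists TO-SERVERS` shows per-entry match counts, which is the quickest way to see which services the PCs are actually using before tightening the list further. Note that a router ACL is stateless and filters only in the direction it is applied; nothing here restricts what the servers themselves may initiate toward the PC VLAN, which is the gap an inline IPS or firewall would later close.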

Correct Answer
Jon Marshall Tue, 01/27/2009 - 13:36

Chris


No problem. Didn't want to make the decision harder :-). If you have further queries later on please come back.


Jon
