04-01-2009 08:08 AM - edited 03-11-2019 08:13 AM
Is it possible to create the following design:
1) Multiple Contexts: Customer Internal Network; Business Partner A, Business Partner B
2) Customer net can talk to Business Partner A and B (from the inside)
3) Business Partners can't talk to each other.
If this is possible, am I gaining any additional security with using this type of context design vs. putting the business partner connectivity in DMZ interfaces and using ACLs?
04-01-2009 01:27 PM
Is there a specific reason why you would not have a single context and use a different interface for Internal, BP-A, and BP-B? It's possible to do it with multiple contexts, but I think it would be easier to do it with a single context.
Hope that helps.
04-02-2009 04:51 AM
No specific reason. My reasoning (which may be convoluted or completely off) was to give each business partner the security of being separated by a virtual firewall from one another. It's not a strict requirement, but more of a design "thought" I had when reviewing the functionality of contexts. It sounds like I'm making it more complicated than it needs to be?
04-02-2009 06:11 AM
I can understand your thinking, but IMO using a single context can be just as secure. I only use multiple contexts when necessary. Also keep in mind that you cannot use VPN with multiple contexts.
04-02-2009 06:35 AM
Hi Colin - Thanks for the feedback. I've had similar feedback from other engineers I spoke with offline. I will very likely go back to the single context mode. Would you suggest using DMZs as part of the design?
04-02-2009 06:42 AM
Absolutely. I would create a new DMZ for each customer. Use 'inside' for your internal network and 'outside' for the public network if you have that connection.
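The single-context design suggested above, written out as an added example (not configuration posted by anyone in the thread): one DMZ interface per partner at the same security level, with interface ACLs that let the internal network initiate to either partner while each partner is denied the other partner and the inside. Interface names, addresses and the HTTPS port are assumed; NAT is omitted.

```cisco
! Added example: single-context ASA, one DMZ per business partner.
! Addresses and interface names below are constructed, not from the thread.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz-bpa
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif dmz-bpb
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
! Leave "same-security-traffic permit inter-interface" unset: with both
! DMZs at level 50 the ASA drops partner-to-partner traffic by default.
! The ACLs below state that policy explicitly so it survives a later
! change of security levels, and log any attempt for detection.
!
! Partner A may only answer sessions the inside opened (stateful return
! traffic needs no ACL entry); it may initiate nothing.
access-list DMZ-BPA-IN extended deny ip any 192.168.20.0 255.255.255.0 log
access-list DMZ-BPA-IN extended deny ip any 10.1.0.0 255.255.0.0 log
access-list DMZ-BPA-IN extended deny ip any any
access-group DMZ-BPA-IN in interface dmz-bpa
!
access-list DMZ-BPB-IN extended deny ip any 192.168.10.0 255.255.255.0 log
access-list DMZ-BPB-IN extended deny ip any 10.1.0.0 255.255.0.0 log
access-list DMZ-BPB-IN extended deny ip any any
access-group DMZ-BPB-IN in interface dmz-bpb
!
! Inside may open HTTPS to either partner; anything else toward a DMZ is
! denied and logged, and remaining traffic is allowed out to the Internet.
access-list INSIDE-IN extended permit tcp 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0 eq 443
access-list INSIDE-IN extended permit tcp 10.1.0.0 255.255.0.0 192.168.20.0 255.255.255.0 eq 443
access-list INSIDE-IN extended deny ip any 192.168.10.0 255.255.255.0 log
access-list INSIDE-IN extended deny ip any 192.168.20.0 255.255.255.0 log
access-list INSIDE-IN extended permit ip 10.1.0.0 255.255.0.0 any
access-group INSIDE-IN in interface inside
```

After applying it, `show access-list DMZ-BPA-IN` and `show access-list DMZ-BPB-IN` should show hit counts only on the deny lines, and `packet-tracer input dmz-bpa tcp 192.168.10.5 1024 192.168.20.5 443` should end in a drop.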