DMZ Topology change

gregbeifuss · ‎08-25-2009

I've inherited a DMZ network that doesn't follow good security principles. Some hosts in the DMZ are dual-homed and the 2nd network connection is directly on the internal network:

Internal --- ASA ----- Internal Network

| |

L-----------DMZ

(The DMZ is directly connected to the ASA as well but I can't draw it clearly)

What I'd like to do is reconfigure it so I have a dual-firewall setup:

Internal---ASA---DMZ---ASA---Internet

I'm having a difficult time conceptualizing a plan of attack for this work. Can anyone give me their overview on how they'd tackle this task?

Thanks in advance,

Greg

Jon Marshall · ‎08-25-2009

Greg

Are you proposing to buy another firewall ?

Do you have a proxy server in the DMZ for internal clients to access the Internet ?

Jon

gregbeifuss · ‎08-26-2009

I have a 2nd ASA already on hand that I'd like to use.

Internet surfing for our internal clients is handled by a different ISP link/firewall pair. The setup I'm looking to change is only the DMZ for hosted services. Internet requests for our websites/mail need to come in, and the DMZ hosts need to communicate with the back-end internal servers.

Jon Marshall · ‎08-26-2009

Greg

Okay, then it is relatively easy to do as you do not need a direct path between your internal and external ASAs.

Basically what happens is that each server is on 2 vlans.

There is a vlan that is connected to the external ASA and it is on this vlan that requests from the Internet arrive at the servers.

Then there is a vlan that is connected to the internal ASA and it is on this vlan that the servers make connections to your back-end servers inside your network.

You can use multiple vlans ie. you dont have to have just one external vlan and one internal vlan - its up to you.

Key thing is to make sure you disable IP routing on the servers.

Jon