Firewalling Design Question

Answered Question
Mar 23rd, 2010

Hi,

Currently our network is in a hub-and-spoke topology.  At each hub site, there is a Checkpoint firewall serving as a choke point; therefore core (hub-hub) links are protected by this choke point at each hub site.

However, in a couple of months, we are migrating toward an MPLS VPN solution.  With the any-to-any nature of MPLS, there is no choke point to enforce.  Buying brand new firewalls for each spoke site (350 of them) is just not cost effective.  I have some ideas on how to firewall branch traffic in an MPLS VPN environment:

1. One idea is to run the IOS firewall at each branch site since it is already paid for.  Could we have management issues managing that many IOS firewalls?

2. Redirect all spoke traffic somewhere else, have it inspected by the firewalls, and have the firewalls spit the "clean" traffic out (no idea how to do that).

3. Enforce a hub-and-spoke topology within the MPLS cloud.  Inspect branch traffic at the data centers.  However, "dirty" traffic could still "contaminate" other spoke sites.

What's the current industry best practice for firewalling branch traffic in an MPLS VPN environment?  Any other ideas or white papers to guide me?

Thanks.

Jon Marshall Tue, 03/23/2010 - 13:37

kevin.hu wrote:

Hi,

Currently our network is in a hub-and-spoke topology.  At each hub site, there is a Checkpoint firewall serving as a choke point; therefore core (hub-hub) links are protected by this choke point at each hub site.

However, in a couple of months, we are migrating toward an MPLS VPN solution.  With the any-to-any nature of MPLS, there is no choke point to enforce.  Buying brand new firewalls for each spoke site (350 of them) is just not cost effective.  I have some ideas on how to firewall branch traffic in an MPLS VPN environment:

1. One idea is to run the IOS firewall at each branch site since it is already paid for.  Could we have management issues managing that many IOS firewalls?

2. Redirect all spoke traffic somewhere else, have it inspected by the firewalls, and have the firewalls spit the "clean" traffic out (no idea how to do that).

3. Enforce a hub-and-spoke topology within the MPLS cloud.  Inspect branch traffic at the data centers.  However, "dirty" traffic could still "contaminate" other spoke sites.

What's the current industry best practice for firewalling branch traffic in an MPLS VPN environment?  Any other ideas or white papers to guide me?

Thanks.

Kevin

The main problem is, as you have pointed out, that one of the big benefits of MPLS is any-to-any, but it's not much of an advantage when you need to firewall all traffic. I'm not going to go into why you need to firewall all traffic, I'll assume you do, but how much of a problem would spoke-to-spoke traffic be if not firewalled? Note I'm using the term spoke for reference, but obviously with MPLS any-to-any they aren't really spokes.

Your solutions -

1) Could well turn out to be a management nightmare. If you could devise a standard template with a short rule base it might work, but firewalls tend to introduce problems and 350 firewalls have the potential to introduce an awful lot of problems!

I don't know whether CSM (Cisco Security Manager) can manage IOS firewall but it may be worth looking into.

2 & 3) are actually along the same lines, i.e. make your MPLS network resemble a hub-and-spoke topology using MPLS VPNs. In effect you can emulate what you have now, with all traffic from spoke sites only being able to go to hub sites. It depends on how much spoke-to-spoke traffic you have currently.

MPLS is not just about any-to-any connectivity, there are other advantages, but it is one of the attractive options, so you will lose that functionality, but I would still look at 2/3 before 1). But that does depend on traffic patterns, i.e. how much is spoke-to-hub and how much spoke-to-spoke.

Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
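Options 2 and 3 in the thread, making the MPLS cloud behave like a hub-and-spoke network, are normally built with route targets: each spoke VRF exports a spoke RT and imports only the hub RT, the hub VRF imports both, and the hub originates a default route so that any spoke-to-spoke traffic has to transit the data-centre firewall. The following Python model is an added example, not code from the thread or from Cisco; the site names, prefixes and RT/RD values are constructed, and it goes slightly beyond the posts by also modelling a hub with no default route (spokes fully isolated) and the single-RT any-to-any case for contrast.

```python
"""Reachability model of an MPLS L3VPN hub-and-spoke design built with
route targets.  A site's VRF learns every prefix exported by a site whose
export RT it imports; forwarding is longest-prefix match on that table.
All site names, prefixes and RT/RD values are constructed for this example.
"""
from dataclasses import dataclass
import ipaddress

RT_HUB = "65000:1"    # attached to routes advertised by the hub (DC) VRF
RT_SPOKE = "65000:2"  # attached to routes advertised by every spoke VRF


@dataclass
class Site:
    name: str
    rd: str
    prefixes: list       # prefixes the site originates
    export_rt: set
    import_rt: set
    originates_default: bool = False   # hub injects 0.0.0.0/0 toward spokes


def hub(name, rd, prefixes, default=True):
    # Hub imports what spokes export plus the hub RT (keeps hub-hub links).
    return Site(name, rd, prefixes, {RT_HUB}, {RT_HUB, RT_SPOKE}, default)


def spoke(name, rd, prefixes):
    # Spoke imports only the hub RT, so it never learns another spoke directly.
    return Site(name, rd, prefixes, {RT_SPOKE}, {RT_HUB})


def build_tables(sites):
    """Return {site: [(network, origin_site)]} after route-target import."""
    local, advertised = {}, []
    for s in sites:
        nets = [ipaddress.ip_network(p) for p in s.prefixes]
        if s.originates_default:
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        local[s.name] = [(n, s.name) for n in nets]
        advertised += [(n, s.name, s.export_rt) for n in nets]
    return {s.name: local[s.name] + [(n, o) for n, o, rts in advertised
                                     if o != s.name and rts & s.import_rt]
            for s in sites}


def lookup(table, dst):
    """Longest-prefix match; returns (network, origin_site) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(n, o) for n, o in table if addr in n]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def forwarding_path(sites, src, dst, max_hops=8):
    """Site-level path a packet takes from src to dst, or None if unroutable."""
    tables = build_tables(sites)
    path, current = [src], src
    for _ in range(max_hops):
        hit = lookup(tables[current], dst)
        if hit is None:
            return None
        net, origin = hit
        if origin == current:
            # A locally originated prefix means delivery; matching only the
            # hub's own default route means the hub has nowhere to send it.
            return path if net.prefixlen > 0 else None
        path.append(origin)
        current = origin
    return None  # loop guard


def passes_choke_point(path, hub_name):
    """True when the path transits the hub, i.e. the data-centre firewall."""
    return path is not None and hub_name in path


def render_vrf(site):
    """IOS-style VRF definition for the site's PE router (constructed values)."""
    lines = [f"vrf definition {site.name}", f" rd {site.rd}", " address-family ipv4"]
    lines += [f"  route-target export {rt}" for rt in sorted(site.export_rt)]
    lines += [f"  route-target import {rt}" for rt in sorted(site.import_rt)]
    return "\n".join(lines)


# Constructed topology: one hub (the DC) and two of the 350 spokes.
SITES = [hub("HUB-DC", "65000:1", ["10.0.0.0/16"]),
         spoke("SPOKE-A", "65000:101", ["10.1.0.0/24"]),
         spoke("SPOKE-B", "65000:102", ["10.2.0.0/24"])]

# Same sites with no default route from the hub: spokes are fully isolated.
ISOLATED = [hub("HUB-DC", "65000:1", ["10.0.0.0/16"], default=False)] + SITES[1:]

# Same sites sharing one RT: plain any-to-any, no choke point anywhere.
ANY_TO_ANY = [Site(s.name, s.rd, s.prefixes, {"65000:9"}, {"65000:9"}) for s in SITES]

if __name__ == "__main__":
    print(forwarding_path(SITES, "SPOKE-A", "10.2.0.9"))       # via HUB-DC
    print(forwarding_path(ISOLATED, "SPOKE-A", "10.2.0.9"))    # None
    print(forwarding_path(ANY_TO_ANY, "SPOKE-A", "10.2.0.9"))  # direct
    print(render_vrf(SITES[1]))
```

The model makes Kevin's caveat on option 3 concrete: with the hub's default route, spoke-to-spoke traffic is still delivered, but every such flow shows up in the path as transiting HUB-DC, so the data-centre firewall sees it; drop the default and spokes cannot reach each other at all; share a single RT and the path goes spoke to spoke directly with nothing in between.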

kevin.hu Tue, 03/23/2010 - 13:42

Jon,

How do you do firewalling in your company?  Just in the data centers?

Thanks!

Correct Answer
Jon Marshall Tue, 03/23/2010 - 14:23

kevin.hu wrote:

Jon,

How do you do firewalling in your company?  Just in the data centers?

Thanks!

Kevin

Yes, the last company I worked for used FWSM to firewall in DCs because that is where the vast majority of traffic from remote sites was going. We didn't firewall between remote sites except in circumstances where there was a sensitive protected network in a remote site. But that was us and your security requirements may differ significantly.

I have come across companies where there is a lot of inter-departmental and inter-site firewalling but you usually find they have a sizeable security/network security dept. to cover the amount of work involved.

Jon

Correct Answer
sean_evershed Wed, 03/24/2010 - 05:08

Hi Kevin,

If you were looking for some white papers have you consulted the Design Zone for Security?

It outlines best practices for a secure branch, secure campus, secure data centre etc.

http://www.cisco.com/en/US/netsol/ns744/networking_solutions_program_home.html

My experience is similar to Jon's in that one of the companies I worked for firewalled the core infrastructure in the data centre only. Branches were considered to be trusted sites.

kevin.hu Wed, 03/24/2010 - 07:09

Thanks Jon and Sean.  It helps me understand what everyone else is doing to secure their branches.  I am looking at possibly using Cisco Security Manager 4.0 to manage IOS FWs, like Jon suggested.
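Option 1, which Kevin settles on here with Cisco Security Manager, only stays manageable if every branch runs the same short rule base, as Jon noted. The Python script below is an added example and not code from the thread or from Cisco: it renders one standard IOS zone-based firewall policy per site from an inventory and then reports drift between that policy and a router's running config, which is the check a central tool has to run across 350 routers to catch a locally widened rule base. The inventory, prefixes, interface names, ACL and zone names and the sample running config are all constructed.

```python
"""Template-driven IOS zone-based firewall policy for a fleet of branch
routers, plus a drift check against a router's running config.  Rendering
one short, identical rule base per site keeps 350 firewalls reviewable;
the drift check catches local edits that widen it.

Constructed for this example: the site inventory, prefixes, interface
names and the sample running config are all made up.
"""

DC_NET, DC_WILDCARD = "10.0.0.0", "0.0.255.255"   # data-centre range (constructed)
# Blocks that form the rule base: any extra line here is a policy change.
STRICT_BLOCKS = ("ip access-list", "class-map", "policy-map", "zone-pair")


def render_branch_policy(lan_net, lan_wildcard,
                         lan_if="GigabitEthernet0/0", wan_if="GigabitEthernet0/1"):
    """IOS ZBF config: the LAN may open sessions only toward the DC; there is
    no WAN->LAN zone-pair, so inbound sessions from the MPLS side are dropped."""
    return "\n".join([
        "ip access-list extended LAN-TO-DC",
        f" permit ip {lan_net} {lan_wildcard} {DC_NET} {DC_WILDCARD}",
        "zone security LAN",
        "zone security WAN",
        "class-map type inspect match-all BRANCH-TO-DC",
        " match access-group name LAN-TO-DC",
        "policy-map type inspect LAN-TO-WAN",
        " class type inspect BRANCH-TO-DC",
        "  inspect",
        " class class-default",
        "  drop log",
        "zone-pair security LAN-WAN source LAN destination WAN",
        " service-policy type inspect LAN-TO-WAN",
        f"interface {lan_if}",
        " zone-member security LAN",
        f"interface {wan_if}",
        " zone-member security WAN",
    ])


def parse_blocks(config):
    """Split an IOS config into {top-level line: [child lines]}.  Nested
    indentation is flattened; that is enough for a line-set comparison."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks


def drift(expected, running):
    """List differences between the rendered policy and the running config.
    Missing lines are reported for every block; extra lines only for the
    rule-base blocks, since interfaces legitimately carry other commands."""
    exp, run = parse_blocks(expected), parse_blocks(running)
    findings = []
    for head, children in exp.items():
        if head not in run:
            findings.append(f"missing: {head}")
            continue
        findings += [f"missing under '{head}': {c}" for c in children if c not in run[head]]
        if head.startswith(STRICT_BLOCKS):
            findings += [f"unexpected under '{head}': {c}" for c in run[head] if c not in children]
    return findings


# Constructed inventory: site -> (LAN network, wildcard mask).
INVENTORY = {"BR-0042": ("10.42.0.0", "0.0.0.255")}

# Constructed running config of BR-0042 after someone "fixed" a problem on
# site: a permit-any rule was added, the zone-pair is gone and the WAN
# interface was removed from its zone.
SAMPLE_RUNNING = """\
hostname BR-0042
!
ip access-list extended LAN-TO-DC
 permit ip 10.42.0.0 0.0.0.255 10.0.0.0 0.0.255.255
 permit ip any any
zone security LAN
zone security WAN
class-map type inspect match-all BRANCH-TO-DC
 match access-group name LAN-TO-DC
policy-map type inspect LAN-TO-WAN
 class type inspect BRANCH-TO-DC
  inspect
 class class-default
  drop log
interface GigabitEthernet0/0
 ip address 10.42.0.1 255.255.255.0
 zone-member security LAN
interface GigabitEthernet0/1
 ip address 192.0.2.42 255.255.255.252
"""


def audit_site(site):
    """Render the standard policy for a site and diff it against the sample."""
    return drift(render_branch_policy(*INVENTORY[site]), SAMPLE_RUNNING)


if __name__ == "__main__":
    for finding in audit_site("BR-0042"):
        print(finding)
```

Keeping the ACL, class-map, policy-map and zone-pair names identical on every router is what makes the comparison cheap: only the one permit line carries per-site values, so a drift report that mentions anything else is a real policy change rather than inventory noise.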
