Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
570
Views
0
Helpful
5
Replies

Firewalling Design Question

Go to solution
kevin.hu
Level 3
Level 3

‎03-23-2010 01:22 PM - edited ‎03-11-2019 10:25 AM

Hi,

Currently our network is in a hub-and-spoke topology.  At each hub site, there is a Checkpoint firewall serving as a choke point; therefore core (hub-hub) links are protected by this choke point at each hub site.

However, in a couple month, we are migrating toward MPLS VPN solution.  With any-to-any nature of MPLS, there is no choke point to enforce.  Buying brand new firewalls for each spoke sites (350 of them) is just not cost effective.  I have some ideas on how to firewalling branch traffic in MPLS VPN environment:

1. An idea is to run IOS firewall at each branch site since it is already paid for.  Could we have management issue to manage that many IOS firewalls?

2. Redirect all spoke traffic to somewhere else, inspect by the firewalls, and firewalls spit the "clean" traffic out (no idea how to do that).

3. Enforce hub-and-spoke topology within MPLS cloud.  Inspect branch traffic at the data centers.  However, "dirty" traffic could still "contiminates" other spoke sites.

What's the current industry best practice to firewalling branch traffic in MPLS VPN environment?  Any other ideas or white papers to guide me?

Thanks.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to kevin.hu

‎03-23-2010 02:23 PM 

kevin.hu wrote:
Jon,
How do you do firewalling in your company?  Just in the data centers?
Thanks!

Kevin

Yes, last company i worked for we used FWSM to firewall in DCs because that is where the vast majority of traffic from remote sites was going. We didn't firewall between remote sites except in circumstance where there was a sensitive protected network in a remote site. But that was us and your security requirements may differ significantly.

I have come across companies where there is a lot of inter-departmental and inter-site firewalling but you usually find they have a a sizeable security/network security dept. to cover the amount of work involved.

Jon

View solution in original post

0 Helpful

Go to solution
sean_evershed
Level 7
Level 7

‎03-24-2010 05:08 AM

Hi Kevin,

If you were looking for some white papers have you consulted the Design Zone for Security?

It outlines best practices for a secure branch, secure campus, secure data centre etc.

http://www.cisco.com/en/US/netsol/ns744/networking_solutions_program_home.html

My experience is similar to Jon's in that one of the company's I worked for firewalled the core infrastructure in the data centre only. Branches were considered to be trusted sites.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-23-2010 01:37 PM 

kevin.hu wrote:
Hi,
Currently our network is in a hub-and-spoke topology.  At each hub site, there is a Checkpoint firewall serving as a choke point; therefore core (hub-hub) links are protected by this choke point at each hub site.
However, in a couple month, we are migrating toward MPLS VPN solution.  With any-to-any nature of MPLS, there is no choke point to enforce.  Buying brand new firewalls for each spoke sites (350 of them) is just not cost effective.  I have some ideas on how to firewalling branch traffic in MPLS VPN environment:
1. An idea is to run IOS firewall at each branch site since it is already paid for.  Could we have management issue to manage that many IOS firewalls?
2. Redirect all spoke traffic to somewhere else, inspect by the firewalls, and firewalls spit the "clean" traffic out (no idea how to do that).
3. Enforce hub-and-spoke topology within MPLS cloud.  Inspect branch traffic at the data centers.  However, "dirty" traffic could still "contiminates" other spoke sites. 
What's the current industry best practice to firewalling branch traffic in MPLS VPN environment?  Any other ideas or white papers to guide me?
Thanks.

Kevin

The main problem is, as you have pointed out, one of the big benefits of MPLS is any to any but it's not much of an advantage when you need to firewall all traffic. I'm not going to go into why you need to firewall all traffic, i'll assume you do but how much of a problem would spoke to spoke traffic be if not firewalled ? Note i'm using the term spoke for reference but obviously with MPLS any-to-any they aren't really spokes.

Your solutions -

1) Could well turn out to be a management nightmare. If you could devise a standard template with a short rule base it might work but firewalls tend to introduce problems and 350 firewalls have the potential to introduce an awful lot of problems !

I don't know whether CSM (Cisco Security Manager) can manage IOS firewall but it may be worth looking into.

2 & 3) are actually along the same lines ie. make your MPLS network resemble a hub and spoke topology using MPLS VPNs. In effect you can emulate what you have now with all traffic from spoke sites only being able to go to hub sites. Depends how much spoke-to-spoke traffic you have currently ?

MPLS is not just about any-to-any connectivity, there are other advantages but it is one of the attractive options so you will lose that functionality but i would still look at 2/3 before 1). But that does depend on traffic patterns ie. how much is spoke to hub and how much spoke to spoke.

Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

0 Helpful

Go to solution
kevin.hu
Level 3
Level 3
In response to Jon Marshall

‎03-23-2010 01:42 PM

Jon,

How do you do firewalling in your company?  Just in the data centers?

Thanks!

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to kevin.hu

‎03-23-2010 02:23 PM 

kevin.hu wrote:
Jon,
How do you do firewalling in your company?  Just in the data centers?
Thanks!

Kevin

Yes, last company i worked for we used FWSM to firewall in DCs because that is where the vast majority of traffic from remote sites was going. We didn't firewall between remote sites except in circumstance where there was a sensitive protected network in a remote site. But that was us and your security requirements may differ significantly.

I have come across companies where there is a lot of inter-departmental and inter-site firewalling but you usually find they have a a sizeable security/network security dept. to cover the amount of work involved.

Jon

0 Helpful

Go to solution
sean_evershed
Level 7
Level 7

‎03-24-2010 05:08 AM

Hi Kevin,

If you were looking for some white papers have you consulted the Design Zone for Security?

It outlines best practices for a secure branch, secure campus, secure data centre etc.

http://www.cisco.com/en/US/netsol/ns744/networking_solutions_program_home.html

My experience is similar to Jon's in that one of the company's I worked for firewalled the core infrastructure in the data centre only. Branches were considered to be trusted sites.

0 Helpful

Go to solution
kevin.hu
Level 3
Level 3
In response to sean_evershed

‎03-24-2010 07:09 AM

Thanks Jon and Sean.  It helps me to understand what everyone else is doing to secure their branch.  I am looking possibly using Cisco Security Manager 4.0 to manage IOS FWs like Jon suggested.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card