My name is Jay Kishan and I am currently working as a network administrator in my company. We have just finished first phase of implementing Server Farm in our Data Center i.e. all servers in a different VLAN and all users in a separate VLAN. (Actually we have 6 different VLANs for users based on what floor they reside on but lets just call it a single User VLAN).
Anyways, so now my manager wants me to put a firewall in between the Server VLAN and the User VLAN. We have around 80 servers running different applications. I think that by putting a firewall in between the two VLANs will have a performance hit since the throughput required between the two VLANs is way too much for a normal firewall to support.
I just want to know the best practice the industry follows for firewalling in a server farm and the main reasons for it. I am searching for some solution myself but would really appreciate any help. As far as I could find, only critical servers are placed behind a firewall in a separate VLAN and inbound and outbound traffic for that VLAN is passed through the firewall. Also, what is the best thing to do. Place a separate hardware firewall like ASA5510 or use FWSM in Cisco 6500.
Thanks in advance.
ASA is typically an edge device (due to capability to do VPN), but it's not that uncommon to see a multicontext ASA 5580 in DC (lately).
FWSM is what you would typically see in ditribution layer.
Below is a really badly organized but hopefully you will be able to make some sense out of it.
Some best practice to follow.
- KISS principle - if you're adding more then 10th vlan on FWSM or ASA you're probably doing something wrong. If your routing table has just blown up, you're not summarizing enough (screwed up while allocating address spaces).
- Inter-server or inter-user communication (replication or apps like memcached, DNS traffic) try to design it not to pass through firewall, consider using private vlans instead.
- If separate rule sets required for different vlan - use multiple context firewalls instead (consider using transparent mode if no NAT or routing needed)
- You would typically put a firewall to separate users from internet and servers. Try to keep it in mind and police traffic between users (/servers) when needed.
Bottom line - traffic that needs to be fast - switch it, don't route it.
If you want some servers to communicate on one vlan and some other not - use private vlans.
Traffic that needs to be check against policy (access-lists etc.) route it to firewall (or use transparent firewall on that vlan).
CCDA self study guide
CCDP - ARCH book.