2 tier firewall

Answered Question
Sep 6th, 2010

Hi All,

Currently I have a 2 tier firewall setup as below.

Internet
   |          |
FW  -  FW (PUBLIC)
   |          |
SW  -  SW (PUBLIC)
   |          |
FW  -  FW (PRIVATE)
   |          |
SW  -  SW (PRIVATE)

The public firewalls are on an active-passive setup and are used to control the traffic between the Internet and Public switch.

The private firewalls are on an active-passive setup and are used to control the traffic between the Public and Private switch.

This setup will be used to serve different customers on a shared environment.

My query is whether I should create the SVIs for different customers on the switches or create subinterfaces on the firewalls for different customers.

If I create the SVIs on the Public and Private switches, then I will have to create multiple ACLs, which operationally might not be so feasible to manage.

If I create the subinterfaces on the Public and Private firewalls, then I cannot do rate-limiting as the firewalls currently do not support it.

Does anybody have any suggestions on how to optimise the above setup, or any other best practices?

Jon Marshall Mon, 09/06/2010 - 08:40

noobieee7 wrote:

Hi All,

Currently I have a 2 tier firewall setup as below.

Internet
   |          |
FW  -  FW (PUBLIC)
   |          |
SW  -  SW (PUBLIC)
   |          |
FW  -  FW (PRIVATE)
   |          |
SW  -  SW (PRIVATE)

The public firewalls are on an active-passive setup and are used to control the traffic between the Internet and Public switch.

The private firewalls are on an active-passive setup and are used to control the traffic between the Public and Private switch.

This setup will be used to serve different customers on a shared environment.

My query is whether I should create the SVIs for different customers on the switches or create subinterfaces on the firewalls for different customers.

If I create the SVIs on the Public and Private switches, then I will have to create multiple ACLs, which operationally might not be so feasible to manage.

If I create the subinterfaces on the Public and Private firewalls, then I cannot do rate-limiting as the firewalls currently do not support it.

Does anybody have any suggestions on how to optimise the above setup, or any other best practices?

Actually, the ASAs do support rate limiting, although it might not meet all your needs. I think you have 3 options really, the 2 you mentioned plus:

run the ASA devices in active/active and have a context per customer, i.e. a virtual firewall for each customer. Note that there are restrictions on running active/active, e.g. you cannot run VPNs on your ASAs, but these might not apply. Depending on the number of customers, you may also have to purchase additional contexts.

For the most secure setup I would choose contexts. That way a misconfiguration on one customer's context does not affect any other customer. Contexts are a perfect fit for a setup which involves multiple customers whose traffic should be completely segregated. If you are hosting separate customer servers as well, you can extend the segregation of customers back to the L3 switches using VRF-lite.

The next best is firewall interfaces. A mistake on the firewall can still affect all customers, but at least you have full stateful firewalling between customer VLANs.

The last resort should be ACLs on the SVIs, and to be honest I would be very reluctant to use these.

Jon
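The context-per-customer option above, as an added constructed example (not the poster's or Jon's configuration): the system execution space of an ASA pair in multiple-context mode, with one context per customer joined to an active/active failover group. It assumes each customer arrives on its own outside VLAN (101, 102) from an upstream router and has its own DMZ VLAN (201, 202); interface names, VLAN numbers and file names are made up.

```cisco
! System execution space of the public ASA pair (constructed example, not the
! poster's config). 'mode multiple' converts the unit and reloads it.
mode multiple
!
! Subinterfaces and VLAN tags are created here; nameif, addressing and ACLs
! are configured inside each context.
interface GigabitEthernet0/0.101
 vlan 101
interface GigabitEthernet0/0.102
 vlan 102
interface GigabitEthernet0/1.201
 vlan 201
interface GigabitEthernet0/1.202
 vlan 202
!
! Active/active: two failover groups, each unit primary for one of them.
failover group 1
 primary
failover group 2
 secondary
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
! One context per customer with its own outside and DMZ interfaces, its own
! config file and failover group; a bad rule in custA cannot affect custB.
context custA
 allocate-interface GigabitEthernet0/0.101 outside
 allocate-interface GigabitEthernet0/1.201 dmz
 config-url disk0:/custA.cfg
 join-failover-group 1
!
context custB
 allocate-interface GigabitEthernet0/0.102 outside
 allocate-interface GigabitEthernet0/1.202 dmz
 config-url disk0:/custB.cfg
 join-failover-group 2
```

Each context is then configured on its own (changeto context custA) with only the mapped interface names it was allocated, so its administrator never sees another customer's interfaces.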

noobieee7 Mon, 09/06/2010 - 08:54

Hi Jon,

Thanks for the advice. Let's say I stick with running subinterfaces on the firewalls. To connect up my Public Firewall and my Private Firewall, I will need to dedicate another Layer 3 physical interface on the firewalls and an access port on the Public switches to connect both of them up, right?

Jon Marshall Mon, 09/06/2010 - 09:01

noobieee7 wrote:

Hi Jon,

Thanks for the advice. Let's say I stick with running subinterfaces on the firewalls. To connect up my Public Firewall and my Private Firewall, I will need to dedicate another Layer 3 physical interface on the firewalls and an access port on the Public switches to connect both of them up, right?

It depends on where you are segregating the traffic. If everybody comes in on the outside interface of the public firewall, then if you use one physical interface to get to the private firewall you are not keeping customer traffic separate until they actually leave the inside of the private firewall and go to the internal switches. Is this what you are proposing, i.e. the subinterfaces for the customers would exist purely on the inside of the private firewall?

That seems the most likely scenario and the easiest to manage, so in answer to your question: yes, you need a connection from public to private firewalls. This can simply be a physical interface on the public/private firewalls in the same VLAN, and then on the DMZ switches you would simply configure the ports that connect to both firewalls as access ports in the same VLAN.

One question though: are there servers in the DMZ, i.e. on the public switches, that your customers are accessing, and if there are, are they dedicated servers per customer or shared servers? If there aren't, then I'm struggling to see why you need 2 tiers. There must be something on those public switches?

Jon

noobieee7 Mon, 09/06/2010 - 09:17

Hi Jon,

There are public servers on the public switches; they are dedicated to each customer.

Probably I should create another security zone on the Public Zone so as to make sure that traffic from the Internet will not get into the Private zone by any chance.

Jon Marshall Mon, 09/06/2010 - 09:22

noobieee7 wrote:

Hi Jon,

There are public servers on the public switches; they are dedicated to each customer.

Probably I should create another security zone on the Public Zone so as to make sure that traffic from the Internet will not get into the Private zone by any chance.

Sorry, just to clarify, are the customers also accessing internal devices, i.e. on your private network?

If not, then you should subinterface per customer on the inside of the public firewalls. You should also have a separate connection from the public firewall(s) to the public switches and then to the private firewalls for traffic that needs to go out from internal to the Internet (if there is any).

Jon

noobieee7 Mon, 09/06/2010 - 09:25

Hi Jon,

The customer will be accessing the internal servers from their servers on the public switches.

The internal servers will not have access directly to the Internet.

Jon Marshall Mon, 09/06/2010 - 09:32

noobieee7 wrote:

Hi Jon,

The customer will be accessing the internal servers from their servers on the public switches.

The internal servers will not have access directly to the Internet.

Yes, but how will they be accessing them, i.e. do they log on to the public servers and then log on to the internal servers, or is it something like an application server front-end on the public switches where the app server makes SQL calls to the back-end database server, which is internal?

Basically, what I'm asking is: are the customers ever actually logged on to the internal servers, or do the public servers proxy for them?

Jon

noobieee7 Mon, 09/06/2010 - 09:37

Hi Jon,

They log on to the public servers and then log on to the internal servers for remote access purposes.

For actual usage, the web server will be on the public switch, which calls on the database servers on the internal switch.

Jon Marshall Mon, 09/06/2010 - 09:42

noobieee7 wrote:

Hi Jon,

They log on to the public servers and then log on to the internal servers for remote access purposes.

For actual usage, the web server will be on the public switch, which calls on the database servers on the internal switch.

Right, so you need to segregate the customer traffic both in the public DMZ and internally.

One last question (promise). Are the servers dual-homed or not? A common setup with 2 tiers is to have a NIC with an address facing the public side and a NIC with an address facing the private internal firewalls. So traffic comes from the Internet to a server in the DMZ on the public NIC, and if it needs to send traffic internally it uses its private NIC, i.e. the NIC facing the private firewalls.

What is the traffic flow for these servers, i.e. if a public server needs to talk to a private server, does it send the traffic back to the inside of the public firewalls?

Jon

noobieee7 Mon, 09/06/2010 - 09:49

Hi Jon,

The current setup is that they are single-homed. The public server should be sending data to the public firewall subinterface; from there it gets switched to the other interface on the public firewall facing the private firewall, and then the data should be sent through the private firewall to the private switch where the private servers reside.

Jon Marshall Mon, 09/06/2010 - 09:53

noobieee7 wrote:

Hi Jon,

The current setup is that they are single-homed. The public server should be sending data to the public firewall subinterface; from there it gets switched to the other interface on the public firewall facing the private firewall, and then the data should be sent through the private firewall to the private switch where the private servers reside.

Okay, I think I've now got the picture.

So you need subinterfaces on the inside of the public firewalls for each customer. Then a separate physical interface, if you have one, on both the public and the private firewalls to make a connection between the 2 firewalls. These interfaces should be in a dedicated VLAN, and the public switch ports would be configured as access ports in that VLAN.

Then you need subinterfaces again on the inside of the private firewalls.

Note that if you don't have a spare interface on the public firewalls, you could actually use another subinterface on the physical interface for all the customer traffic.

Jon
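The subinterface design Jon describes above, as an added constructed example (not the poster's or Jon's configuration): per-customer subinterfaces on the inside of the public ASA, a dedicated transit interface and VLAN to the private firewall, per-subinterface ACLs that keep each customer's DMZ to its own internal subnet, and the matching public switch ports. All addresses, VLAN numbers, interface names and the database port are assumptions; the private firewall's inside subinterfaces follow the same pattern and are not shown.

```cisco
! Public ASA, single context (constructed example, not the poster's config).
! Physical inside interface: no nameif, it only carries tagged subinterfaces.
interface GigabitEthernet0/1
 no nameif
 no ip address
!
! One subinterface per customer DMZ VLAN. Equal security levels mean the ASA
! drops traffic between them unless 'same-security-traffic permit
! inter-interface' is configured, so leave that command off.
interface GigabitEthernet0/1.101
 vlan 101
 nameif custA-dmz
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1.102
 vlan 102
 nameif custB-dmz
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
! Dedicated transit link to the private firewall's outside interface,
! carried in access VLAN 900 on the public switches.
interface GigabitEthernet0/2
 nameif transit
 security-level 40
 ip address 10.255.0.1 255.255.255.252
!
! Customer internal subnets are reached via the private firewall (10.255.0.2).
route transit 192.168.10.0 255.255.255.0 10.255.0.2
route transit 192.168.20.0 255.255.255.0 10.255.0.2
!
! Per-subinterface ACLs: each DMZ subnet may reach only its own customer's
! internal subnet on the database port; the explicit deny logs everything else.
access-list custA-dmz-in extended permit tcp 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 1433
access-list custA-dmz-in extended deny ip any any log
access-group custA-dmz-in in interface custA-dmz
access-list custB-dmz-in extended permit tcp 10.1.2.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 1433
access-list custB-dmz-in extended deny ip any any log
access-group custB-dmz-in in interface custB-dmz
!
! Public switch (IOS): trunk the customer VLANs to the ASA inside port; the
! public ASA Gi0/2 and the private ASA outside each get an access port in VLAN 900.
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102
 switchport mode trunk
interface GigabitEthernet1/0/2
 switchport access vlan 900
 switchport mode access
```

The logged denies on each customer subinterface are the check worth watching: a hit from one customer's DMZ subnet towards another customer's internal range means either a misconfigured server or a compromised one.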

noobieee7 Mon, 09/06/2010 - 09:55

Hi Jon,

That's right. Sorry if I got you confused there. What do you think of such a design?

Jon Marshall Mon, 09/06/2010 - 09:58

noobieee7 wrote:

Hi Jon,

That's right. Sorry if I got you confused there. What do you think of such a design?

Should be fine as long as you are careful when you configure the ACLs per subinterface. There isn't really a much better way to do it unless you look at contexts, to be honest.

Good luck with it.

Jon

Correct Answer
Jon Marshall Mon, 09/06/2010 - 10:00

One final point. The advantage of having 2 NICs per server in the way I was talking about is that traffic does not need to keep bouncing off the inside of the public firewalls, i.e. you have a direct path between the servers and the internal network, via the private firewalls obviously.

Jon
