In today's networks there is a need for 10G server connectivity, or at least more than 1G connectivity.
The attached Network1 is a simple logical design of a network where inside, outside and DMZ are connected to the firewall, which means there are 3 zones. If traffic passes from Inside to DMZ the maximum data rate can be 1Gbps, as the firewall interfaces are 1Gbps. If we want 10G connectivity we should go for a firewall like the 5585-X or ASA Services Module that supports 10G.
The attached Network2 is a simple logical design of a network where there are only 2 zones, i.e. inside and outside. In this case, even if the DMZ supports 10G and there is heavy traffic from the inside zone, there shouldn't be any problem because the data is not going through the firewall, which is expected to have 1G interfaces.
I have normally designed networks like the one in the Network1 diagram; however, do you guys see a problem with a design like Network2? Since the inside zone is 100 and the DMZ can be 70, all data from inside is going to be allowed towards the DMZ. What is the possible need for packet inspection then?
I have to disagree with you on your statements. Shown below are my comments. Let me know what you think :-)
Your interface may be 1Gbps, but that doesn't mean your data transfer rate will also be 1Gbps from Inside to DMZ and vice versa. The network traffic that passes from Inside to DMZ and vice versa is based on the Cisco FW throughput/backplane.
Heavy network traffic on the Inside could also mean a broadcast storm attack, for example. Should this scenario occur, your firewall's CPU and memory utilization will shoot up. This will have a negative impact on the DMZ as well. I've seen this too many times to know this!
Personally, I don't favor the Network 2 design simply because you're now introducing another point of failure, unless of course the number of workstations/servers is more than 7, in which case we have no choice but to adopt the Network 2 design.
By default, most network traffic from Inside can access the DMZ (from a higher security level to a lower security level), but this architecture can be broken by creating ACLs. However, ACLs alone aren't enough to secure your LAN. Hence, this is where other Cisco features such as IPS, Layer 7 packet inspection (MPF), etc. come into play.
P/S: If you think this comment was helpful, please do rate it nicely :-)
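As an added illustration of the two points raised in this thread (the question's "inside is 100, DMZ is 70, so everything is allowed" and the reply's "ACLs break that default, and MPF adds Layer 7 inspection"), here is a minimal ASA configuration in the Network1 layout. It is example configuration written for this page, not taken from either poster; the interface names, security levels, addresses (10.1.1.0/24 inside, 10.2.2.0/24 DMZ, 203.0.113.0/24 outside) and the host `dmz-web` are all assumed.

```cisco
! Three zones on the firewall (Network1): higher security-level may reach
! lower by default, so with no ACL applied, inside (100) -> dmz (70) is open.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 70
 ip address 10.2.2.1 255.255.255.0
!
! Assumed DMZ web server used in the example rules below.
object network dmz-web
 host 10.2.2.10
!
! An inbound ACL on "inside" overrides the security-level default:
! inside may only reach the DMZ web server on 443; every other inside -> DMZ
! flow is dropped, while inside -> outside stays permitted.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 object dmz-web eq 443
access-list INSIDE_IN extended deny ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! MPF: Layer 7 HTTP inspection for the inside -> DMZ web traffic that the ACL
! lets through, so allowed flows are still checked for protocol conformance.
access-list DMZ_HTTP extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq www
class-map INSIDE_TO_DMZ_HTTP
 match access-list DMZ_HTTP
policy-map INSIDE_POLICY
 class INSIDE_TO_DMZ_HTTP
  inspect http
service-policy INSIDE_POLICY interface inside
```

To confirm the ACL rather than the security levels is deciding the outcome, `packet-tracer input inside tcp 10.1.1.50 40000 10.2.2.10 443` should end in ALLOW while the same trace to port 22 should be dropped by the ACL phase; `show access-list INSIDE_IN` shows the hit counts per line, and `show service-policy interface inside` confirms the inspection is attached. In the Network2 layout none of this applies to inside-to-DMZ traffic, because it never crosses the firewall, which is the trade-off the thread is weighing.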