

Firewall Inspection

Answered Question
Jul 16th, 2012

In today's network there is a need for 10G server connectivity, or at least more than 1G connectivity.



Network1

Attached Network1 is a simple logical design of a network where inside, outside and DMZ are connected to the firewall, which means there are 3 zones. If traffic passes from Inside to DMZ the max data can be 1Gbps as the firewall interfaces are 1Gbps. If we want a connectivity of 10G we should go for a firewall like the 5585X or ASA Service module that supports 10G.



Network2

Attached Network2 is a simple logical design of a network where there are only 2 zones, i.e. inside and outside. In this case even if the DMZ supports 10G and there is heavy traffic from the inside zone there shouldn't be any problem, because the data is not going through the firewall, which is expected to have 1G interfaces.



I have normally designed networks like the one in the diagram of Network1; however, do you guys see a problem with a design like Network2, since the inside zone is 100 and DMZ can be 70, which means all data from inside is going to be allowed towards DMZ? What is the possible need for packet inspection then?

Correct Answer
Ramraj Sivagnan... Tue, 07/17/2012 - 12:15
User Badges:
  • Silver, 250 points or more

Hi Bro

I have to disagree with you, on your statements. Shown below are my comments. Let me know what you think :-)


Network1

Your interface may be 1Gbps but that doesn't mean your data transfer rate will also be 1Gbps, from Inside to DMZ and vice versa. The network traffic that passes from Inside to DMZ and vice versa is based on the Cisco FW throughput/backplane.


Network2

Heavy network traffic on the Inside could also mean a broadcast storm attack, for example. Should this scenario occur, your Firewall's CPU and Memory utilization will shoot up. This will have a negative impact on the DMZ as well. I've seen this too many times to know this!


Personally, I don't favor the Network 2 design simply because you're now introducing another point of failure, unless of course the number of workstations/servers is more than 7; then we have no choice but to adopt the Network 2 design.


By default, most network traffic from Inside can access DMZ (from higher security level to lower security level), but this architecture can be broken by creating ACLs. However, ACLs alone aren't enough to secure your LAN. Hence, this is where other Cisco features such as IPS, Layer 7 Packet Inspection (MPF) etc. come into play.




P/S: If you think this comment was helpful, please do rate them nicely :-)
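As an added illustration of the last point (not configuration from the original thread), an ASA configuration fragment that keeps the security levels from the question (inside 100, DMZ 70), uses an ACL to narrow the default inside-to-DMZ access down to the services the DMZ actually publishes, and layers MPF HTTP inspection on top. Interface names, addresses and object names are assumed.

```cisco
! Security levels as in the question: inside (100) is more trusted than dmz (70),
! so inside -> dmz is allowed by default until an ACL is applied.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 70
 ip address 172.16.1.1 255.255.255.0
!
! Constructed example host: the only service the DMZ publishes to inside users.
object network DMZ_WEB
 host 172.16.1.10
!
! Inbound ACL on inside: permit only the published ports towards the DMZ,
! deny and log everything else destined for the DMZ. The final permit is needed
! because applying an ACL replaces the security-level default with an implicit
! deny, which would otherwise also block inside -> outside traffic.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 object DMZ_WEB eq 443
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 object DMZ_WEB eq 80
access-list INSIDE_IN extended deny ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! Layer 7 inspection via MPF: the ACL only says "port 80 is allowed"; the
! inspection policy checks that what flows on port 80 is actually well-formed HTTP.
access-list DMZ_HTTP_TRAFFIC extended permit tcp any object DMZ_WEB eq 80
class-map DMZ_HTTP
 match access-list DMZ_HTTP_TRAFFIC
!
policy-map type inspect http HTTP_POLICY
 parameters
  protocol-violation action drop-connection log
!
policy-map INSIDE_POLICY
 class DMZ_HTTP
  inspect http HTTP_POLICY
!
service-policy INSIDE_POLICY interface inside
```

Verify the result with `show access-list INSIDE_IN` (hit counts on the deny line reveal unexpected inside-to-DMZ attempts) and `show service-policy interface inside` (packet counts confirm the inspection is actually matching traffic).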

communication.boy Tue, 07/17/2012 - 12:20

Thanks for the reply. By 1Gbps I mean maximum traffic (keeping 1 interface in mind), because throughput in the Cisco document is based on several things configured on the box. If we have different things configured, or less, the value will vary.
