635 Views | 0 Helpful | 2 Replies

Firewall Inspection

In today's networks there is a need for 10G server connectivity, or at least more than 1G connectivity.

Network1

Attached Network1 is a simple logical design of a network where inside, outside and DMZ are connected to the firewall, which means there are 3 zones. If traffic passes from Inside to DMZ the max data can be 1Gbps, as the firewall interfaces are 1Gbps. If we want 10G connectivity we should go for a firewall like the 5585-X or the ASA Service Module that supports 10G.

Network2

Attached Network2 is a simple logical design of a network where there are only 2 zones, i.e. inside and outside. In this case, even if the DMZ supports 10G and there is heavy traffic from the inside zone, there shouldn't be any problem, because the data is not going through the firewall, which is expected to have 1G interfaces.

I have normally designed networks like the one in the Network1 diagram; however, do you guys see a problem with a design like Network2, since the inside zone is 100 and the DMZ can be 70, which means all data from inside is going to be allowed towards the DMZ? What is the possible need for packet inspection then?

Accepted Solution

Hi Bro

I have to disagree with you, on your statements. Shown below are my comments. Let me know what you think :-)

Network1

Your interface may be 1Gbps, but that doesn't mean your data transfer rate will also be 1Gbps from Inside to DMZ and vice versa. The network traffic that passes from Inside to DMZ and vice versa is based on the Cisco FW throughput/backplane.

Network2

Heavy network traffic on the Inside could also mean a broadcast storm attack, for example. Should this scenario occur, your Firewall's CPU and memory utilization will shoot up. This will have a negative impact on the DMZ as well. I've seen this too many times to know this!

Personally, I don't favor the Network 2 design simply because you're now introducing another point of failure, unless of course the number of workstations/servers is more than 7; then we have no choice but to adopt the Network 2 design.

By default, most network traffic from Inside can access the DMZ (from a higher security level to a lower security level), but this architecture can be broken by creating ACLs. However, ACLs alone aren't enough to secure your LAN. Hence, this is where other Cisco features such as IPS, Layer 7 Packet Inspection (MPF), etc. come into play.

P.S.: If you think this comment was helpful, please do rate it nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam
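To make the point of the accepted answer (and the original question about inside=100 / DMZ=70) concrete, here is an added ASA configuration example that is not part of either post. The interface names, security levels, addresses and the DMZ web server 10.2.2.10 are constructed for illustration: the first part shows the implicit higher-to-lower permit, the ACL then narrows inside-to-DMZ traffic, and the MPF section adds Layer 7 HTTP inspection on top of the ACL.

```cisco
! Constructed example: three zones on 1G interfaces, as in the Network1 diagram
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 70
 ip address 10.2.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! With no ACL bound to "inside", every flow from inside (100) to dmz (70)
! is permitted purely because of the security levels. The ACL below
! replaces that default: inside hosts may reach the DMZ web server on
! 80/443 only, everything else toward the DMZ subnet is denied, and
! traffic toward other destinations (e.g. outside) is still allowed.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host 10.2.2.10 eq 443
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host 10.2.2.10 eq 80
access-list INSIDE_IN extended deny ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! MPF: the ACL says "port 80 is allowed", but says nothing about what
! is carried on port 80. An HTTP inspection policy drops and logs
! connections that violate the HTTP protocol, i.e. non-HTTP traffic
! tunnelled over the permitted port.
class-map DMZ_WEB
 match port tcp eq 80
!
policy-map type inspect http HTTP_STRICT
 parameters
  protocol-violation action drop-connection log
!
policy-map global_policy
 class DMZ_WEB
  inspect http HTTP_STRICT
!
service-policy global_policy global
```

Verify the ACL hit counts with `show access-list INSIDE_IN` and the inspection counters with `show service-policy inspect http`; the denied-and-logged line is the one to watch for unexpected inside-to-DMZ attempts.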


2 Replies


Thanks for the reply. By 1Gbps I mean maximum traffic (keeping 1 interface in mind), because the throughput in the Cisco document is based on several things configured on the box. If we have different things configured, or less, the value will vary.
