Web Zone and App Zone firewalls

I need some advice.

I'm told over and over again by internal staff that "if we are placing firewalls around an internet web zone, why do we need an application layer (or business logic layer) firewalled from the internal network? Why can't we run all the application logic on the core?"

I've explained defense in depth and protecting the core in the event that a web zone network gets compromised, but that isn't flying. I need either a really good explanation of why I'd need an app zone set of firewalls AND/OR some links showing how this is the best architecture.

Thanks,

Thy

1 REPLY

Re: Web Zone and App Zone firewalls

Hi Bro

I’m with you on this one. The Web Zone or the DMZ zone should always be well protected. After all, this is the only zone that's accessible by and open to the Internet cloud, in most organizations.

Personally, if you were to ask me, there should be at least 3 layers of network defense in most big organizations. Typically, you'll have a DMZ zone i.e. Web Server, Mid Zone i.e. Application Servers / Middleware Servers and End Zone i.e. Database Servers.

Firewalls with Layer 7 inspection aren't good enough on their own to protect the DMZ Zone. You'll need to supplement this with a network IPS, e.g. the Cisco ASA 5500 Series IPS Solution. Furthermore, on the Application Servers and Database Servers, you'll need host-based IPS, e.g. Cisco Security Agents. This is just my opinion.

Nonetheless, Cisco SAFE is a well-done document, produced by Cisco, on best practices for placing a firewall in almost every possible scenario. This document can be found at http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap6.html

If you need a black & white confirmation from Cisco on the design portion, you could contact Cisco’s Planning, Design and Implementation Help Desk at http://www.cisco.com/web/partners/tools/pdihd.html

Once these folks have certified your design, it will be easier to engage your top management folks with your outputs, knowing it’s backed by Cisco :-)

P.S.: If you think this comment is useful, please do rate it nicely :-) Please do click on the button THIS QUESTION IS ANSWERED

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
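The three-tier zoning the reply describes (DMZ/web, mid/app, end/DB) can be modelled as a stateless zone-to-zone policy and compared with the "run the application logic on the core" design the original poster is being pushed towards. The example below is an added illustration, not code from this thread, from Cisco, or from Cisco SAFE; the zone names, hosts, ports and rules are constructed. It computes the set of services an attacker who has taken over the web server can open connections to under each design, which is the concrete form of the defense-in-depth argument: with a firewall in front of the application tier, a compromised web server reaches one application port and nothing else; without it, the same compromise reaches the database listener and the management ports of every core host.

```python
"""Blast-radius comparison for a firewalled application tier vs. a flat core.

Hypothetical topology and policy; zone/host names, ports and rules are
constructed for illustration and are not a Cisco configuration.
"""
from dataclasses import dataclass
from typing import Optional

ANY = None  # port wildcard: a rule with port=ANY permits every TCP port


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: Optional[int]  # permitted TCP destination port, or ANY


# Listening services on each server (constructed). 22 = SSH admin port,
# 443 = public HTTPS, 8080 = application API, 1433 = database listener.
SERVICES = {
    "web1": {443, 22},
    "app1": {8080, 22},
    "db1": {1433, 22},
}

# Design A: three firewalled zones as in the reply (DMZ -> mid -> end).
SEGMENTED_ZONES = {"attacker": "internet", "web1": "dmz", "app1": "mid", "db1": "end"}
SEGMENTED_RULES = [
    Rule("internet", "dmz", 443),  # public web traffic only
    Rule("dmz", "mid", 8080),      # web tier may call the app API only
    Rule("mid", "end", 1433),      # app tier may reach the DB listener only
]

# Design B: web zone firewalled from the Internet, but application logic and
# database live on the unsegmented core, which the web zone must reach freely.
FLAT_ZONES = {"attacker": "internet", "web1": "dmz", "app1": "core", "db1": "core"}
FLAT_RULES = [
    Rule("internet", "dmz", 443),
    Rule("dmz", "core", ANY),      # no application-tier firewall: any port
]


def allowed(rules, src_host, dst_host, port, zones):
    """True if a TCP connection src_host -> dst_host:port passes the policy."""
    src_zone, dst_zone = zones[src_host], zones[dst_host]
    if src_zone == dst_zone:
        return True  # same zone: no firewall sits in the path
    return any(
        r.src_zone == src_zone and r.dst_zone == dst_zone and r.port in (ANY, port)
        for r in rules
    )


def reachable_from(compromised, rules, zones, services=SERVICES):
    """All (host, port) pairs an attacker holding `compromised` can connect to."""
    return {
        (host, port)
        for host, ports in services.items()
        if host != compromised
        for port in ports
        if allowed(rules, compromised, host, port, zones)
    }


def blast_radius(compromised):
    """Reachable services under both designs, for a side-by-side comparison."""
    return {
        "segmented": reachable_from(compromised, SEGMENTED_RULES, SEGMENTED_ZONES),
        "flat_core": reachable_from(compromised, FLAT_RULES, FLAT_ZONES),
    }


if __name__ == "__main__":
    for foothold in ("attacker", "web1", "app1"):
        for design, reach in blast_radius(foothold).items():
            print(f"{design:10s} from {foothold:8s}: {sorted(reach)}")
```

From the Internet both designs look identical (only web1:443 is exposed), which is exactly why the "we already firewall the web zone" argument sounds convincing. The difference only appears once a web server is assumed compromised: the segmented design limits the next hop to app1:8080, while the flat core exposes app1:22, db1:1433 and db1:22 to the same foothold.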