Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Mini Data Center Design

Hi

I have some doubts about the best solution for the design of a mini data center.

In the data center there is a 6500 with FWSM module installed, there are some vlans created, all of them in the fwsm module. For example, a back end server to communicate with a server in the front end must always pass through the firewall. My question is, all these flows passing in the firewall does not degrade the speed of communication?

What is the best practice, just pass the communications with the WAN in the firewall, and the vlan communication between front end and back end is only set up in 6500?

thank you

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Mini Data Center Design

Well security is a multi-faceted topic. How secure you can make things depends on part on your requirements to provide the necessary functionality for the application to work.

If the database servers don't need Internet connectivity, simply keep them on an internal-only VLAN and don't allow them to be routed out even for internally-initiated requests. If the database servers need to talk to the Internet (why that's really necessary would be a good question to ask - could a bastion host be used instead?), then lock down the rules in the FWSM with an access list that only allows specified addresses and ports as necessary for the minimally-required service to work.

In any scenario, your should scan your servers (e.g. with Nessus) and harden them to reduce their exposed attack surface. Extra steps could include things like Tripwire on the servers to further lock them down. Auditing system access - and actually looking at the logs! - also helps. Tools such as iptables on Linux servers or Windows Firewall should be leveraged to allow only communications into and out of the box as necessary for it to perform its designated function.

6 REPLIES
Hall of Fame Super Silver

Mini Data Center Design

If the VLANs don't require firewalling internal to your system, they can communicate via L3 interfaces internal to the 6500 supervisor. Isolating front end from backend via the FWSM (or an ASA) is part of a reference design advocated by Cisco which provides a higher level of isolation and security.

That said, FWSM is a very fast firewall with speed of ~5 Gbps. In a small data center example if your load does not approach that limit, any theoretical degradation would not actually be seen.

New Member

Mini Data Center Design

Hi Marvin

this case for you this is the best design:

In the future if i have a deterioration in the access to the server, I should just do an upgrade to the firewall. For example, if you have to add 10Gbps ports to the 6500 chassis, I need to replace the fwsm module or add new fwsm module.

Hall of Fame Super Silver

Mini Data Center Design

One would normally expect to see a pair of core switches for high availability. HSRP for layer 3 high availability and FWSMs in an active-standby or active-active (depending on use of contexts or not).

Scalability, as you note could be via an additional FWSM module. Other alternatives would be ASA Service Module (20 Gbps FWSM successor) or ASA 5585-X (4-40 Gbps depending on configuration). those both leverage 64-bit architecture and would be more strategic platforms moving forward.

Scalability could also be "horizontal" vs. "vertical" - i.e., more servers with a load balancer in front of them. (Ciisco ACE, F5 BigIP LTM, Citrix Netscaler, etc.) That is usually a more cost effective approach which also incidentally can help availability.

New Member

Mini Data Center Design

Marvin I didn’t put in the picture another fwsm, but in the next week we will have another 6500 chassi with another fwsm module, that was installed in other building.

I think I understand the idea, but another idea doesn’t leave my head.

If I have two separate Vlans, one with applications server and the other with data base servers, and if I want that the communication between this vlans don’t pass the fwsm because of the performance deterioration, how can I do that and at the same time secure the data base Vlan.

Thanks for the help

Hall of Fame Super Silver

Mini Data Center Design

Well security is a multi-faceted topic. How secure you can make things depends on part on your requirements to provide the necessary functionality for the application to work.

If the database servers don't need Internet connectivity, simply keep them on an internal-only VLAN and don't allow them to be routed out even for internally-initiated requests. If the database servers need to talk to the Internet (why that's really necessary would be a good question to ask - could a bastion host be used instead?), then lock down the rules in the FWSM with an access list that only allows specified addresses and ports as necessary for the minimally-required service to work.

In any scenario, your should scan your servers (e.g. with Nessus) and harden them to reduce their exposed attack surface. Extra steps could include things like Tripwire on the servers to further lock them down. Auditing system access - and actually looking at the logs! - also helps. Tools such as iptables on Linux servers or Windows Firewall should be leveraged to allow only communications into and out of the box as necessary for it to perform its designated function.

New Member

Mini Data Center Design

Thanks for the help, now I got the ideas more organized

best regards

1489
Views
0
Helpful
6
Replies