Well, our organization is planning to implement security in the datacenter for the server farm. Therefore we are purchasing ASA 5585-X series devices. I need your suggestion on how we can implement the firewall between the core switch and the server farm switch.
My suggestion:
1. Firewall in transparent mode (because all server gateways will be on the core switch)
2. EtherChannel between the core switch and the firewall, and between the server farm switch and the firewall
3. Interfaces between the core switch and the firewall, and between the server farm switch and the firewall, must be trunks
4. Interfaces between the core switch and the firewall must be in the outside zone, and between the server farm switch and the firewall in the inside zone.
5. The ACL will be applied on the outside interface in the IN direction.
Suggestions are requested.
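The design listed above, written out as an ASA configuration sketch. This is an added, constructed example and not configuration from the thread; the 5585-X interface names, VLAN number and server addresses are assumptions.

```cisco
! Constructed example: ASA in transparent mode between the core switch
! (outside) and the server farm switch (inside), one port-channel per side.
firewall transparent
!
! Port-channel members (assumed 5585-X interface names, one shown per side).
interface TenGigabitEthernet0/8
 channel-group 1 mode active
 no shutdown
interface TenGigabitEthernet0/9
 channel-group 2 mode active
 no shutdown
!
! The trunks carry one subinterface per server VLAN (VLAN 100 shown).
! Each VLAN gets its own bridge group, and each bridge group needs its own
! BVI management address in that VLAN.
interface Port-channel1.100
 vlan 100
 nameif outside
 bridge-group 1
 security-level 0
!
interface Port-channel2.100
 vlan 100
 nameif inside
 bridge-group 1
 security-level 100
!
interface BVI1
 ip address 10.0.100.5 255.255.255.0
!
! Server farm objects (constructed addresses and ports).
object-group network SERVER-FARM
 network-object 10.0.100.0 255.255.255.0
object-group service SERVER-PORTS tcp
 port-object eq www
 port-object eq https
!
! Point 5 of the design: the ACL is applied inbound on the outside interface.
! Server-initiated traffic (inside to outside) is permitted by the higher
! security level, and its return traffic by stateful inspection; the explicit
! deny with logging at the end gives visibility into blocked connections.
access-list OUTSIDE-IN extended permit tcp any object-group SERVER-FARM object-group SERVER-PORTS
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Transparent mode passes ARP by default; any other non-IP traffic that must
! cross the firewall between the switches needs an EtherType ACL.
```

Servers keep their gateway on the core switch, so the BVI address is only for managing the ASA and never appears as a next hop.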
I am wondering what you are trying to secure with the firewall. Do you have multiple organizations connecting to your access switch in the server farm in different VLANs? If yes, ACLs on the router can block VLAN communication. If it is all the same organization residing on the same switch, then what is the purpose of the firewall?
No, we are not connecting multiple organizations. We only want to secure the server farm through ACLs by using the firewall, and we don't want to use the core switch as a firewall.
We only want to secure the server farm through ACLs by using the firewall.
Wow, that is a very pricey option. A router with properly defined ACLs will suffice.
But in the future we also need to deploy an IPS, and the said firewall has a module for IPS.
And you position the ASA between your core switch and your server farm?
Managing traditional ACLs can be a nightmare with dynamic protocols (FTP for instance, or protocols used by unified communications); a firewall will be easier to administer.
Our company is looking into implementing a DC firewall solution too. We're evaluating other firewall vendors that support full dynamic routing protocols as well as stateful packet inspection. I always thought of the ASA as being a firewall first, not something to run dynamic routing protocols on.