[c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
Nick Hilliard
nick at foobar.org
Mon Aug 10 15:41:10 EDT 2020
Yham wrote on 10/08/2020 19:53:
> Hello Gentlemen,
>
> We are redesigning the core network where we have
> - Edge routers peering BGP with internet providers and partners
> - Perimeter firewalls to secure north-south traffic
Unless there's a specific policy objective which overrides any technical
consideration, you may want to consider not putting firewalls inline
like this, as they often introduce serious failure modes which are
difficult to work around. Best case in a service provider environment,
they should service only the addresses which need to be firewalled and
should not be used as the default configuration for all traffic.
> I wanted to ask if there are the best practices when deploying the
> perimeter firewalls?
> Is Active/Active better than the Active/Standby HA model?
No, active/active is troublesome - you end up sharing state between
multiple systems, which introduces complexity and potential for failure.
Active/standby also keeps you honest by ensuring that you end up with
resiliency.
> Does a pair of Firewalls in Routed mode perform better than in
> Transparent/Layer2 mode?
You lose features in transparent mode, e.g. routing and a bunch of
others. There's no compelling reason to use it for most situations.
> Regarding Firewalls mode, I know you can't use some firewall features (such
> as VPN, NAT, etc.) when in layer2 mode; however, in some Next-Gen firewalls,
> you can make a certain pair of interfaces transparent to your upstream and
> downstream and another pair of interfaces in layer3 mode for VPN, NAT, etc.
>
> Any comments, please?
Keep as much traffic away from firewalls as possible. Keep your
configuration as simple as possible (this takes time and effort). If
you're using Juniper firewalls, keep each customer in an apply-group.
Nick
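As an added illustration (not from Nick's post or anywhere else in the thread), this is what the "one apply-group per customer" suggestion can look like on a Junos SRX in set-command form. The group names, interface, VLAN, addresses and zone names are constructed placeholders, and it assumes an `untrust` zone and the `vlan-tagging` statement are already configured outside the groups.

```junos
## Added example, not from the thread. Each customer's interface unit, zone
## and policy live in exactly one group, so a customer can be added or
## removed as a unit without editing shared stanzas.

## Shared, non-customer configuration (assumed to exist already)
set interfaces ge-0/0/1 vlan-tagging

## Customer A: everything for this customer is inside group CUST-A
set groups CUST-A interfaces ge-0/0/1 unit 101 vlan-id 101
set groups CUST-A interfaces ge-0/0/1 unit 101 family inet address 192.0.2.1/30
set groups CUST-A security zones security-zone CUST-A interfaces ge-0/0/1.101
set groups CUST-A security policies from-zone CUST-A to-zone untrust policy out match source-address any
set groups CUST-A security policies from-zone CUST-A to-zone untrust policy out match destination-address any
set groups CUST-A security policies from-zone CUST-A to-zone untrust policy out match application any
set groups CUST-A security policies from-zone CUST-A to-zone untrust policy out then permit

## Customer B: same shape, separate group, separate VLAN and zone
set groups CUST-B interfaces ge-0/0/1 unit 102 vlan-id 102
set groups CUST-B interfaces ge-0/0/1 unit 102 family inet address 192.0.2.5/30
set groups CUST-B security zones security-zone CUST-B interfaces ge-0/0/1.102
set groups CUST-B security policies from-zone CUST-B to-zone untrust policy out match source-address any
set groups CUST-B security policies from-zone CUST-B to-zone untrust policy out match destination-address any
set groups CUST-B security policies from-zone CUST-B to-zone untrust policy out match application any
set groups CUST-B security policies from-zone CUST-B to-zone untrust policy out then permit

## Activate the groups. Offboarding customer B is "delete groups CUST-B"
## plus "delete apply-groups CUST-B"; nothing else in the config changes.
set apply-groups [ CUST-A CUST-B ]
```

Keeping the policy inside the group means `show configuration groups CUST-A` is a complete, reviewable picture of what that customer is allowed to do, which is what makes the "keep the configuration simple" advice above practical when the number of customers grows.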