[c-nsp] Campus Network - Deployment mode of Perimeter Firewalls

Yham yhameed81 at gmail.com
Mon Aug 10 23:33:06 EDT 2020


Hello Nick,

Thanks for your comments. I kinda agree with you on avoiding transparent
mode; however, it's not clear why you wouldn't want your north-south traffic
to pass through perimeter security devices (FWs). How would you protect your
network from the outside if you don't have firewalls in the traffic path? I
have seen some enterprises use bypass switches to go around the firewalls
in case of an unexpected failure from which the firewalls can't recover.

Thanks

On Mon, Aug 10, 2020 at 3:41 PM Nick Hilliard <nick at foobar.org> wrote:

> Yham wrote on 10/08/2020 19:53:
> > Hello Gentlemen,
> >
> > We are redesigning the core network where we have
> > - Edge routers peering BGP with internet providers and partners
> > - Perimeter firewalls to secure north-south traffic
>
> Unless there's a specific policy objective which overrides any technical
> consideration, you may want to consider not putting firewalls inline
> like this, as they often introduce serious failure modes which are
> difficult to work around.  Best case in a service provider environment,
> they should service only the addresses which need to be firewalled and
> should not be used as the default configuration for all traffic.
>
> > I wanted to ask if there are the best practices when deploying the
> > perimeter firewalls?
>
> > Is Active/Active better than an Active/Standby HA model?
>
> No, active/active is troublesome - you end up sharing state between
> multiple systems, which introduces complexity and potential for failure.
> Active/standby also keeps you honest by ensuring that you end up with
> resiliency.
>
> > Does a pair of Firewalls in Routed mode perform better than in
> > Transparent/Layer2 mode?
>
> You lose features in transparent mode, e.g. routing and a bunch of
> others.  There's no compelling reason to use it for most situations.
>
> > Regarding Firewalls mode, I know you can't use some firewall features
> > (such as VPN, NAT etc) when in layer2 mode; however, in some Next-Gen
> > firewalls, you can make a certain pair of interfaces transparent to your
> > upstream and downstream and another pair of interfaces in layer3 mode for
> > VPN, NAT etc.
> >
> > Any comments, please?
>
> Keep as much traffic away from firewalls as possible.  Keep your
> configuration as simple as possible (this takes time and effort).  If
> you're using Juniper firewalls, keep each customer in an apply-group.
>
> Nick
>

