Reducing firewall traffic
Posted on 2003-04-01
Hello! I have a PIX firewall 515, which segregates two private networks from each other and the Internet. One of these networks is a DMZ, where all the Internet-exposed hosts reside. The other houses all user workstations and several key production servers, such as SQL. Lately, we have noticed the firewall has become very strained during certain parts of the day, particularly when user Internet traffic is high and the DMZ web/ftp servers are taking a lot of hits. There is a lot of communication between the web servers in the DMZ and the SQL servers "inside." Also, our Exchange server resides in the DMZ, so users are constantly traversing the firewall for email.
Currently, a PIX firewall upgrade is not feasible, but I do have a limited budget at my disposal. My thought is that I could install a new switch and additional NICs into all the servers that must communicate across the firewall, thus creating a non-routed private network that only these servers are aware of and could use for passing data back and forth.
DMZ: 192.168.200.0/24 - Firewall port 1
Inside: 192.168.100.0/24 - Firewall port 2
Internet: Firewall port 3
New: 192.168.105.0/24 - No firewall, routing, just one switch
All of the new NICs in the servers would be assigned a 192.168.105.x address and would plug into this new switch. The desired result is that the firewall only handles traffic to and from the Internet between users and the Exchange server, and a non-routed network exists for server intercommunication.
My question: Is this a feasible solution, and if so, what are the caveats or other considerations? Is it a common practice to do this?