Reducing firewall traffic

Posted on 2003-04-01
Medium Priority
Last Modified: 2010-03-18
Hello!  I have a PIX firewall 515, which segregates two private networks from each other and the Internet.  One of these networks is a DMZ, where all the Internet-exposed hosts reside.  The other houses all user workstations and several key production servers, such as SQL.  Lately, we have noticed the firewall has become very strained during certain parts of the day, particularly when user Internet traffic is high and the DMZ web/ftp servers are taking a lot of hits.  There is a lot of communication between the web servers in the DMZ and the SQL servers "inside."  Also, our Exchange server resides in the DMZ, so users are constantly traversing the firewall for email.

Currently, a PIX firewall upgrade is not feasible, but I do have a limited budget at my disposal.  My thought is that I could install a new switch and additional NICs into all the servers that must communicate across the firewall, thus creating a non-routed private network that only these servers are aware of and could use for passing data back and forth.

DMZ:  -  Firewall port 1
Inside:  -  Firewall port 2
Internet:  Firewall port 3
New:  -  No firewall, routing, just one switch

All of the new NICs in the servers would be assigned a 192.168.105.x address and would plug into this new switch.  The desired result is that the firewall only handles traffic to and from the Internet between users and the Exchange server, and a non-routed network exists for server intercommunication.

My question:  Is this a feasible solution, and if so, what are the caveats or other considerations?  Is it a common practice to do this?

Thank you!
Question by: jm3245
Expert Comment

ID: 8250485
Your concerns are valid, and the 515 is underpowered for what you're asking it to do. It is not common practice to multi-home the servers because what you are doing in essence is turning each server into a firewall. Considering the risks, it's not a good idea.
You could move the Exchange server back into the inside, and set up a mail relay host in the DMZ to forward internet mail to the Exchange server, or just pass SMTP mail from outside to inside. This is actually the most recommended configuration for Exchange.

Expert Comment

ID: 8253569
Are you using some form of proxy server for web surfing? Try putting the proxy server, if you have one, in parallel with the firewall. Of course it will cause security problems, but a huge bandwidth advantage because it won't interact with the PIX. Regarding the email, definitely take it out of the DMZ and put it closest to the clients.

Expert Comment

ID: 8253704
If possible on the PIX, why not do redirection to the servers inside the protected LAN instead of the DMZ?  This way, the users don't have to traverse the firewall for mail and other server services.  Also, this way keeps the servers NATted in a separate LAN from the Internet.  Assign multiple public IPs to the external port of the PIX and route traffic coming to that IP to the appropriate server inside such that a request for X.X.X.X forwards to 192.168.y.y inside.  Not sure if you've tried this or not, but it seems to make more sense than having users go outside for something like e-mail.

My understanding of a DMZ is that, while it is protected, it is not subject to the same rules that LAN nodes would be subject to.
Author Comment

ID: 8254378
OK, lrmoore.  I am going to investigate your suggestion.  I had been reluctant to use an SMTP relay, as I hear from others it is very difficult to get working.  Originally, I wanted to use the front-end server capabilities of Exchange 2000.  But, typical Microsoft, this option is only available with the Enterprise edition, which only seems to be noted in the fine print.

Aside from that, do you really think the email traffic is the culprit here with the 515?  Even following your suggestion, I'll still have the issue of the web servers exchanging information with the SQL servers across the firewall.
Accepted Solution

lrmoore earned 1000 total points
ID: 8254642
You'll take half the load off the PIX by reducing the internal traffic to/from the Exchange server.

You can reduce more traffic, and create a more secure link if you create an IPSEC tunnel between the web server and the PIX, and send all the back-end database traffic through this IPSEC tunnel. The PIX does not have to examine the packets inside the tunnel...
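A constructed PIX OS 6.x configuration fragment, added here as an illustration and not taken from the thread, of the arrangement lrmoore describes: Exchange moved inside with only SMTP published through the PIX, and the DMZ web servers reaching the inside SQL server through a port-specific rule instead of a second NIC on an unfiltered back-end segment. Interface names, security levels, the 203.0.113.0/24 public range and all host addresses are assumptions.

```cisco
! Constructed example (PIX OS 6.x syntax); not the poster's configuration.
! Interface names, security levels and addresses are assumptions.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Exchange now lives inside (192.168.1.25, assumed). Publish only TCP/25 to it
! through a one-to-one static, so Outlook clients no longer cross the PIX.
static (inside,outside) 203.0.113.25 192.168.1.25 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-group outside_in in interface outside

! Web server stays in the DMZ (172.16.1.10, assumed). Identity-NAT the SQL
! server (192.168.1.50, assumed) toward the DMZ and allow only TCP/1433 to it;
! everything else from the DMZ to the inside network is dropped and logged.
static (inside,dmz) 192.168.1.50 192.168.1.50 netmask 255.255.255.255 0 0
access-list dmz_in permit tcp host 172.16.1.10 host 192.168.1.50 eq 1433
access-list dmz_in deny ip any 192.168.1.0 255.255.255.0 log
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz
```

The `deny ... log` line gives a way to spot any DMZ host trying to reach the inside on anything other than the SQL port, which is the visibility a dual-homed back-end switch would have removed.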

Author Comment

ID: 8266016
Thank you!  Moving the Exchange server inside has definitely improved end-user Outlook responsiveness.  Will have to wait and monitor firewall for awhile, but all looks good so far.  IPSec tunneling has been added to the to-do list.
