Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 239
  • Last Modified:

Reducing firewall traffic

Hello!  I have a PIX firewall 515, which segregates two private networks from each other and the Internet.  One of these networks is a DMZ, where all the Internet-exposed hosts reside.  The other houses all user workstations and several key production servers, such as SQL.  Lately, we have noticed the firewall has become very strained during certain parts of the day, particularly when user Internet traffic is high and the DMZ web/ftp servers are taking a lot of hits.  There is a lot of communication between the web servers in the DMZ and the SQL servers "inside."  Also, our Exchange server resides in the DMZ, so users are constantly traversing the firewall for email.

Currently, a PIX firewall upgrade is not feasible, but I do have a limited budget at my disposal.  My thought is that I could install a new switch and additional NIC's, into all the servers that must communicate across the firewall, thus creating a non-routed private network that only these servers are aware of and could use for passing data back and forth.

DMZ:  -  Firewall port 1
Inside:  -  Firewall port 2
Internet:  Firewall port 3
New:  -  No firewall, routing, just one switch

All of the new NIC's in the servers would be assigned a 192.168.105.x address and would plug into this new switch.  The desired result is that the firewall only handles traffic to and from the Internet between users and the Exchange server, and a non-routed network exists for server intercommunication.

My question:  Is this a feasible solution, and if so, what are the caveats or other considerations?  Is it a common practice to do this?

Thank you!
1 Solution
Your concerns are valid, and the 515 underpowered for what you're asking it to do. It is not common practice to multi-home the servers because what you are doing in essence is turning each server into a firewall. Considering the risks, it's not a good idea.
You could move the Exchange server back into the inside, and setup a mail relay host in the DMZ to forward internet mail to the exchange server, or just pass SMTP mail from outside to inside. This is actually the most recommended configuration for Exchange.
are you using some form of proxy server for web surfing, try putting the proxy server if you have one in parallel in the firewall, of course it will cause security problems, but a huge bandwidth advantage because it wont interact with the pix and regarding the email definately take it out of the dmz and put it closiest to the clients.
If possible on the PIX, why not do redirection to the servers inside the protected LAN instead of the DMZ?  This way, the users don't have to traverse the firewall for mail and other server services.  Alos, this way keeps the servers NATted in a separate LAN from the Internet.  Assign multiple public IPs to the external port of the PIX and route traffic coming to that IP to the appropriate server inside such that a request for X.X.X.X forwards to 192.168.y.y inside.  Not sure if you've tried this or not, but it seems to make more sense than having users go outside for something like e-mail.

My understanding of a DMZ is that, while it is protected, it is not subject to the same rules that LAN nodes would be subject to.
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

jm3245Author Commented:
OK, Irmoore.  I am going to investigate your suggestion.  I had been reluctant to use an SMTP relay, as I hear ffrom others it is very difficult to get working.  Originally, I wanted to use the front end server capabilities of Exchange 2000.  But typical Microsoft, this option is only available with the Enterprise edition, which only seems to be noted in the fine print.

Aside from that, do you really think the email traffic is the culprit here with the 515?  Even following your suggestion, I'll still have the issue of the web servers exchanging information with the SQL servers across the firewall.
You'll take half the load off the PIX by reducing the internal traffic to/from the Exchange server.

You can reduce more traffic, and create a more secure link if you create an IPSEC tunnel between the web server and the PIX, and send all the back-end database traffic through this IPSEC tunnel. The PIX does not have to examine the packets inside the tunnel...
jm3245Author Commented:
Thank you!  Moving the Exchange server inside has definitely improved end-user Outlook responsiveness.  Will have to wait and monitor firewall for awhile, but all looks good so far.  IPSec tunneling has been added to the to-do list.

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now