How to best secure a network with many servers you do not control completely, VLAN or firewall on switch?
Posted on 2008-11-05
Hello all, we are planning to host servers for our clients and employees, mostly as a favor and not as a core business, and we are in the planning stage of the network part of the infrastructure.
Basically, we would like to use a firewall (Cisco ASA 5510) and switches, but don't want to have one firewall per server. Also, the setup gets more complex because some servers need to be in a domain, but we would like to secure them so that they can speak with the domain but not see other domain members (IP-wise); and as the servers themselves have users who can manage them completely, a software firewall is out of the question.
So I have two likely scenarios, and one spinoff that is a mix and match of both, and I would love your input as to which products would work well and how to configure this so it's secure, efficient and, if possible, manageable without taking too long to set up a new server ;-)
1) Use different VLANs for each "client" network, with the firewall acting as a router between the VLANs. I am a bit unfamiliar with a setup with the many VLANs that would need to be created (upwards of 20 eventually) and how that would work on an ASA with 5 interfaces. I imagine a trunk port on the switch and trunking on the ASA, but the docs I have found so far have confused me more than helped me. That still causes me a problem for different VLANs that need to be in the same domain, though.
2) Use one VLAN and one subnet, but use port security to dictate which IP can communicate with which IP and on which port. That solves the firewall's problems, but makes it more complex to manage the switch, and the switches I'm used to working with (29xx series) mostly do not have this feature. I would need help on which models would work best in this scenario, since more performance will be needed on the switch side than in scenario 1.
3) Though I read this isn't a good idea: a switch split by VLANs, but on one subnet, with the DCs and the firewall in all the VLANs. I know a VLAN splits the broadcast domain, thus making it impossible to ping or communicate without routing, but this is sort of the purpose needed; I have no idea, though, whether domain members need to speak to each other for any reason, if we do not wish them to be able to.
Any other suggestions are welcome!
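One way to build scenario 1, as an added configuration example that is not part of the original post or of any reply to it: the switch carries every client VLAN to the ASA over one 802.1Q trunk, the ASA terminates each VLAN on a subinterface, and an inbound access list on each client VLAN permits only the domain-controller traffic and drops everything else, so members of the same domain in different VLANs can reach the DCs but not each other. The interface names, VLAN numbers, addresses, DC hosts and switch ports are assumptions; the syntax is ASA 8.x and Catalyst IOS.

```cisco
! ---- Catalyst switch side (Catalyst IOS; ports and VLAN numbers assumed) ----
vlan 10
 name dc-servers
vlan 110
 name client-a
vlan 120
 name client-b
!
! One uplink to the ASA carries every client VLAN as an 802.1Q trunk.
! "switchport trunk encapsulation dot1q" is only accepted on models that also
! support ISL (3550/3560 etc.); on a 2950/2960 leave that line out.
interface GigabitEthernet0/1
 description trunk to ASA Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,110,120
 switchport nonegotiate
!
! A hosted server sits on an access port in its client's VLAN and nothing else.
interface GigabitEthernet0/5
 description client-a server 1
 switchport mode access
 switchport access vlan 110
 spanning-tree portfast
!
! ---- ASA 5510 side (ASA 8.x syntax; addresses assumed) ----
! The physical trunk port has no name or address of its own; only the
! subinterfaces do. Adding a client later means adding one more subinterface
! and one more access list, nothing else on the firewall.
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.10
 vlan 10
 nameif dc
 security-level 80
 ip address 10.0.10.1 255.255.255.0
!
interface Ethernet0/1.110
 vlan 110
 nameif client-a
 security-level 50
 ip address 10.0.110.1 255.255.255.0
!
interface Ethernet0/1.120
 vlan 120
 nameif client-b
 security-level 50
 ip address 10.0.120.1 255.255.255.0
!
! Domain controllers (assumed addresses) and the ports a domain member needs.
object-group network DCS
 network-object host 10.0.10.10
 network-object host 10.0.10.11
!
object-group service AD_TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 135
 port-object eq 389
 port-object eq 445
 port-object eq 464
 port-object eq 636
 port-object eq 3268
 port-object eq 3269
!
object-group service AD_UDP udp
 port-object eq 53
 port-object eq 88
 port-object eq 123
 port-object eq 389
 port-object eq 464
!
! Inbound access list per client VLAN: AD traffic to the DCs, then an explicit
! logged deny, so the VLAN reaches neither the other clients nor anything
! else in the DC VLAN. Port 135 is only the RPC endpoint mapper; pin the
! dynamic RPC range on the DCs and add that range here instead of opening
! "any" towards them.
access-list client-a_in extended permit tcp 10.0.110.0 255.255.255.0 object-group DCS object-group AD_TCP
access-list client-a_in extended permit udp 10.0.110.0 255.255.255.0 object-group DCS object-group AD_UDP
access-list client-a_in extended deny ip any any log
access-group client-a_in in interface client-a
!
access-list client-b_in extended permit tcp 10.0.120.0 255.255.255.0 object-group DCS object-group AD_TCP
access-list client-b_in extended permit udp 10.0.120.0 255.255.255.0 object-group DCS object-group AD_UDP
access-list client-b_in extended deny ip any any log
access-group client-b_in in interface client-b
!
! Leave "same-security-traffic permit inter-interface" unset: without it the
! ASA already drops traffic between two security-level-50 interfaces, so a
! forgotten access list on a new client VLAN still does not expose the others.
```

The ASA is stateful, so the DCs' replies to member-initiated connections pass without a matching rule on the dc interface; anything the DCs initiate towards a client VLAN is allowed by default because dc has the higher security level, which is worth an inbound access list on dc as well if the DCs themselves are not fully trusted.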