How to best secure a network with many servers you do not control completely, VLAN or firewall on switch?

Posted on 2008-11-05
Last Modified: 2008-11-06
Hello all, we are planning to host servers for our clients and employees, mostly as a favor and not as a core business, and we are in the planning stage of the network part of the infrastructure.

Basically, we would like to use a firewall (Cisco ASA 5510) and switches, but don't want to have one firewall per server. Also, the setup gets more complex because some servers need to be in a domain, but we would like to secure them so that they can speak with the domain but not see other domain members (IP-wise). However, as the servers themselves have users that can manage them completely, a software firewall is out of the question.

So I have two likely scenarios, and one spinoff that is a mix and match of both, and I would love your input as to which products would work well and how to configure this so it's secure, efficient and, if possible, manageable without taking too long to set up a new server ;-)

1) Use different VLANs for each "client" network, with the firewall acting as a router to route between VLANs. I am a bit unfamiliar with a setup with the many VLANs that would need to be created (upwards of 20 eventually) and how that would work on an ASA with 5 interfaces. I imagine a trunk port on the switch and trunking on the ASA, but the docs I found so far have confused me more than helped me. That still causes me a problem for different VLANs that need to be in the same domain, though.

2) Use one VLAN, one subnet, but use port security to dictate which IP can communicate with which IP and on which port. That solves the firewall's problems but makes it more complex to manage the switch, and the switches I'm used to working with (29XX series) mostly do not have this feature. I would need help on which models would work best in this scenario, since more performance will be needed on the switch side than in scenario 1.

3) Though I read this isn't a good idea: a switch split by VLANs but on one subnet, with the DCs and the firewall in all the VLANs. I know a VLAN splits the broadcast domain, thus making it impossible to ping or communicate without routing, but this is sort of the purpose needed. I have no idea, though, whether domain members need to speak to each other for any reason if we do not wish them to be able to.

Any other suggestions are welcome!

Question by:devnull22

14 Comments
LVL 23

Expert Comment

by:that1guy15
ID: 22889156
My suggestion would be to segregate the networks with VLANs like you mentioned in your first idea. You will not be able to do this with the ASA and will need a switch to set up VLANs. If you do not want the VLANs to talk to each other and be completely separated, then you will only need a layer 2 switch. My suggestion would be a 2600 series Cisco switch or an HP ProCurve (a little less expensive).

On the switch you will separate the connected devices into VLANs and then connect the switch to your ASA. The ASA can handle all the routing and you can configure centralized security on it.
LVL 23

Expert Comment

by:that1guy15
ID: 22889160
Sorry, I meant 2960 series Cisco switch.
LVL 1

Author Comment

by:devnull22
ID: 22889461
I agree that the ASA will not be able to do the VLAN itself; my concern was mostly on how to configure the ASA once the switch has, say... 20 VLANs.

My license is as follows:

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 250
WebVPN Peers                 : 2
Advanced Endpoint Assessment : Disabled

This platform has an ASA 5510 Security Plus license.


I just am not sure how to proceed to configure the ASA to route through the 20 or so VLANs I might end up having in scenario 1. =)  That still leaves me with figuring out how to stop "some" servers from seeing each other while seeing the domain (custom app, needs domain, multiple clients using the app in the same domain, which is not something we have control over due to licensing of the app). Separate VLANs here to stop the servers from seeing each other is problematic, and software firewalls are an issue because they could be disabled by the users on the server/station, who need admin access on their stations.

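As an added example (not from the original thread or any of its posters), here is what scenario 1 looks like on an ASA 5510 running 8.x code together with a Catalyst 2960: one 802.1Q trunk carries the domain VLAN and every client VLAN into a single physical ASA port, each VLAN terminates on a subinterface, and an inbound ACL per client interface permits only the domain controller and the Internet. The interface names, the VLAN numbers, the 10.0.x.0/24 addressing (VLAN ID = third octet), the DC at 10.0.10.5 and an outside interface on Ethernet0/0 are all assumptions for illustration.

```cisco
! --- 2960 side: one 802.1Q trunk carries the domain VLAN and every client VLAN to the ASA
interface GigabitEthernet0/1
 description trunk to ASA Ethernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,100,101
 switchport nonegotiate
!
! --- ASA 5510 side: the physical port only carries the trunk; no name, level or address on it
interface Ethernet0/1
 description trunk from hosting switch
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Domain VLAN: the DCs live here at a higher security level than the clients
interface Ethernet0/1.10
 vlan 10
 nameif domain
 security-level 60
 ip address 10.0.10.1 255.255.255.0
!
! One subinterface per client VLAN; all clients share security level 50.
! Subinterface number = VLAN ID = third octet of the subnet, so the labels match.
interface Ethernet0/1.100
 vlan 100
 nameif clientA
 security-level 50
 ip address 10.0.100.1 255.255.255.0
!
interface Ethernet0/1.101
 vlan 101
 nameif clientB
 security-level 50
 ip address 10.0.101.1 255.255.255.0
!
! Per-client inbound policy: reach the DC (assumed 10.0.10.5), never another hosted
! subnet, then anything else (Internet via the outside interface, assumed on Ethernet0/0).
access-list clientA_in extended permit ip 10.0.100.0 255.255.255.0 host 10.0.10.5
access-list clientA_in extended deny   ip 10.0.100.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list clientA_in extended permit ip 10.0.100.0 255.255.255.0 any
access-group clientA_in in interface clientA
!
access-list clientB_in extended permit ip 10.0.101.0 255.255.255.0 host 10.0.10.5
access-list clientB_in extended deny   ip 10.0.101.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list clientB_in extended permit ip 10.0.101.0 255.255.255.0 any
access-group clientB_in in interface clientB
!
! Deliberately absent: "same-security-traffic permit inter-interface".
! Without it the ASA drops clientA<->clientB flows even before the ACLs are consulted.
```

Two points worth checking before relying on this. First, the client subinterfaces share security level 50 and `same-security-traffic permit inter-interface` is left off, so the ASA already refuses client-to-client traffic; the explicit deny of 10.0.0.0/16 is there so the policy survives someone enabling that command later, and it also stops a client from reaching the other DCs or management hosts in the domain VLAN except the one permitted host. Second, adding a client is one subinterface, one ACL and one `access-group` (the "new server" cost the question worries about), and the Security Plus license shown above caps this design at 100 VLANs. All inter-VLAN traffic crosses Ethernet0/1 twice, so the interface-load caveat raised later in the thread applies. Note also that several subnets on a single VLAN (as opposed to several VLANs) give no isolation on their own: any host on that VLAN can assign itself an address in another range, so the separation has to be done on the switch (VLANs or protected ports), not in the addressing plan.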
LVL 2

Assisted Solution

by:jcs5003
jcs5003 earned 375 total points
ID: 22889724
I'm in a similar situation and have been thinking about various solutions. My situation is slightly different, as I have an executive center where each tenant shares the internet connection with every other tenant, so I don't have the domain server communication limitation.

My suggestions are:
1.) VLAN - you can use something as inexpensive as a Cisco 2900XL (found on eBay for $100 or less). Set up a VLAN for each domain and include the clients for each server in that VLAN. Add the interface of the ASA to its own VLAN and make that a multi-VLAN. Add the ASA VLAN to each individual VLAN that needs internet access, respectively.
In this fashion, you can put them all on the same subnet or not... it doesn't matter, as long as the ASA and the servers/clients can communicate on their assigned IP scheme. If you need more ports than the switch you are using supports, you can set up a VTP domain and span the VLAN to additional switches, which makes it rather scalable.

2.) Subnetting - Put everyone in a flat structure (1 VLAN)
Assign Production network 172.16.0.0 255.255.255.0
Employee Network 172.17.0.0 255.255.255.0
Client A Network 172.18.0.0 255.255.255.0
Client B Network 172.19.0.0 255.255.255.0

The caveat in this configuration is that you will need to assign IP addresses for each network to the ASA for internet access, and a DHCP server will be rather useless unless you do reservations or some other MAC-based IP assignment, as the server won't know which client to assign what IP range to.


As far as stopping one server from seeing another: if you VLAN them they will not see each other, and if you subnet them they will not see each other as long as you don't add routes between the subnets.

If you can post a little more detail as to how many servers and clients you will need and what their connection requirements are, I may be able to offer some more advice.
LVL 15

Assisted Solution

by:bkepford
bkepford earned 375 total points
ID: 22889927
LVL 23

Expert Comment

by:that1guy15
ID: 22890576
Generally you should be fine sending 20 VLANs through your ASA, but if you have a large amount of traffic on each VLAN then you might overload the interface.

"Separate VLANs here to stop the servers from seeing each other is problematic"
The ASA will be able to route traffic between VLANs if you want specific VLANs to communicate with each other.

LVL 2

Expert Comment

by:jcs5003
ID: 22890754
If you used a protected port, you would have to route at Layer 3 any data you want between it and any other protected port. Enabling protection on a port restricts it from sending any data at all at Layer 2. I could see this becoming annoying and difficult to maintain.
LVL 15

Expert Comment

by:bkepford
ID: 22890948
Protected ports are exactly what he is looking for.
Your client PC cannot see, smell or touch the other networks, but you don't protect the domain controller, so all clients can see the DC but not each other.
It is one command per switch port (how is that hard?).
Configuring 20 different VLANs is much harder to maintain.
Just to be clear, this is exactly how hosting companies do their networks (except they have fancier setups with private VLANs sometimes and promiscuous ports).
LVL 2

Expert Comment

by:jcs5003
ID: 22891005
Reread the statement:
If you used a protected port, you would have to route at Layer 3 any data you want between it and any other protected port.
Span that across a few switches, combine with routes for "special" reasons (which would require additional hardware).

Quote
"Just to be clear this is exactly how hosting companies do their networks (except they have fancier setups with private VLANs sometimes and promiscuous ports)"
/Quote

Except they do it with VLANs... that's what I'm talking about doing.
LVL 15

Expert Comment

by:bkepford
ID: 22891228
That's fine, he can use VLANs if he doesn't want to use protected ports. I'm telling you it is industry standard, that is all I'm saying. This requires a managed switch, which the poster may not have. But this is such a common solution that it is supported by most vendors.
LVL 15

Expert Comment

by:bkepford
ID: 22891242
PS: the point of using protected ports is that one port on the same subnet needs to see common ports but not other hosts. So there is no reason to route between them, because that would defeat the whole point, which is that they don't talk.
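Added example, not posted by bkepford or anyone else in the thread: the protected-port version of scenario 2 on a Catalyst 2960. Every host sits in one VLAN and one subnet; the client ports are marked protected, while the port to the domain controller and the uplink to the ASA are left unprotected so every client can reach both. The port numbers, VLAN 10 and where the DC and ASA are plugged in are assumptions.

```cisco
! Catalyst 2960: everything in VLAN 10 / one subnet; client ports are isolated from each other
vlan 10
 name hosted-10.0.10.0
!
interface range FastEthernet0/1 - 20
 description hosted client servers (protected: no L2 traffic to other protected ports)
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/23
 description domain controller (unprotected: every client port can reach it)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet0/1
 description uplink to ASA inside interface (unprotected: default gateway for all)
 switchport mode access
 switchport access vlan 10
!
! Check one client port; the line "Protected: true" confirms isolation is on
! show interfaces FastEthernet0/1 switchport | include Protected
```

Two protected ports exchange no frames at all, unicast, broadcast or ARP included, so a client cannot even resolve its neighbour's MAC address; traffic to the unprotected DC and ASA ports is unaffected, which is why the domain and the Internet keep working. The two caveats a practitioner should weigh against the "one command per port" simplicity are these. The feature is local to one switch: a protected port on switch A and a protected port on switch B still talk to each other across an ordinary uplink, so spanning this across several switches needs private VLANs (isolated ports plus a promiscuous port for the DC and firewall), which the 2960 line does not offer; that takes a 3560/3750-class switch. And it is per physical port, so an ESX host with several tenants behind one vmnic is a single protected port and its VMs can still reach each other through the vSwitch, which is the problem the author raises below.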
LVL 1

Author Comment

by:devnull22
ID: 22891406
I might end up using a mix of VLANs and protected ports, but am unsure whether the models of switches we are using so far will suffice, as we had smaller needs up till now.

From which models can I expect protected ports to work, as I cannot compromise features for switching performance?

Another point I failed to mention (as I got briefed more thoroughly after posting) is that we also might end up using ESX 3.5, and protected ports alone won't be able to work since it shares one network card, but it can use 802.1Q to tag packets with VLANs. So my setup just got a bit more complex...

As for my initial question, how would one go about configuring the ASA with many VLANs, as I am used to using the physical interfaces, but not VLANs...

Secondly, has anyone used the same subnet with many VLANs? Even if not recommended, it could amount to the same as protected ports, but would work with ESX.
LVL 23

Accepted Solution

by:that1guy15
that1guy15 earned 750 total points
ID: 22896194
With the ESX server it will work the same way. You will set the vmnic on the ESX server and the port it connects to on the ASA to trunk ports and enable tagging. Then on your ESX server you will add tags to each VM port group to separate them. That is how you allow multiple VLANs through one vmnic.

I had this question about 3 weeks ago when I was establishing multiple VLANs on my ESX. Here is my post for you to reference.
http://www.experts-exchange.com/Software/VMWare/Q_23779088.html


As for subnetting your VLANs, I recommend using different subnets just because when you are dealing with many VLANs it starts getting a little confusing. Label both your VLANs and subnets similarly so you know by one or the other which is which. For example VLAN 100 will be subnet 10.0.100.0 and VLAN 200 will be 10.0.200.0.

Make sense?
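Added example (not from that1guy15's post or the thread he links): the switch side of the trunk toward an ESX 3.5 vmnic, with the VLAN names carrying the subnet as the accepted answer recommends, so VLAN 100 and 10.0.100.0/24 are visibly the same thing from either the switch or the ASA. The port numbers, VLAN IDs, the unused native VLAN 999 and the esxcfg-vswitch lines are assumptions; verify the latter against the host before use.

```cisco
! VLAN names carry the subnet, so VLAN 100 <-> 10.0.100.0/24 is obvious from either side
vlan 10
 name domain-10.0.10.0
vlan 100
 name clientA-10.0.100.0
vlan 101
 name clientB-10.0.101.0
vlan 999
 name unused-native
!
! 2960 port toward the ESX 3.5 vmnic: 802.1Q trunk carrying only the VLANs this host needs
interface GigabitEthernet0/2
 description ESX host vmnic1 (VM traffic, tagged)
 switchport mode trunk
 switchport trunk allowed vlan 10,100,101
 switchport trunk native vlan 999
 switchport nonegotiate
 spanning-tree portfast trunk
!
! On the ESX host each VM port group is tagged with the matching VLAN ID.
! Assumed service-console commands (esxcfg-vswitch on ESX 3.x):
!   esxcfg-vswitch -A clientA vSwitch1
!   esxcfg-vswitch -p clientA -v 100 vSwitch1
!   esxcfg-vswitch -A clientB vSwitch1
!   esxcfg-vswitch -p clientB -v 101 vSwitch1
```

The `allowed vlan` list is the security control here: whoever administers a VM (or the ESX host) can put a port group on any VLAN ID they like, but frames for a VLAN the trunk does not carry are dropped at the switch, so a tenant cannot tag their way into another tenant's network or the domain VLAN beyond what the list permits. `nonegotiate` turns off DTP so the port stays a trunk with exactly that list, and using an otherwise empty VLAN as the native VLAN keeps any untagged frames from landing in a real network. Isolation between the VMs then comes from the ASA, which routes and filters between the subinterfaces that terminate these VLANs.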
LVL 1

Author Comment

by:devnull22
ID: 22896666
Thank you all for your help and comments. I am going to pursue the VLAN option, as dealing with ESX leaves me little choice. I will investigate all options suggested for the rest though, as protected ports sound good for other setups we will eventually have to use.