Sonicwall NSA Firewall Placement

I'm new to the firewall placement scene and I had a few questions regarding physical network placement.

We need to place a Sonicwall NSA 3500 appliance (gateway av, network av, content filter, firewall, etc) in our network.
Where on the network is a firewall physically placed?  Does it go between the smart jacks and internet router or does it go after (behind) the internet router?  How can we make sure that an efficient and effective method is being utilized in connecting the LAN and WAN to the firewall?  Is there any method of placement that may cause a bottleneck or other issues?

Currently we have the following setup.  Sorry for the amateur doodling.
INTERNET ========>INTERNET ROUTER (cisco 2600)========>4 SWITCHES --------------|
                                                                                                                                    ||                                  |
                                                                                                                                    ||                                  |
Branch 1========>WAN ROUTER (branch router)=======>OLD SONICWALL PRO3060      |
                                          ^    ^                                               |                                                                      |
         Branch 2 <=====||     ||=====> Branch 3                | -------VPN ROUTER-------------------------|
0
Asked by: MightyMikey
2 Solutions
 
Maeros Commented:
You will want to place it at the "perimeter" (the external edge leading to the Internet).  Using your ASCII topology map (Visio takes too long to draw anyways), place it between the INTERNET and INTERNET ROUTER (cisco 2600) or between the INTERNET ROUTER (cisco 2600) and the 4 SWITCHES.  I'd recommend between the INTERNET and INTERNET ROUTER (cisco 2600).

The idea is to have it catch and block things before it has a chance to touch anything (even network hardware - routers and switches can be hacked).  In fact, as far as topology goes, if you keep the SonicWALL PRO3060 you can have a nice and quaint DMZ going between the two SonicWALLS, allowing you to have external-facing services (such as a web server) in the DMZ without jeopardizing your internal network.
0
 
MightyMikey (Author) Commented:
The idea was to replace our current existing firewall since licensing is expiring for it soon, but come to think of it, we are going to launch a webserver soon too.  If we were to replace our current firewall by adding the new one before our internet router, would it still be secure to host websites and email?
0
 
Maeros Commented:
Best practice when it comes to web servers is to "sandwich" them between two firewalls, like so:

{ INTERNET }  ~~~~~~~ FIREWALL---------Web Server----------FIREWALL-------{Internal Network}

The space between the two firewalls is what is known as the DMZ, or the Demilitarized Zone.  In a nutshell, it is a buffer zone where external-facing services (i.e. web) are more easily accessible to the Internet.  In terms of security, the DMZ will isolate the web server from the rest of the internal network so that in the event the web server is ever compromised and/or taken over, the internal network still has protection and isn't completely exposed to further attack (this is due to the second firewall between the web server and the internal network).  Servers in the DMZ will commonly be set in their own subnet/zone, and if a server were to be compromised they still have to break through the second firewall to reach the internal network's subnet/zone.  Traffic inside the internal network will be free to frolic with significantly reduced risk of snooping, poisoning, or general cracking/hacking.
0
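
An added example, not part of the original answers: a small Python audit of a zone rule set for the "sandwich" layout described above, flagging allow rules that let the Internet or a DMZ host reach the internal network. The subnets, rule names and rule format are constructed assumptions (this is not SonicWALL syntax), and each rule is judged on its own without modelling rule order.

```python
import ipaddress

# Constructed addressing plan for the sandwich layout (assumed, not from the thread).
ZONES = {"LAN": ipaddress.ip_network("10.0.0.0/16"),
         "DMZ": ipaddress.ip_network("192.168.50.0/24")}

def zones_of(cidr):
    """Return every zone a rule endpoint can touch; 'any' means 0.0.0.0/0."""
    net = ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    # Anything not fully contained in a known zone also covers Internet space.
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("WAN")
    return hit

def audit(rules):
    """Flag allow rules that defeat DMZ isolation. Each rule is judged alone."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src, dst = zones_of(r["src"]), zones_of(r["dst"])
        if "WAN" in src and "LAN" in dst:
            findings.append((r["name"], "Internet can reach the internal network directly"))
        if "DMZ" in src and "LAN" in dst:
            scope = "any port" if r["port"] == "any" else f"port {r['port']}"
            findings.append((r["name"], f"DMZ host can open connections into the LAN ({scope})"))
    return findings

# Constructed sample rule set.
RULES = [
    {"name": "web-in", "src": "any", "dst": "192.168.50.10/32", "port": 443, "action": "allow"},
    {"name": "lan-to-dmz", "src": "10.0.0.0/16", "dst": "192.168.50.0/24", "port": "any", "action": "allow"},
    {"name": "web-to-db", "src": "192.168.50.10/32", "dst": "10.0.5.20/32", "port": 1433, "action": "allow"},
    {"name": "legacy-rdp", "src": "any", "dst": "10.0.1.15/32", "port": 3389, "action": "allow"},
    {"name": "dmz-deny", "src": "192.168.50.0/24", "dst": "10.0.0.0/16", "port": "any", "action": "deny"},
]

if __name__ == "__main__":
    for name, problem in audit(RULES):
        print(f"{name}: {problem}")
```

The "any" source on legacy-rdp is reported twice because it covers both Internet and DMZ addresses; web-to-db is reported so the pinhole through the inner firewall gets a documented justification.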
 
MightyMikey (Author) Commented:
Thanks again!
0
