Solved

Should I connect my backup connection through my firewall (FortiGate) or directly to my switch?

Posted on 2011-02-24
Last Modified: 2012-08-13
I now have a backup connection with a provider that is not using any public IPs on their network. They have installed a router at my host location where my core is located.
I am weighing the pros and cons of going through the firewall (managed by security) or connecting directly to our core switch (which I manage).

The WAN IP is 172.30 and the LAN IP is 10.10, which is going to connect to my switch. We will be running OSPF area 48591 for the 172. network and 4589 for the 10. network.

I don't see a reason to go through the firewall since there are no public IPs; just connect to my switch and NAT. Any thoughts would be appreciated. Thank you.

Question by: mlc1971

Author Comment

by:mlc1971
ID: 34973698
Hello, and likewise.

Expert Comment

by:torvir
ID: 34974003
Do you trust that your service provider protects you as well as your own FortiGate does?
I don't think you have all the information from the service provider to really see what's going on in their network.
They probably deliver a service that is as transparent and open as it can be.
So I think that your firewall protects you, even if I don't know your configuration.
And if you use outgoing protection (URL filters, IPS, antivirus, antispam), then it's no question that the FW should be there.

One thing you want to protect your network from is an internal PC with a virus/worm/trojan that wants to connect to the outside.
It might do that on certain ports or to specific URLs to get new versions of itself or instructions on what to do.
An outgoing URL filter or IPS can protect you in these cases.
Even if you don't have outgoing protection today, you might want to turn that on in a few minutes when rumors of a new trojan start to spread.
Just one example of why I think you should have a firewall there.

Author Comment

by:mlc1971
ID: 34978825
Thanks torvir. I see your point and do agree. I was thinking that since it's a private network, in order for those users to get to the internet they would ultimately have to go through my firewall. You are saying that because I can't/don't see what's on their private network, my remote users could be affected on the backup private network, and there would be no way of knowing until it's too late...

Expert Comment

by:torvir
ID: 34979386
Yes, that's right. Depending on the solution at the service provider, there could be a worst-case scenario where more customers reside on the same side of the NAT device as you, and they could therefore have full access to the private network that the provider gave you.
Don't take for granted that they will protect you if they don't explicitly say that.
Just for fun you could try the free netscanner at http://www.softperfect.com/ to see if you can reach private networks that are in ranges nearby yours.

Author Comment

by:mlc1971
ID: 34980558
I am not too familiar with the firewalls. If we go through the firewall, will the NATing be performed on the firewall or on my switch (Cisco 6509)? It doesn't seem like there is much configuring I have to do on my switch (OSPF, ACL); mostly on the firewall that is managed by security. The provider has indicated they are not NATing. torvir, you have been very helpful and informative.

Expert Comment

by:torvir
ID: 34981725
The NATing should be done by the firewall, if there should be NATing.
I'm beginning to think that I have misunderstood what the backup connection should do.
As you were talking about firewalls I thought that it was a backup Internet connection.
But I may be wrong. Is it an internal backup connection between two sites?

Author Comment

by:mlc1971
ID: 34982486
It's a private backup for our 47 remote sites coming back to our HQ. I have a primary with AT&T, and I have New Edge providing my backup on their private network. I am connecting to their router at the field offices with the FE ports on both our routers, with a weighted IP route. They have a router at HQ, and I am going to connect to either the firewall or directly to my core switch. I am sorry if I confused you or was not concise.

Accepted Solution

by: torvir (earned 500 total points)
ID: 34983434
OK, now I see.
These backup lines are normally considered part of your internal network, and you don't normally use a FW there.
It's also easier without a FW as you run dynamic routing protocols.
There are solutions where you want to protect the datacenter from internal attacks caused by virus outbreaks and such.
Even more common nowadays is to protect database clusters so that only the necessary traffic reaches them.
But if you don't have a FW between HQ and AT&T, you shouldn't need to consider that on the backup lines.
Sorry if I led you through a longer route than necessary.
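Added example (not from this thread or any participant): a Cisco IOS fragment for the HQ core switch interface that faces the provider's router when the backup link bypasses the firewall. It assumes constructed addressing (10.10.0.0/30 on the link, 10.10.0.0/16 for the remote sites), OSPF process 1 and the area 4589 from the question, and shows the two compensating controls a practitioner would want on such a link: OSPF neighbor authentication and an inbound ACL that only admits the remote-site ranges.

```cisco
! HQ core switch (Catalyst 6509, IOS) - port toward the backup provider's router.
! Addressing below is a constructed example; replace with your own.
interface GigabitEthernet1/1
 description Backup WAN - provider router (not under our control)
 ip address 10.10.0.1 255.255.255.252
 ! Authenticate OSPF so a stray or rogue device on the provider side
 ! cannot form an adjacency and inject routes into HQ.
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE-WITH-STRONG-KEY
 ! Filter inbound traffic since no firewall sits in this path.
 ip access-group BACKUP-WAN-IN in
!
ip access-list extended BACKUP-WAN-IN
 remark keep the routing adjacency working (OSPF is IP protocol 89)
 permit ospf any any
 remark remote field offices (constructed 10.10.0.0/16) to HQ networks
 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 remark anything else arriving from the provider side is dropped and logged
 deny   ip any any log
!
router ospf 1
 router-id 10.10.0.1
 ! Require MD5 authentication for every neighbor in the backup area.
 area 4589 authentication message-digest
 network 10.10.0.0 0.0.255.255 area 4589
 ! Only speak OSPF on the backup link, not on every 10.10 interface.
 passive-interface default
 no passive-interface GigabitEthernet1/1
```

The `deny ... log` entry doubles as a cheap detection point: hits on it show traffic from address ranges you never expected to see on the provider's private network, which is exactly the scenario discussed above.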

Author Comment

by:mlc1971
ID: 34986876
Thanks again torvir for all your help.