Solved

Should I connect my backup connection through my firewall (FortiGate) or directly to my switch?

Posted on 2011-02-24
455 Views
Last Modified: 2012-08-13
I now have a backup connection with a provider that is not using any public IPs on their network. They have installed a router at my host location, where my core is located.
I am weighing the pros and cons of going through the firewall (managed by Security) or connecting directly to our core switch (which I manage).

The WAN IP is 172.30 and the LAN IP is 10.10, which is going to connect to my switch. We will be running OSPF area 48591 for the 172. network and 4589 for the 10. network.

I don't see a reason to go through the firewall since there are no public IPs, and would just connect to my switch and NAT... any thoughts would be appreciated... thank you.


 
Question by: mlc1971

Author Comment
by: mlc1971

hello and likewise

Expert Comment
by: torvir

Do you trust that your service provider protects you as well as your own FortiGate does?
I don't think you have all the information from the service provider to really see what's going on in their network.
They probably deliver a service that is as transparent and open as it can be.
So I think that your firewall protects you, even if I don't know your configuration.
And if you use outgoing protection (URL filters, IPS, antivirus, antispam), then there's no question that the firewall should be there.

One thing you want to protect your network from is an internal PC that has a virus/worm/trojan that wants to connect to the outside.
It might do that on certain ports or to specific URLs to get new versions of itself or instructions on what to do.
An outgoing URL filter or IPS can protect you in these cases.
Even if you don't have outgoing protection today, you might want to turn it on in a few minutes when rumors of a new trojan start to spread.
Just one example of why I think you should have a firewall there.

Author Comment
by: mlc1971

Thanks torvir. I see your point and do agree. I was thinking that since it's a private network, in order for those users to get to the Internet they would ultimately have to go through my firewall. You are saying that because I can't/don't see what's on their private network, my remote users could be affected on the backup private network, and there would be no way of knowing until it's too late...

Expert Comment
by: torvir

Yes, that's right. Depending on the solution at the service provider, there could be a worst-case scenario where more customers reside on the same side of the NAT device that you are on, and they could therefore have full access to the private network that the provider gave you.
Don't take for granted that they will protect you if they don't explicitly say so.
Just for fun, you could try the free network scanner at http://www.softperfect.com/ to see if you can reach private networks in ranges near yours.
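The "try to reach the ranges next to yours" check torvir suggests can be scripted rather than clicked through in a GUI scanner. The following is an added example, not code from the thread or from SoftPerfect: it enumerates the same-size prefixes on either side of the prefix the provider assigned to you (assumed here to be 172.30.0.0/24, since the question only says "172.30"), probes a few likely gateway addresses in each with a TCP connect, and reports the neighbouring ranges that answer. The probe ports (22, 23, 80, 443) and the sampled host offsets (.1, .2, .254) are assumptions; change them to suit. Note that a "connection refused" is treated as a positive result: an RST proves another customer's device is reachable across the provider's network just as well as an open port does, and only silence means the range is isolated from you. Run it only from a host on your own backup link, with a route for 172.16.0.0/12 pointing at the provider's router.

```python
"""Reachability check for private ranges adjacent to a provider-assigned WAN prefix."""
import errno
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumption: the provider handed us 172.30.0.0/24 on the WAN side.  The question
# only says "172.30"; replace this with the prefix actually assigned to your link.
OUR_WAN_PREFIX = ipaddress.ip_network("172.30.0.0/24")
RFC1918_172 = ipaddress.ip_network("172.16.0.0/12")

# Assumption: ports a carrier or customer router is likely to answer on.
PROBE_PORTS = (22, 23, 80, 443)


def adjacent_prefixes(ours, count):
    """The `count` same-size prefixes on each side of `ours`, staying inside 172.16/12.

    A provider that hands out consecutive /24s to consecutive customers puts
    their ranges right next to yours, so these are the first places to look.
    """
    ours = ipaddress.ip_network(ours)
    size = ours.num_addresses
    found = []
    for step in range(-count, count + 1):
        if step == 0:
            continue
        base = int(ours.network_address) + step * size
        if not 0 <= base <= 0xFFFFFFFF:
            continue
        candidate = ipaddress.ip_network((base, ours.prefixlen))
        if candidate.subnet_of(RFC1918_172):
            found.append(candidate)
    return found


def sample_hosts(prefix, offsets=(1, 2, 254)):
    """A few addresses inside `prefix` where gateways and routers usually live."""
    prefix = ipaddress.ip_network(prefix)
    return [h for h in (prefix.network_address + o for o in offsets) if h in prefix]


def probe_host(host, ports=PROBE_PORTS, timeout=0.5):
    """True if some TCP stack answers at `host`.

    A completed handshake and a "connection refused" (RST) both prove a host is
    reachable over the backup link; only silence (timeout / no route) counts as no.
    """
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            rc = sock.connect_ex((str(host), port))
            if rc in (0, errno.ECONNREFUSED):
                return True
    return False


def reachable_neighbours(ours=OUR_WAN_PREFIX, count=4, probe=probe_host):
    """Adjacent prefixes in which at least one sampled host answered.

    `probe` is injectable so the logic can be exercised without a live link.
    """
    targets = [(p, h) for p in adjacent_prefixes(ours, count) for h in sample_hosts(p)]
    with ThreadPoolExecutor(max_workers=32) as pool:
        hits = list(pool.map(lambda t: probe(t[1]), targets))
    return sorted({p for (p, _), hit in zip(targets, hits) if hit})


if __name__ == "__main__":
    # Run from a host whose route for 172.16.0.0/12 points at the provider's
    # router on the backup link, and only against your own link.
    found = reachable_neighbours()
    if found:
        print("Other customers' ranges answer from this link; ACL or firewall it:")
        for prefix in found:
            print("  ", prefix)
    else:
        print("No adjacent private ranges answered; the link looks isolated.")
```

If any neighbouring range answers, the provider's network is not isolating customers from each other, and that is the case where terminating the link directly on the core switch without at least an ACL restricting it to your own 47 remote-site prefixes would expose the HQ network.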

Author Comment
by: mlc1971

I am not too familiar with the firewalls. If we go through the firewall, will the NATing be performed on the firewall or on my switch (Cisco 6509)? It doesn't seem like there is much configuring I have to do on my switch (OSPF, ACL); mostly on the firewall that is managed by Security... The provider has indicated they are not NATing... torvir, you have been very helpful and informative.

Expert Comment
by: torvir

The NATing should be done by the firewall, if there should be NATing at all.
I'm beginning to think that I have misunderstood what the backup connection should do.
As you were talking about firewalls, I thought that it was a backup Internet connection.
But I may be wrong. Is it an internal backup connection between two sites?

Author Comment
by: mlc1971

It's a private backup for our 47 remote sites coming back to our HQ... I have a primary with AT&T, and I have New Edge providing my backup on their private network. I am connecting to their router at the field offices with the FE ports on both our routers, with a weighted IP route... They have a router at HQ and I am going to connect to either the firewall or directly to my core switch... I am sorry if I confused you or was not concise.

Accepted Solution
by: torvir (earned 500 total points)

Ok, now I see.
These backup lines are normally considered part of your internal network, and you don't normally use a firewall there.
It's also easier without a firewall, as you run dynamic routing protocols.
There are solutions where you want to protect the datacenter from internal attacks caused by virus outbreaks and such.
Even more common nowadays is to protect database clusters so that only the necessary traffic reaches them.
But if you don't have a firewall between HQ and AT&T, you shouldn't need to consider that on the backup lines.
Sorry if I led you through a longer route than necessary.

Author Comment
by: mlc1971

Thanks again torvir for all your help.