Switch in front of firewall

I have a rack at a data centre which currently has an ISP RJ45 Internet feed going straight into the external port of the firewall I am using, with approx. 12 public IPs available. I have approx. 5 unused public IPs I want to use on another web-facing server in the same rack. This HAS TO be separate from the first firewall and kit for contractual reasons, so the only way I can think of doing this is putting a racked switch in front of the current firewall, then taking a patch cable from that switch to the existing firewall's external port and another to a second firewall's external port with the new kit behind it. That way I can use the unused public IPs for kit behind the second firewall.

Has anyone any experience of this? I know some might say everything should be behind the firewall, but others I read online say this is fine. Should it be an unmanaged switch for security, or just a normal managed 24-port rack gigabit switch that can be managed remotely and locked down somewhat?

Any constructive input would be appreciated.
tycoot commented:
An unmanaged switch is more than fine for this solution. However, as you said yourself, a managed 24-port switch, locked down or VLANed off, would be the most secure way.

The question really bounces back to you: what do you want to manage? Again, either solution works fine.
tsaico commented:
I have done this when there were multiple tenants sharing a single Internet feed with multiple WAN IPs. I put a basic unmanaged gigabit switch behind the Cisco that Telepacific (the ISP) installed for the bonded T1s, but before the three firewalls on each of the tenants' networks. Each tenant used their own single WAN IP and was segregated at the firewalls. While the ISP did have routes between them, the firewalls were not configured to trust any other IPs, as they were all separate companies that were "renting" the lines from the landlord (the landlord is my client, who in turn pimps me to his tenants).

I originally wanted to merge them into a single firewall with different VLANs to make my life easier, but the separate owners couldn't get their heads wrapped around the concept and wouldn't agree to it. In the end, I just redid their networks to use different subnets, so that eventually we could grow into a single physical network with separate logical ones, but I doubt that day will come.
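The two answers above describe the same topology (ISP hand-off into a small switch, two independent firewalls hanging off it) and mention "locked down or VLANed off" and "not configured to trust any other IPs" without showing what that looks like. The configuration below is an added example, not something posted in the thread, and it is not any participant's actual config. It uses Cisco IOS-style syntax for a Catalyst-class access switch; the interface names, VLAN numbers, management addresses and the monitoring host address are all assumptions. It shows the managed-switch option done the careful way: the ISP port and both firewall external ports share one VLAN, the two firewall ports are protected so they cannot exchange frames with each other directly, every other port is shut, and the switch's own management address lives on a separate VLAN that is never presented on the Internet-facing ports. The weak state this replaces is the factory default: every port in VLAN 1, the management SVI in VLAN 1 and therefore reachable from the ISP side, and Telnet/HTTP management enabled.

```cisco
! Added example, not from the thread. Cisco IOS-style syntax for a Catalyst
! access switch; interface names, VLAN IDs and addresses are assumptions.
!
! VLAN 10 carries the ISP hand-off to both firewalls' external ports.
vlan 10
 name ISP-EDGE
!
! VLAN 99 is management only and is never present on any ISP-facing port.
vlan 99
 name MGMT
!
! VLAN 999 is a parking VLAN for unused ports.
vlan 999
 name PARKING
!
interface GigabitEthernet0/1
 description ISP hand-off (upstream router)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description Firewall 1 external port (existing kit)
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 description Firewall 2 external port (new, contractually separate kit)
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Management port cabled to the inside of firewall 1 (or an out-of-band link),
! so the switch's IP is only reachable from the inside, never from the ISP side.
interface GigabitEthernet0/24
 description Management uplink (inside network)
 switchport mode access
 switchport access vlan 99
 spanning-tree portfast
!
! Every unused port: shut down and parked in a VLAN that goes nowhere.
interface range GigabitEthernet0/4 - 23
 description UNUSED
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface Vlan1
 shutdown
!
interface Vlan99
 description Management SVI (assumed address)
 ip address 192.168.99.2 255.255.255.0
!
ip default-gateway 192.168.99.1
!
! Management plane: SSH only, and only from the monitoring host (assumed address).
ip access-list standard MGMT-HOSTS
 permit host 192.168.99.10
 deny any log
!
no ip http server
no ip http secure-server
ip ssh version 2
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! Don't advertise the switch, or its management details, towards the ISP.
no cdp run
no lldp run
```

Two caveats before copying this. First, `switchport protected` blocks all layer-2 traffic between the two firewall ports, which is exactly what you want for contractually separate kit, but it also means firewall 1 and firewall 2 cannot reach each other's public IPs across the switch even though they sit in the same subnet; that traffic only works if the ISP router proxy-ARPs or otherwise routes it, so if the two sides ever do need to talk, plan for that rather than discovering it later. Second, `ip ssh version 2` needs an RSA host key (`crypto key generate rsa`) and a local user or AAA before the vty lines will accept a session; generate the key from the console before you remove Telnet. With this in place the switch is pingable on 192.168.99.2 from the inside for uptime monitoring, which was the one thing the unmanaged option cannot give you, while nothing on the ISP-facing VLAN can reach the management plane at all.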
exact1 (author) commented:
Hi, thanks.

I was thinking a managed VLAN switch with a fixed IP, just so I can ping it as part of my remote monitoring software for uptime / alerts etc. Then I thought maybe the most secure way would be an unmanaged switch that has no access, so I just rely on the hardware not failing.

As you say, I guess it's down to me. I just have not seen it before and wondered if it was the norm.

exact1 (author) commented:
Thanks as well. Yes, I can see what you did there. I could also use an optional port on the first firewall and flow that to another internal switch / server, but I cannot touch the first firewall.

Are there any switches "designed" just for this? Or is it just an off-the-shelf decision between managed or unmanaged?
tycoot commented:
There aren't any switches to my knowledge designed specifically for this. Your easiest and quickest option is just installing the unmanaged switch.

I can't stress to you enough right now that it's up to you :) I couldn't critique your choice unless this was going into a very sensitive environment, at which point: VLAN, VLAN, VLAN. Cheers!
tsaico commented:
I agree with tycoot; it is really heavily based on admin preference and environment, and there are no specific switches for this purpose. Though, as a side note, I never liked doing a physical firewall behind a physical firewall. Double NATing and having to write the extra rules in both devices can give you headaches down the road, after you have forgotten to document how it was set up or why you used that particular logic.

If you have only yourself to report to, then I would use the optional port and create the VLANs/subnets myself, just because I don't like to hang extra hardware if I do not need it and it is easier to administer. In my case I just had non-technical people I reported to, and the only way I could get across that the networks were not connected was to use separate physical firewalls so they could visualize it.
exact1 (author) commented:
Cheers guys, I will go with an unmanaged switch in front of the firewalls.
