Solved

firewall or core switch default gateway

Posted on 2014-03-11
6
1,416 Views
Last Modified: 2014-03-27
I have several servers connected to my access switches. Those servers are remotely managed by a 3rd vendor. They are in vlan100 with its own subnet 10.10.100.0. Now the third vendor needs to configure with those servers with a gateway. The servers do not need to be accessed by anybody within the internal LAN.
Should I setup a SVI in the core for that vlan100 or should I give the firewall internal interface as the gateway for the servers?
If I give a SVI on my L3 core switch, then anybody can access them (unless I use access list). What are your thoughts? Thanks
0
Comment
Question by:leblanc
  • 3
  • 2
6 Comments
 
LVL 9

Assisted Solution

by:ffleisma
ffleisma earned 333 total points
ID: 39922508
from design perspective, this should be on a DMZ.

place all the servers access by third-party into a DMZ interface of the firewall. the default gateway is on the firewall dmz-interface. this segregates traffic incoming from third, and prevents/limits access only to the DMZ subnet. Also, placing the servers in a DMZ, you can managed the following:

1. who can access externally
2. who can access internally
3. (often forgotten/neglected) which internal the DMZ servers can access, if required.

here are a few articles regarding purpose/reason of creating a DMZ

http://security.stackexchange.com/questions/3667/what-is-the-real-function-and-use-of-a-dmz-on-a-network

http://community.spiceworks.com/topic/314950-who-is-still-using-a-dmz-why

http://www.securityfocus.com/archive/134/437599/30/300/threaded
0
 
LVL 1

Author Comment

by:leblanc
ID: 39922529
I just learned that those servers are actually surveillance camera and they are all over the building. Let say that put them in the dmz is not an option.
0
 
LVL 9

Expert Comment

by:ffleisma
ID: 39922550
can you share why putting them in a DMZ is not an option?

with my current company, we have our CCTV, badge security on a DMZ segment of the network as they are accessed and managed by third-party vendor.
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 17

Assisted Solution

by:pergr
pergr earned 167 total points
ID: 39922819
Generally, a DMZ is a good idea. However, let's take a step back.

You already have them in a VLAN, without default gateway, so generally I believe no one else have access to them - which is what you want with the DMZ.

Now, you do not actually need to configure any default gateway - and I assume the reason was to give the 3rd party remote access.

What you can do instead is to put an interface of the FIREWALL on VLAN 100, and for example give it address 10.10.100.100. Next you configure, at least, SOURCE NAT for access to that VLAN - which means that when the 3rd party access the cameras remotely they will appear to come from 10.10.100.100. Since that IP is within the subnet there is no need for any default gateway.

In addition, the remote access will need either DESTINATION NAT or an IPSEC tunnel. The DESTINATION NAT means the 3rd part hit the public IP of your firewall, and you do NAT to each camera (with a different port for each camera), or you use an IP SEC tunnel to which the 3rd party route the whole 10.10.100.100 subnet and access devices directly. Most likely the IPSEC tunnel is what you plan.

The combanation of IPSEC tunnel and SOURCE NAT will mean that when the third party connects from, for example, soource IP 192.168.123.x when the packet hits VLAN 100 the source IP will have changed to 10.10.100.100, so the camera can respond directly to that address without a default gateway.
0
 
LVL 1

Author Comment

by:leblanc
ID: 39923415
The devices need to have a default gateway in it. So just keep things simple and for my understanding, is it better to have a default route to the core or to the firewall? Thx

PS. I can always do the DMZ design. But I have to get back to the security group and it will take another 2 to 3 weeks (politics! you know what I mean)
0
 
LVL 9

Accepted Solution

by:
ffleisma earned 333 total points
ID: 39924339
if your subnet is part of internal network, then best place to put it is on the core, as by design firewalls should not be doing routing services and should primarily focus of access controls. also, this prevents unnecessary traffic going to the firewall only to reach back to internal LAN.

if security considerations are of high importance, you can do either ACL on the core, or move to a DMZ design as business dictates

hope this helps
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

This tutorial will go through the steps required to write a script that will back up the configuration settings of a HP-ProCurve switch. You will need to get the following things to follow this tutorial: Telnet Scripting Tool e.g. TST10.exe …
#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now