Solved

firewall or core switch default gateway

Posted on 2014-03-11
6
1,563 Views
Last Modified: 2014-03-27
I have several servers connected to my access switches. Those servers are remotely managed by a 3rd vendor. They are in vlan100 with its own subnet 10.10.100.0. Now the third vendor needs to configure with those servers with a gateway. The servers do not need to be accessed by anybody within the internal LAN.
Should I setup a SVI in the core for that vlan100 or should I give the firewall internal interface as the gateway for the servers?
If I give a SVI on my L3 core switch, then anybody can access them (unless I use access list). What are your thoughts? Thanks
0
Comment
Question by:leblanc
  • 3
  • 2
6 Comments
 
LVL 9

Assisted Solution

by:ffleisma
ffleisma earned 333 total points
ID: 39922508
from design perspective, this should be on a DMZ.

place all the servers access by third-party into a DMZ interface of the firewall. the default gateway is on the firewall dmz-interface. this segregates traffic incoming from third, and prevents/limits access only to the DMZ subnet. Also, placing the servers in a DMZ, you can managed the following:

1. who can access externally
2. who can access internally
3. (often forgotten/neglected) which internal the DMZ servers can access, if required.

here are a few articles regarding purpose/reason of creating a DMZ

http://security.stackexchange.com/questions/3667/what-is-the-real-function-and-use-of-a-dmz-on-a-network

http://community.spiceworks.com/topic/314950-who-is-still-using-a-dmz-why

http://www.securityfocus.com/archive/134/437599/30/300/threaded
0
 
LVL 1

Author Comment

by:leblanc
ID: 39922529
I just learned that those servers are actually surveillance camera and they are all over the building. Let say that put them in the dmz is not an option.
0
 
LVL 9

Expert Comment

by:ffleisma
ID: 39922550
can you share why putting them in a DMZ is not an option?

with my current company, we have our CCTV, badge security on a DMZ segment of the network as they are accessed and managed by third-party vendor.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 17

Assisted Solution

by:pergr
pergr earned 167 total points
ID: 39922819
Generally, a DMZ is a good idea. However, let's take a step back.

You already have them in a VLAN, without default gateway, so generally I believe no one else have access to them - which is what you want with the DMZ.

Now, you do not actually need to configure any default gateway - and I assume the reason was to give the 3rd party remote access.

What you can do instead is to put an interface of the FIREWALL on VLAN 100, and for example give it address 10.10.100.100. Next you configure, at least, SOURCE NAT for access to that VLAN - which means that when the 3rd party access the cameras remotely they will appear to come from 10.10.100.100. Since that IP is within the subnet there is no need for any default gateway.

In addition, the remote access will need either DESTINATION NAT or an IPSEC tunnel. The DESTINATION NAT means the 3rd part hit the public IP of your firewall, and you do NAT to each camera (with a different port for each camera), or you use an IP SEC tunnel to which the 3rd party route the whole 10.10.100.100 subnet and access devices directly. Most likely the IPSEC tunnel is what you plan.

The combanation of IPSEC tunnel and SOURCE NAT will mean that when the third party connects from, for example, soource IP 192.168.123.x when the packet hits VLAN 100 the source IP will have changed to 10.10.100.100, so the camera can respond directly to that address without a default gateway.
0
 
LVL 1

Author Comment

by:leblanc
ID: 39923415
The devices need to have a default gateway in it. So just keep things simple and for my understanding, is it better to have a default route to the core or to the firewall? Thx

PS. I can always do the DMZ design. But I have to get back to the security group and it will take another 2 to 3 weeks (politics! you know what I mean)
0
 
LVL 9

Accepted Solution

by:
ffleisma earned 333 total points
ID: 39924339
if your subnet is part of internal network, then best place to put it is on the core, as by design firewalls should not be doing routing services and should primarily focus of access controls. also, this prevents unnecessary traffic going to the firewall only to reach back to internal LAN.

if security considerations are of high importance, you can do either ACL on the core, or move to a DMZ design as business dictates

hope this helps
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Comware OS Simulator and GNS3 5 168
Setup small office network 1 56
Network over eigrp 100 topology ? 3 53
PoE Injector and switch 2 10
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question