• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1824
  • Last Modified:

firewall or core switch default gateway

I have several servers connected to my access switches. Those servers are remotely managed by a 3rd vendor. They are in vlan100 with its own subnet 10.10.100.0. Now the third vendor needs to configure with those servers with a gateway. The servers do not need to be accessed by anybody within the internal LAN.
Should I setup a SVI in the core for that vlan100 or should I give the firewall internal interface as the gateway for the servers?
If I give a SVI on my L3 core switch, then anybody can access them (unless I use access list). What are your thoughts? Thanks
0
leblanc
Asked:
leblanc
  • 3
  • 2
3 Solutions
 
ffleismaCommented:
from design perspective, this should be on a DMZ.

place all the servers access by third-party into a DMZ interface of the firewall. the default gateway is on the firewall dmz-interface. this segregates traffic incoming from third, and prevents/limits access only to the DMZ subnet. Also, placing the servers in a DMZ, you can managed the following:

1. who can access externally
2. who can access internally
3. (often forgotten/neglected) which internal the DMZ servers can access, if required.

here are a few articles regarding purpose/reason of creating a DMZ

http://security.stackexchange.com/questions/3667/what-is-the-real-function-and-use-of-a-dmz-on-a-network

http://community.spiceworks.com/topic/314950-who-is-still-using-a-dmz-why

http://www.securityfocus.com/archive/134/437599/30/300/threaded
0
 
leblancAccountingAuthor Commented:
I just learned that those servers are actually surveillance camera and they are all over the building. Let say that put them in the dmz is not an option.
0
 
ffleismaCommented:
can you share why putting them in a DMZ is not an option?

with my current company, we have our CCTV, badge security on a DMZ segment of the network as they are accessed and managed by third-party vendor.
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
pergrCommented:
Generally, a DMZ is a good idea. However, let's take a step back.

You already have them in a VLAN, without default gateway, so generally I believe no one else have access to them - which is what you want with the DMZ.

Now, you do not actually need to configure any default gateway - and I assume the reason was to give the 3rd party remote access.

What you can do instead is to put an interface of the FIREWALL on VLAN 100, and for example give it address 10.10.100.100. Next you configure, at least, SOURCE NAT for access to that VLAN - which means that when the 3rd party access the cameras remotely they will appear to come from 10.10.100.100. Since that IP is within the subnet there is no need for any default gateway.

In addition, the remote access will need either DESTINATION NAT or an IPSEC tunnel. The DESTINATION NAT means the 3rd part hit the public IP of your firewall, and you do NAT to each camera (with a different port for each camera), or you use an IP SEC tunnel to which the 3rd party route the whole 10.10.100.100 subnet and access devices directly. Most likely the IPSEC tunnel is what you plan.

The combanation of IPSEC tunnel and SOURCE NAT will mean that when the third party connects from, for example, soource IP 192.168.123.x when the packet hits VLAN 100 the source IP will have changed to 10.10.100.100, so the camera can respond directly to that address without a default gateway.
0
 
leblancAccountingAuthor Commented:
The devices need to have a default gateway in it. So just keep things simple and for my understanding, is it better to have a default route to the core or to the firewall? Thx

PS. I can always do the DMZ design. But I have to get back to the security group and it will take another 2 to 3 weeks (politics! you know what I mean)
0
 
ffleismaCommented:
if your subnet is part of internal network, then best place to put it is on the core, as by design firewalls should not be doing routing services and should primarily focus of access controls. also, this prevents unnecessary traffic going to the firewall only to reach back to internal LAN.

if security considerations are of high importance, you can do either ACL on the core, or move to a DMZ design as business dictates

hope this helps
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now