[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

firewall or core switch default gateway

Posted on 2014-03-11
6
Medium Priority
?
1,775 Views
Last Modified: 2014-03-27
I have several servers connected to my access switches. Those servers are remotely managed by a 3rd vendor. They are in vlan100 with its own subnet 10.10.100.0. Now the third vendor needs to configure with those servers with a gateway. The servers do not need to be accessed by anybody within the internal LAN.
Should I setup a SVI in the core for that vlan100 or should I give the firewall internal interface as the gateway for the servers?
If I give a SVI on my L3 core switch, then anybody can access them (unless I use access list). What are your thoughts? Thanks
0
Comment
Question by:leblanc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 9

Assisted Solution

by:ffleisma
ffleisma earned 1332 total points
ID: 39922508
from design perspective, this should be on a DMZ.

place all the servers access by third-party into a DMZ interface of the firewall. the default gateway is on the firewall dmz-interface. this segregates traffic incoming from third, and prevents/limits access only to the DMZ subnet. Also, placing the servers in a DMZ, you can managed the following:

1. who can access externally
2. who can access internally
3. (often forgotten/neglected) which internal the DMZ servers can access, if required.

here are a few articles regarding purpose/reason of creating a DMZ

http://security.stackexchange.com/questions/3667/what-is-the-real-function-and-use-of-a-dmz-on-a-network

http://community.spiceworks.com/topic/314950-who-is-still-using-a-dmz-why

http://www.securityfocus.com/archive/134/437599/30/300/threaded
0
 
LVL 1

Author Comment

by:leblanc
ID: 39922529
I just learned that those servers are actually surveillance camera and they are all over the building. Let say that put them in the dmz is not an option.
0
 
LVL 9

Expert Comment

by:ffleisma
ID: 39922550
can you share why putting them in a DMZ is not an option?

with my current company, we have our CCTV, badge security on a DMZ segment of the network as they are accessed and managed by third-party vendor.
0
Simplify Your Workload with One Tool

How do you combat today’s intelligent hacker while managing multiple domains and platforms? By simplifying your workload with one tool. With Lunarpages hosting through Plesk Onyx, you can:

Automate SSL generation and installation with two clicks
Experience total server control

 
LVL 17

Assisted Solution

by:pergr
pergr earned 668 total points
ID: 39922819
Generally, a DMZ is a good idea. However, let's take a step back.

You already have them in a VLAN, without default gateway, so generally I believe no one else have access to them - which is what you want with the DMZ.

Now, you do not actually need to configure any default gateway - and I assume the reason was to give the 3rd party remote access.

What you can do instead is to put an interface of the FIREWALL on VLAN 100, and for example give it address 10.10.100.100. Next you configure, at least, SOURCE NAT for access to that VLAN - which means that when the 3rd party access the cameras remotely they will appear to come from 10.10.100.100. Since that IP is within the subnet there is no need for any default gateway.

In addition, the remote access will need either DESTINATION NAT or an IPSEC tunnel. The DESTINATION NAT means the 3rd part hit the public IP of your firewall, and you do NAT to each camera (with a different port for each camera), or you use an IP SEC tunnel to which the 3rd party route the whole 10.10.100.100 subnet and access devices directly. Most likely the IPSEC tunnel is what you plan.

The combanation of IPSEC tunnel and SOURCE NAT will mean that when the third party connects from, for example, soource IP 192.168.123.x when the packet hits VLAN 100 the source IP will have changed to 10.10.100.100, so the camera can respond directly to that address without a default gateway.
0
 
LVL 1

Author Comment

by:leblanc
ID: 39923415
The devices need to have a default gateway in it. So just keep things simple and for my understanding, is it better to have a default route to the core or to the firewall? Thx

PS. I can always do the DMZ design. But I have to get back to the security group and it will take another 2 to 3 weeks (politics! you know what I mean)
0
 
LVL 9

Accepted Solution

by:
ffleisma earned 1332 total points
ID: 39924339
if your subnet is part of internal network, then best place to put it is on the core, as by design firewalls should not be doing routing services and should primarily focus of access controls. also, this prevents unnecessary traffic going to the firewall only to reach back to internal LAN.

if security considerations are of high importance, you can do either ACL on the core, or move to a DMZ design as business dictates

hope this helps
0

Featured Post

Looking for a new Web Host?

Lunarpages' assortment of hosting products and solutions ensure a perfect fit for anyone looking to get their vision or products to market. Our award winning customer support and 30-day money back guarantee show the pride we take in being the industry's premier MSP.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question