firewall or core switch default gateway

I have several servers connected to my access switches. Those servers are remotely managed by a 3rd vendor. They are in vlan100 with its own subnet 10.10.100.0. Now the third vendor needs to configure with those servers with a gateway. The servers do not need to be accessed by anybody within the internal LAN.
Should I setup a SVI in the core for that vlan100 or should I give the firewall internal interface as the gateway for the servers?
If I give a SVI on my L3 core switch, then anybody can access them (unless I use access list). What are your thoughts? Thanks
LVL 1
leblancAccountingAsked:
Who is Participating?
 
ffleismaConnect With a Mentor Senior Network EngineerCommented:
if your subnet is part of internal network, then best place to put it is on the core, as by design firewalls should not be doing routing services and should primarily focus of access controls. also, this prevents unnecessary traffic going to the firewall only to reach back to internal LAN.

if security considerations are of high importance, you can do either ACL on the core, or move to a DMZ design as business dictates

hope this helps
0
 
ffleismaConnect With a Mentor Senior Network EngineerCommented:
from design perspective, this should be on a DMZ.

place all the servers access by third-party into a DMZ interface of the firewall. the default gateway is on the firewall dmz-interface. this segregates traffic incoming from third, and prevents/limits access only to the DMZ subnet. Also, placing the servers in a DMZ, you can managed the following:

1. who can access externally
2. who can access internally
3. (often forgotten/neglected) which internal the DMZ servers can access, if required.

here are a few articles regarding purpose/reason of creating a DMZ

http://security.stackexchange.com/questions/3667/what-is-the-real-function-and-use-of-a-dmz-on-a-network

http://community.spiceworks.com/topic/314950-who-is-still-using-a-dmz-why

http://www.securityfocus.com/archive/134/437599/30/300/threaded
0
 
leblancAccountingAuthor Commented:
I just learned that those servers are actually surveillance camera and they are all over the building. Let say that put them in the dmz is not an option.
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
ffleismaSenior Network EngineerCommented:
can you share why putting them in a DMZ is not an option?

with my current company, we have our CCTV, badge security on a DMZ segment of the network as they are accessed and managed by third-party vendor.
0
 
pergrConnect With a Mentor Commented:
Generally, a DMZ is a good idea. However, let's take a step back.

You already have them in a VLAN, without default gateway, so generally I believe no one else have access to them - which is what you want with the DMZ.

Now, you do not actually need to configure any default gateway - and I assume the reason was to give the 3rd party remote access.

What you can do instead is to put an interface of the FIREWALL on VLAN 100, and for example give it address 10.10.100.100. Next you configure, at least, SOURCE NAT for access to that VLAN - which means that when the 3rd party access the cameras remotely they will appear to come from 10.10.100.100. Since that IP is within the subnet there is no need for any default gateway.

In addition, the remote access will need either DESTINATION NAT or an IPSEC tunnel. The DESTINATION NAT means the 3rd part hit the public IP of your firewall, and you do NAT to each camera (with a different port for each camera), or you use an IP SEC tunnel to which the 3rd party route the whole 10.10.100.100 subnet and access devices directly. Most likely the IPSEC tunnel is what you plan.

The combanation of IPSEC tunnel and SOURCE NAT will mean that when the third party connects from, for example, soource IP 192.168.123.x when the packet hits VLAN 100 the source IP will have changed to 10.10.100.100, so the camera can respond directly to that address without a default gateway.
0
 
leblancAccountingAuthor Commented:
The devices need to have a default gateway in it. So just keep things simple and for my understanding, is it better to have a default route to the core or to the firewall? Thx

PS. I can always do the DMZ design. But I have to get back to the security group and it will take another 2 to 3 weeks (politics! you know what I mean)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.