I'm working on a solution as a vendor on a deployment model for Cisco NGFW with the following interests:
• East-west traffic inside the server farm, to stop malware lateral movement
• User (access layer) to server farm, for policy control, e.g. AV, IPS, etc.
Constraints / Concerns:
• Currently there is no L4 policy control or firewall in place; the network topology is flat.
• Don't want to buy a layer 3 switch for inter-VLAN routing.
• Internet traffic is managed by another segment and is not to be passed through the proposed NGFW.
Concerns from the vendor/integrator perspective:
• Between application-to-application or app-to-DB server, such traffic can be best addressed with an ACL defined at the ACL; no botnet, malware exploits or spread from server to server per se. The use of IPS and AV inspection will be counter-effective.
• Further, the connection between app and DB is heavy traffic; the firewall will be kept looking at those connections for a long time, holding down memory and CPU and affecting throughput as well.
• Terminate access to the server farm ONLY to a layer 3 device (NGFW) for policy control and NGFW compliance features (IPS, AV).
I'm looking for your assistance on whether there exists a Cisco validated design either for or against the above solution. Thanks.