asad ali
asked on
How to bypass server-to-server communication from NGFW?
I'm working on a solution as a vendor over a deployment model for Cisco NGFW with the following interests:
• east-west traffic inside the server farm, for stopping malware lateral movement
• user (access layer) to server farm, for policy control, e.g. AV, IPS, etc.
Constraints / Concerns:
• Currently there is no L4 policy control or firewall in place; the network topology is flat.
• Don't want to buy a layer 3 switch for inter-VLAN routing.
• Internet traffic is managed by another segment and is not to be passed through the proposed NGFW.
Concerns from vendor integrator perspective:
• Between application-to-application or app-to-DB server, such traffic can be best addressed with an ACL; there is no botnet, malware exploit or spread from server to server per se. The use of IPS and AV inspection will be counter-effective.
• Further, the connection between app and DB is heavy traffic; the firewall will be kept looking at those connections for a long time, holding down memory and CPU and affecting throughput as well.
• Terminate access to the server farm ONLY at the layer 3 device (NGFW) for policy control and NGFW compliance features (IPS, AV).
I'm looking for your assistance on whether there exists a Cisco validated design either for or against the above solution. Thanks.
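As an added illustration of the L4-only control the asker proposes for server-to-server traffic (this is constructed example configuration, not part of the original question or any Experts Exchange answer), the following IOS-style extended ACLs permit only the assumed DB listener port between an assumed app tier and DB tier and log everything else east-west; the subnets, port and VLAN interfaces are placeholder values, and the same allow/deny intent would be expressed as a plain L4 access rule on whichever device ends up routing between the tiers.

```cisco
! Constructed example: app tier 10.10.20.0/24 on VLAN 20, DB tier 10.10.30.0/24 on VLAN 30.
! The DB listener is assumed to be TCP 1433; only that flow is allowed app -> DB.
ip access-list extended APP-TO-DB
 remark app tier may only reach the DB tier on the DB listener port
 permit tcp 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255 eq 1433
 remark any other app -> DB traffic is dropped and logged (lateral-movement signal)
 deny   ip  10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255 log
 remark traffic leaving the server farm (e.g. to users) continues to the NGFW policy
 permit ip any any
!
ip access-list extended DB-TO-APP
 remark the DB tier never initiates sessions to the app tier; only replies to 1433 pass
 permit tcp 10.10.30.0 0.0.0.255 eq 1433 10.10.20.0 0.0.0.255 established
 deny   ip  10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 permit ip any any
!
interface Vlan20
 ip access-group APP-TO-DB in
!
interface Vlan30
 ip access-group DB-TO-APP in
```

The `log` entries on the deny lines give the detection value the asker is after for east-west traffic without subjecting the app-to-DB session itself to IPS/AV inspection.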
Question answered as stated... double VPN, etc.