I need to discuss a design proposal for a customer looking to deploy new firewalls in effort to support security both externally (Internet) and internally (between users and the data center). I’m hoping for help in support of (or punching holes in) the design.
Below is the proposal, where you see a pair of high-powered 10-Gig firewalls (Cisco ASA 2120s) in-between the campus core and Internet. (The diagram is simplified – in reality, every layer is redundant… the firewalls, Internet routers, etc., are all HA, there’s a DMZ, etc.) This project began as a solution to provide IPS support for internal/intra-DC traffic, but the proposed design/discussion is now positioning this same pair of firewalls as a barrier between the users and the DC/servers as well.
* Simplified, the customer is proposing that they could/should position these new firewalls as a default gateway for the user network. *
I need to get opinions on this – plusses/minuses. My initial thoughts/concerns:
• The core provides connection density, so everything would obviously still need to physically connect through them.
• This would require trunking user VLANs from the core to the ASA pair (correct?) for security policy, and then back through the core to the DC/servers.
    o Are there throughput/switching concerns with this design?
    o Concerns about oversubscription/packet buffering, etc., since all user traffic would be hitting the ASAs (through the core trunk)?
• Architectural/design concerns around single layer points of failure/compromise?
• Is it possible to build out an ASA to support bridged/L2 (“bump in the wire”) operation for certain VLANs, while providing routed operation for other subnets over the same physical connection/interface?
Thank you – hoping for design input, and always welcome references to documentation. I’m not afraid to read.
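The mixed bridged/routed layout asked about in the last bullet, written out as an added illustration (this is not configuration from the original post or from the customer's design). It assumes ASA software 9.7(1) or later, where Integrated Routing and Bridging lets a routed-mode ASA carry bridge groups (BVI) next to ordinary routed interfaces on one physical trunk. All interface names, VLAN IDs, addresses and ACL names are hypothetical.

```cisco
! Added example, not part of the original post. Assumes ASA 9.7(1)+ (IRB support).
! Interface names, VLAN IDs, addresses and ACL names are hypothetical.

! One physical uplink (or port-channel) trunked from the campus core.
interface GigabitEthernet0/1
 no shutdown

! VLAN 10 is carried transparently: the ASA is a bump in the wire and the
! existing core SVI stays the hosts' default gateway.
interface GigabitEthernet0/1.10
 vlan 10
 bridge-group 1
 nameif users-bridged
 security-level 50

! Data-center side of the same bridge group, on a second VLAN of the trunk.
interface GigabitEthernet0/1.110
 vlan 110
 bridge-group 1
 nameif dc-bridged
 security-level 100

! The BVI gives the bridge group an L3 identity in the shared subnet;
! it is not the default gateway for the bridged hosts.
interface BVI1
 nameif inside-bvi
 security-level 50
 ip address 10.10.0.2 255.255.255.0

! VLAN 20 is routed: here the ASA IS the default gateway for the user subnet.
interface GigabitEthernet0/1.20
 vlan 20
 nameif users-routed
 security-level 50
 ip address 10.20.0.1 255.255.255.0

! Routed interface toward the data center, VLAN 200 on the same trunk.
interface GigabitEthernet0/1.200
 vlan 200
 nameif dc-routed
 security-level 100
 ip address 10.200.0.1 255.255.255.0

! Policy from the routed user VLAN into the DC: permit only the services
! that should cross the boundary and log everything else that is dropped.
access-list USERS-TO-DC extended permit tcp 10.20.0.0 255.255.255.0 10.200.0.0 255.255.255.0 eq 443
access-list USERS-TO-DC extended deny ip any any log
access-group USERS-TO-DC in interface users-routed

! Same policy shape for the bridged VLAN; ACLs attach to the bridge-group
! member interface, and both sides share the 10.10.0.0/24 subnet.
access-list BRIDGED-TO-DC extended permit tcp 10.10.0.0 255.255.255.0 host 10.10.0.50 eq 443
access-list BRIDGED-TO-DC extended deny ip any any log
access-group BRIDGED-TO-DC in interface users-bridged
```

Two design points follow directly from this layout. First, in both the bridged and the routed case every user-to-DC flow crosses the core-to-ASA trunk twice (in on the user VLAN, back out on the DC VLAN), so the trunk and the ASA interface capacity, not the core backplane, become the throughput ceiling; that is the oversubscription concern raised in the bullets above, and it argues for sizing the uplink as a port-channel rather than a single 10-Gig link. Second, only the routed VLAN actually moves the users' default gateway onto the ASA; the bridged VLAN keeps the core as gateway, so a VLAN can be migrated from bump-in-the-wire inspection to full routed enforcement later without re-addressing hosts, which is a useful way to stage the change the customer is proposing.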