Firewall/network design questions/input

I need to discuss a design proposal for a customer looking to deploy new firewalls in an effort to support security both externally (Internet) and internally (between users and the data center). I'm hoping for help in support of (or punching holes in) the design.

Below is the proposal, where you see a pair of high-powered 10-Gig firewalls (Cisco ASA 2120s) in-between the campus core and Internet. (The diagram is simplified – in reality, every layer is redundant… the firewalls, Internet routers, etc., are all HA, there’s a DMZ, etc.)  This project began as a solution to provide IPS support for internal/intra-DC traffic, but the proposed design/discussion is now positioning this same pair of firewalls as a barrier between the users and the DC/servers as well.  

* Simplified, the customer is proposing that they could/should position these new firewalls as a default gateway for the user network. *

I need to get opinions on this – plusses/minuses. My initial thoughts/concerns:

• The core provides connection density, so everything would obviously still need to physically connect through them.
• This would require trunking user VLANs from the core to the ASA pair (correct?) for security policy, and then back through the core to the DC/servers.
• Physical/switching:
  o Are there throughput/switching concerns with this design?
  o Concerns about oversubscription/packet buffering, etc., since all user traffic would be hitting the ASAs (through the core trunk)?
• Architectural/design concerns around single-layer points of failure/compromise?
• Is it possible to build out an ASA to support bridged/L2 ("bump in the wire") operation for certain VLANs, while providing routed operation for other subnets over the same physical connection/interface?
• …?

Thank you – hoping for design input, and always welcome references to documentation. I’m not afraid to read. 

Problem 1. The 2120 only has a total throughput of 3 Gbps.
Problem 2. Firewalls should not be the default gateway; that is left up to the core layer-3 switch or router for a multitude of reasons.
cfan73 (Author) commented:

Thank you for the quick response. My diagram is actually incorrect, in that this customer wasn't needing 10-Gig support to/through the firewalls. (I was thinking of a different customer where we positioned 2130s.) This customer identified the need to support up to 500-Mbps, so the 2110 will be a fit on that level.

That said, their ask was initially to deploy this as a replacement to an inline IPS solution. They have since followed it up with the concept of using it to secure/segment user traffic from their servers, etc., essentially using it for most every traffic flow. Hence, their thought process in essentially making it the default gateway for the workstations.

So, I'm focused on your 2nd noted problem, and would love to be pointed towards as much information/ammunition against deploying firewalls as a default gateway.

Thanks again
Firewalls should be connected to the network through a p2p link/VLAN from the core switch, not on the same network as user PCs. User networks are very "chatty" with ARP, broadcasts, multicast, etc. The firewall does not need to deal with all that.
Also, Cisco firewalls are not routers, and do not behave the same way. It would still be the de facto default gateway for the network, just not for the PC LAN.
Hope that will get you started.

I don't know if ASA can act as both L2 and L3 firewall at the same time. My Palo Alto can. :-)

If there is really a concern about the ASA seeing all broadcast traffic, each VLAN could have an SVI on the core switches, but in a separate VRF. This way the switch sees all of the broadcasts and stuff, but only routed traffic makes it to the ASA. On the downside, the ASA wouldn't see L2 traffic that could be an indication of compromise, so it is a balancing act of how much traffic you want the ASA to handle. You would also need to decide how you want to do route distribution.

I have a similar setup, but with multiple VLANs in a single VRF. This allows me to easily move VLANs around to different zones on the firewall by changing which VRF they are associated with. It is very flexible. I did it because I didn't want to try to send all traffic through the firewall, as I wanted to be able to get bursts of 10-20 Gbps that my switching fabric allowed. My firewalls are not that fast, so the firewall inspects all traffic from clients to servers, for example, but not all client-to-client inter-VLAN traffic, nor server-to-server inter-VLAN traffic. This also helps me to easily route around the firewall if I need to, for example when I need to upgrade or eventually replace it.

I do have some VLANs terminated directly on the firewall (mostly semi to generally untrusted traffic). It is nice to be able to take a port on an access switch, assign it to a L2 VLAN, and have the L3 interface be the firewall for that VLAN.
Pete Long (Technical Consultant) commented:
The return of lrmoore? (lord be praised!)

>If there is really a concern about ASA seeing all broadcast traffic

It's not just that. It's bad design, and I see it everywhere, even in massive networks that are practically household names!

>I don't know if ASA can act as both L2 and L3 firewall at the same time. My Palo Alto can. :-)

I also like Palo Alto. I'm assuming you mean application-layer inspection; if so, then yes.
No, I mean L2 mode called virtual wire, where the Palo Alto acts as a transparent bridge, and regular L3 mode where the firewall interface has an IP address and traffic is routed through it. Both modes allow application inspection and identification, IPS, etc.
Pete Long (Technical Consultant) commented:
In that case then yes. In Cisco speak it's a transparent firewall deployment (or commonly called a "bump in the wire" for us older techs). :)
cfan73 (Author) commented:
All good input so far - thank you.

@Pete Long - the above two responses seemed focused on the broadcast traffic issue, but could you provide any additional info/ammo regarding your comment about this being a "bad design" (although unfortunately common) in general? Is that mostly because we're using a single FW layer vs having isolated pairs for different boundaries/segments of the network?

I'm not afraid to do the reading, so please link to reference docs, etc., as you see fit.

Thanks again

I'll second the voices above. You don't really want to have the default gateway for the network going to the firewall.
Regardless of whether it's UTM or dedicated, the broadcasting has been highlighted; it will also eat away at the processor and degrade concurrency.
You have got a 10-gig device, so I'm assuming it's a fairly large organisation.
All desktop clients will probably be managed; can I assume it's a Microsoft environment? Why not manage access to servers via NPS? So much more control, and traffic not allowed will be stopped a lot sooner and won't put much overhead on the network. You could reduce the overhead more by managing the client-side MS firewall. Don't forget about V-ACLs/ACLs.
The diagram you have says all data goes to the firewall; your firewall will more than likely be sending all the data back out the same port. You're just adding lag, authentication issues, domain registration issues, DB disconnects... It doesn't matter how fast an MMPS your device has, it will eventually get in the way. Another issue I have seen and experienced from Juniper, Cisco and SonicWALL is that the device can just fall over, and that will leave your network down till someone works out why.
Have your core L3 do the work of sending packets; it's designed to do that a lot faster than any of those devices.
Pete Long (Technical Consultant) commented:
>> "bad design" (although unfortunately common) in general?

Yes, firewalls are designed to filter traffic; that's it. They don't have CAM tables etc. Although they support both static and dynamic routing protocols, that's not why they were built. If you had 100 km to commute to work you would not choose a bicycle to do it on; that does not mean there's anything wrong with a bicycle, it was just designed for something else.

Plus, it's easier and cheaper to build resiliency into a network if the core routing is made redundant rather than relying on firewall failover/clustering for LAN redundancy. Ultimately, the more complicated your network becomes, having a simple /30 up to the firewall as a route out becomes really easy to design in, and if you want to put in another firewall somewhere else for a specific purpose (i.e. remote support, or a dedicated service), it's easy because all your traffic is not hamstrung by going to your existing firewall.

I sit in a lot of meetings with "big firms'" system architects, who say things like "Yes, we accept that, but we want stateful inspection between all our VLANs/internal networks, so we can enforce least-privilege access." That's fine, but then you need to split out LAN firewalls and perimeter firewalls. So then I point out that the 250 thousand I quoted for firewalls is now half a million. The decision to move the firewalls to the core (in reality) becomes a financial one, not a technical/good-design one, because the client "thinks" that this meets his/her requirements, when what it really does is halve the bill. Then I do as I'm told, but leave my name off the design paperwork. :)
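To make the design the thread converges on concrete (user VLANs terminate on the core in a VRF, and the firewall only sees a routed point-to-point link per zone, as in the VRF answer above and Pete Long's "simple /30 up to the firewall" comment), here is an added, minimal configuration sketch. It is example config written for this page, not anything posted by the participants or taken from Cisco documentation for this customer. The VRF names, VLAN numbers, interface names and addresses (10.10.0.0/16 users, 10.20.0.0/16 servers, 10.255.0.0/30 and 10.255.0.4/30 for the links, 65000 as the RD ASN) are all assumptions; the ASA's Internet-facing interface, NAT and failover configuration are omitted.

```cisco
! ---- Core L3 switch (IOS, VRF-lite), example config ----
! One VRF per firewall zone. Moving a VLAN to another zone later is a
! one-line change of "ip vrf forwarding" on its SVI (note: IOS clears the
! SVI's IP address when you change the VRF, so re-enter "ip address").
ip vrf USERS
 rd 65000:10
ip vrf SERVERS
 rd 65000:20
!
! User VLANs: ARP/broadcast/multicast stay on the core. User-to-user
! inter-VLAN traffic inside the USERS VRF is routed here in hardware and
! never reaches the ASA.
interface Vlan10
 description Users - building A
 ip vrf forwarding USERS
 ip address 10.10.10.1 255.255.255.0
interface Vlan11
 description Users - building B
 ip vrf forwarding USERS
 ip address 10.10.11.1 255.255.255.0
!
interface Vlan20
 description Data center servers
 ip vrf forwarding SERVERS
 ip address 10.20.1.1 255.255.255.0
!
! Point-to-point /30s to the ASA, one per VRF, carried on a single trunk.
interface Vlan900
 description p2p to ASA - USERS zone
 ip vrf forwarding USERS
 ip address 10.255.0.1 255.255.255.252
interface Vlan901
 description p2p to ASA - SERVERS zone
 ip vrf forwarding SERVERS
 ip address 10.255.0.5 255.255.255.252
!
interface TenGigabitEthernet1/1/1
 description Trunk to ASA - only the p2p VLANs, never the user VLANs
 switchport mode trunk
 switchport trunk allowed vlan 900,901
!
! Each VRF's only exit is the ASA, so USERS -> SERVERS must cross it, while
! the core (not the firewall) remains the default gateway for every host.
ip route vrf USERS   0.0.0.0 0.0.0.0 10.255.0.2
ip route vrf SERVERS 0.0.0.0 0.0.0.0 10.255.0.6

! ---- ASA (routed mode), example config ----
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.900
 vlan 900
 nameif users
 security-level 50
 ip address 10.255.0.2 255.255.255.252
interface GigabitEthernet0/1.901
 vlan 901
 nameif servers
 security-level 80
 ip address 10.255.0.6 255.255.255.252
!
! Static routes back into each VRF via the core's side of the /30.
route users   10.10.0.0 255.255.0.0 10.255.0.1
route servers 10.20.0.0 255.255.0.0 10.255.0.5
!
! Least-privilege policy between zones: users reach servers on 443 only.
access-list USERS_IN extended permit tcp 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0 eq 443
access-list USERS_IN extended deny ip any any
access-group USERS_IN in interface users
```

To check that the path is what you intended, run `show ip route vrf USERS` on the core (the 10.20.0.0/16 destinations must resolve only through the default route to 10.255.0.2, while 10.10.11.0/24 is a connected route) and `traceroute vrf USERS 10.20.1.10` from the core; the first hop should be the ASA's users interface. If a user VLAN is ever trunked to the ASA directly, or a static route for 10.20.0.0/16 is added inside the USERS VRF pointing at the SERVERS SVI, server traffic silently bypasses the firewall, which is the failure mode to watch for when VLANs are moved between VRFs.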


cfan73 (Author) commented:
Thanks for your help!