
WAN Config Suggestions

18 years 6 months ago #14896 by drizzle
I have set up a Visio doc of a proposed WAN configuration. I was wondering if some of you security/network gurus could take a look at it and give me any suggestions. I haven't designed a DMZ and WAN connection before, so any advice is appreciated.

Basically, it's a 20Mbit internet connection with a /29 subnet. The firewalls are a Netscreen (internet) and a WatchGuard (VPN). The L2 switch is a Cisco 3500 and the core L3 is a 6509.

I think I should propose a 2621 between the two switches and let that do the routing instead of the 6500.

Any suggestions are appreciated. The file is in PDF format.

www.halfloaded.com/media/Gateway%20Firew...0DMS%20and%20VPN.pdf

Thanks!

Drew
18 years 6 months ago #14898 by d_jabsd
Replied by d_jabsd on topic Re: WAN Config Suggestions
Performance-wise, it would be better to carve out a vlan on the 3500 to replace internet hub. From a security perspective, you are safe as long as you are unable to access the switch from that external vlan.

I would not put a 2621 in front of the 6509 either. A 6509 with a route processor is a far better router than 2621...

Do you really need both firewalls? Either should be able to firewall and run the VPN server at the same time without an issue, negating the need for the second device.

You could also sell both of those firewalls and replace them with a PIX FW module for the 6509. This would be the highest performing option without sacrificing security... as long as it was properly configured.

Physical layout doesn't really matter much as long as the configuration is secure.
18 years 6 months ago #14901 by drizzle
Replied by drizzle on topic Re: WAN Config Suggestions
Thanks for the advice!

The main purpose for the setup is the separation of traffic and functions. The 6509 has about 40 L2 switches connected to it serving about 1200 users. Seeing as misconfiguration is almost always the cause of security breaches, I am trying to keep that from occurring by separating functions and using layers of defense instead of relying on one device.

I am not a CCIE so I don't feel comfortable configuring a 6509 that has a direct external connection as well as direct connections to servers and clients.

I am also dealing with other admins that feel their way is right, so I am trying to get a solid design I can take to them so we can move forward.

I do like the idea of replacing the external hub with a switch. (I have extra switches).

Eventually, I plan on placing Snort sensors on each side of the firewalls and using a diff to compare the traffic to help spot misconfigurations or security breaches. I don't know that the model you suggested would allow me to easily do that.
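The "sensor on each side of the firewall, then diff the traffic" idea above can be reduced to a small offline check. The script below is an added example and is not code from this thread or from any of the products it mentions. It assumes each sensor exports a one-line-per-flow summary in a constructed `src dst proto dport` format and that the intended firewall policy can be written as a list of permitted destination networks and ports; addresses, the `POLICY` list and the sample flow lines are all constructed for illustration. It flags two classes of discrepancy: flows that reached the inside sensor although the policy says they should have been blocked (a likely firewall misconfiguration), and permitted flows seen outside that never appeared inside (possibly a rule that is tighter than intended, or simply a dropped connection).

```python
"""Diff flow summaries from an outside and an inside sensor against the
intended firewall policy to surface likely misconfigurations.

All addresses, the policy and the sensor lines are constructed sample data.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Intended inbound policy (constructed): what the firewall SHOULD let through.
# Each entry is (destination network, protocol, destination port).
POLICY = [
    (ipaddress.ip_network("192.0.2.8/29"), "tcp", 80),
    (ipaddress.ip_network("192.0.2.8/29"), "tcp", 443),
]

# Constructed sensor output. Format per line: "src dst proto dport".
OUTSIDE_SENSOR = """
# seen on the internet-facing side of the firewall
198.51.100.7  192.0.2.10  tcp 80
198.51.100.7  192.0.2.10  tcp 443
203.0.113.5   192.0.2.11  tcp 23
203.0.113.9   192.0.2.12  tcp 3389
"""

INSIDE_SENSOR = """
# seen on the DMZ side of the firewall
198.51.100.7  192.0.2.10  tcp 80
203.0.113.9   192.0.2.12  tcp 3389
"""


def policy_allows(flow: Flow) -> bool:
    """True if the intended policy permits this flow to cross the firewall."""
    dst = ipaddress.ip_address(flow.dst)
    return any(
        dst in net and flow.proto == proto and flow.dport == port
        for net, proto, port in POLICY
    )


def parse_flows(text: str) -> set:
    """Parse the constructed sensor format into a set of Flow records."""
    flows = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.add(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def _order(flow: Flow):
    return (flow.src, flow.dst, flow.proto, flow.dport)


def diff_sensors(outside: set, inside: set):
    """Return (leaked, unexpected_drops).

    leaked: flows observed inside that the policy says must be blocked.
    unexpected_drops: permitted flows observed outside but never inside.
    """
    leaked = sorted((f for f in inside if not policy_allows(f)), key=_order)
    unexpected_drops = sorted(
        (f for f in outside if policy_allows(f) and f not in inside), key=_order
    )
    return leaked, unexpected_drops


def run_check():
    """Parse both sensors and return the two discrepancy lists."""
    return diff_sensors(parse_flows(OUTSIDE_SENSOR), parse_flows(INSIDE_SENSOR))


if __name__ == "__main__":
    leaked, drops = run_check()
    for f in leaked:
        print(f"POLICY VIOLATION: {f.src} -> {f.dst} {f.proto}/{f.dport} passed the firewall")
    for f in drops:
        print(f"CHECK RULES: permitted {f.src} -> {f.dst} {f.proto}/{f.dport} never seen inside")
```

Two caveats on applying this to a real setup: the comparison assumes the same addresses are visible on both sides, so if the firewall performs NAT the inside records have to be translated back before diffing; and a permitted flow missing on the inside is only a hint, since the firewall may legitimately drop a half-open or malformed connection, so treat the second list as something to review rather than as an alarm.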
18 years 5 months ago #15702 by Fly4High
Replied by Fly4High on topic Re: WAN Config Suggestions
Link down, guy! I can't get the file! Please post the file again!