Multiple DMZs for external connections?

Discussion in 'Cisco' started by kojjy, Oct 5, 2004.

  1. kojjy

    kojjy Guest

    My company has multiple leased lines to external partners. Each one
    terminates on a DMZ formed by a VLAN on a switch, and all traffic
    must pass through a PIX before getting to the company network. There
    are no servers on this DMZ. A new partner is coming onboard soon and
    will have their own leased line and router, but they'll need a file
    server to use to pass files between our systems and theirs.

    The network guys in my company want to put both the new router and
    file server on the existing DMZ. I'm not happy with this as the new
    service is critical and passes sensitive information, and if put on
    the current DMZ I can see a risk of the service being vulnerable to
    attack or snooping from our other partners. We don't control the ACLs
    on all of the other routers, and some are managed by service providers
    who charge for every router config report or change. My preference
    would be a new DMZ for just this new service, or at least
    reconfiguring the current DMZ as a private VLAN and restricting which
    ports can talk to which other ports on the switch so that none of the
    other routers can communicate with the new router or server. The
    network team tell me the PIX has no more interfaces for a new DMZ so
    perhaps the private VLAN is the only way to go.

    Can anyone advise me on how other companies do this, and if my ideas
    are workable or overkill?

    Thanks

    Kojjy
    kojjy, Oct 5, 2004
    #1
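The private-VLAN layout kojjy proposes, as an added example that is not part of the original post or any reply: a Catalyst IOS configuration in which the existing partner routers sit on isolated ports, the new partner router and the file server share a community VLAN, and the PIX sits on the promiscuous port. VLAN numbers, port numbers, names and descriptions are assumed.

```cisco
! Added example, not from the thread. Catalyst IOS private-VLAN syntax
! (3560/3750/4500/6500). VLAN numbers, port numbers and descriptions are
! assumed. IOS running VTP version 1 or 2 only accepts private-VLAN
! commands in VTP transparent mode.
vtp mode transparent
!
! Primary VLAN: the existing partner DMZ subnet. Every host in the
! secondary VLANs below shares this one IP subnet and broadcast domain.
vlan 100
 name partner-dmz-primary
 private-vlan primary
 private-vlan association 101,102
!
! Isolated VLAN for the existing partner routers: each one can reach the
! promiscuous (PIX) port only, never another isolated port and never the
! community VLAN.
vlan 101
 name partner-isolated
 private-vlan isolated
!
! Community VLAN for the new partner: its router and the file server can
! talk to each other and to the PIX, but nothing in VLAN 101 can reach them.
vlan 102
 name newpartner-community
 private-vlan community
!
interface FastEthernet0/1
 description PIX partner-DMZ interface (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
interface FastEthernet0/2
 description existing partner router A (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface FastEthernet0/3
 description existing partner router B (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface FastEthernet0/4
 description new partner router (community)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
interface FastEthernet0/5
 description new partner file server (community)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
```

Check the result with `show vlan private-vlan` and `show interfaces switchport`. Two caveats: a private VLAN only cuts the layer-2 path, so a partner router could still send a frame to the PIX's MAC address carrying the file server's IP address as destination; the isolation then also relies on the PIX refusing to forward a packet back out the interface it arrived on, which PIX 6.x does not do. And everything still shares one subnet and one broadcast domain, so a separate PIX interface, physical or logical, is the cleaner cut where one is available.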

  2. In article <>,
    kojjy <> wrote:
    :My company has multiple leased lines to external partners. Each one
    :terminates on a DMZ formed by a VLAN on a switch, and all traffic
    :must pass through a PIX before getting to the company network.

    :The network guys in my company want to put both the new router and
    :file server on the existing DMZ. I'm not happy with this as the new
    :service is critical and passes sensitive information, and if put on
    :the current DMZ I can see a risk of the service being vulnerable to
    :attack or snooping from our other partners.

    That is a very valid concern. Your other partners might all be
    trustable, but you can't trust that none of their systems will -ever-
    get trojan'd and used to look at the new service. Not unless the
    partners all operate unusually secure networks.

    :The
    :network team tell me the PIX has no more interfaces for a new DMZ so
    :perhaps the private VLAN is the only way to go.

    As you already have a DMZ, and have likely had it for some time, you
    almost certainly have a PIX 515 or higher. The PIX 515 and higher
    all support adding additional -logical- interfaces, where a logical
    interface is a tagged VLAN on a physical port. You may have run out
    of physical interfaces, but you probably haven't run out of logical
    interfaces yet.

    If I am correct, then set the switch port the PIX is connected to to be
    a 'trunk' port rather than an 'access' port, and set the "native" VLAN
    for that port to be the VLAN number of the existing DMZ traffic [this
    will cause that existing traffic to be sent untagged to the PIX
    physical port, where it will be picked up and processed just the way it
    was before, with no configuration change on the PIX.] Then set the new
    leased line to a different VLAN, and set the PIX physical port on the
    switch to allow the VLAN to pass as well. The packets from the new
    leased line will then arrive at the PIX physical interface tagged with
    the VLAN number you assigned. The next step would be to add a new
    'interface' command that indicated that PIX physical interface,
    and indicated the vlan number, and used the appropriate keyword
    to create a logical interface. This will create a pseudo-physical
    interface named 'vlan' followed by the vlan number. You can then
    nameif that pseudo-physical interface to a more meaningful name
    if you desire. You can create an access-list and access-group it
    against that name you assign. The packets that match the given
    VLAN number will be processed through that access-list and will -not-
    be processed through the access-list you associated with the physical
    interface; and vice versa, the untagged packets will not be processed
    through any access-list associated with any vlan interface. You can
    'route' and 'static' and so on against the logical interface... pretty
    much everything -except- trying to set the interface speed.

    If your PIX model and software combination support logical interfaces
    at all, and you have not previously configured any logical interfaces,
    then you will have at least 1 available logical interface
    [in the case of the PIX 506/506E running 6.3(4)]; other models support
    more interfaces, with the exact number supported depending upon the
    model and upon whether you have a Restricted or Unrestricted license.

    --
    vi -- think of it as practice for the ROGUE Olympics!
    Walter Roberson, Oct 5, 2004
    #2
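The trunk plus logical-interface layout Walter describes, as an added example that is not code from the thread: the Catalyst IOS side first, then the PIX 6.3 side. Interface names, VLAN numbers, addresses, security levels and ACL names are all assumed.

```cisco
! Added example, not from the thread. Catalyst IOS section first, then
! PIX 6.3. Interface names, VLAN numbers, addresses and ACL names are
! assumed; adjust to the real DMZ.
!
! --- Switch: the port facing the PIX DMZ interface becomes an 802.1Q
! trunk. VLAN 10 (existing partner DMZ) is the native VLAN, so it still
! reaches the PIX untagged and the PIX config for it does not change.
! VLAN 20 (new partner router + file server) arrives tagged.
interface FastEthernet0/24
 description trunk to PIX ethernet2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
!
interface FastEthernet0/4
 description new partner router
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/5
 description new partner file server
 switchport mode access
 switchport access vlan 20
!
: --- PIX 6.3 (':' is the PIX comment character). ethernet2 is the
: existing DMZ interface (its 'interface ethernet2 100full' line is
: already present); add VLAN 20 as a logical interface on the same port
: and give it its own name and address.
interface ethernet2 100full
interface ethernet2 vlan20 logical
nameif ethernet2 partnerdmz security50
nameif vlan20 newpartner security50
ip address partnerdmz 172.16.10.1 255.255.255.0
ip address newpartner 172.16.20.1 255.255.255.0
:
: Both DMZs sit at the same security level on purpose: PIX 6.x never
: passes traffic between two interfaces of equal security, so the old
: partners cannot reach the new VLAN through the firewall at all,
: whatever the ACLs say.
:
: The new partner needs only the file server, which is on its own VLAN,
: so nothing arriving on 'newpartner' may initiate anything through the
: PIX. Logging the deny makes partner-side scanning visible in syslog.
access-list newpartner_in deny ip any any log
access-group newpartner_in in interface newpartner
:
: Belt and braces on the old DMZ: an explicit, logged deny toward the
: new subnet ahead of whatever the existing partners are already allowed.
access-list partnerdmz_in deny ip any 172.16.20.0 255.255.255.0 log
: ... the existing partnerdmz_in permit entries follow here ...
access-group partnerdmz_in in interface partnerdmz
:
: Inside hosts pull files from the server. PIX 6.x needs a translation
: rule before it will carry inside traffic to a lower-security interface;
: an identity static keeps the inside addresses unchanged.
static (inside,newpartner) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
```

Before touching the switch, run `show version` on the PIX: the licensed "Maximum Interfaces" count has to exceed "Maximum Physical Interfaces" or there is no headroom for a logical interface. Afterwards `show interface` should list vlan20 as up while the ethernet2 counters keep moving for the untagged partner traffic, and `show access-list` hit counts on the two deny lines tell you whether anyone is probing across the boundary. Expect a brief interruption on the existing DMZ when the PIX-facing port flips from access to trunk.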

  3. MC

    MC Guest

    We have a similar setup with partner networks, different in the details,
    but the end result is the same: protection of services.

    We use Checkpoint firewalls and Cisco routers, but the method is the same.

    What we have is two-tier firewalls, but it can be done with one.

    We have one firewall cluster that has the Internet on one side and a DMZ
    network on the other. This DMZ actually consists of layer 3 switching with
    multiple server networks and SSL/load balancing hardware.

    We have a second-tier firewall cluster with the DMZ on one leg, a company
    managed end-to-end Extranet, and another Extranet for customer-provided
    connectivity.

    We have all our services that are externally facing in the DMZ networks,
    either accessed via the Internet or via one of the Extranets.

    We also VLAN-tag traffic on the customer-facing leg that goes to a layer 2
    switch stack where each customer is on a separate VLAN subnet.

    The main idea is that all services are on a protected DMZ, whether accessed
    from the Internet or from one of the Extranets. Access is controlled via
    firewall policies. Also we have routing set up so that any customer cannot
    access another customer subnet, just in case the policy accidentally would
    allow it for some reason.

    MC, Oct 6, 2004
    #3
