Tuesday, June 29, 2010

How to implement a Server Farm Firewalling? ASA 5510

We have just finished the first phase of implementing a Server Farm in our Data Center, i.e. all servers in a different VLAN and all users in a separate VLAN. (Actually we have 6 different VLANs for users based on what floor they reside on, but let's just call it a single User VLAN.) We would like to put a firewall in between the Server VLAN and the User VLAN. We have around 80 servers running different applications. We think putting a firewall in between the two VLANs will have a performance hit, since the throughput required between the two VLANs is way too much for a normal firewall to support. What will be the best approach to implement the server farm firewalling? Place a separate hardware firewall like the ASA 5510, or use the FWSM in the Cisco 6500 - what will be the best thing to do?

Tips:

  1. The ASA is typically an edge device (because it can also terminate VPNs), but lately it is not that uncommon to see a multi-context ASA 5580 in the DC. Size the box against the real inter-VLAN load: the ASA 5510 is rated at roughly 300 Mbps of firewall throughput, while the FWSM in a 6500 is rated at about 5 Gbps, so the 5510 is the wrong choice if most of the traffic of 80 servers has to cross it.
  2. The FWSM is what you would typically see in the distribution layer.
Some best practices to follow:
  • KISS principle - if you are adding the tenth VLAN to an FWSM or ASA, you are probably doing something wrong. If your routing table has just blown up, you are not summarizing enough (the address space was allocated badly).
  • Inter-server and inter-user communication (replication, or apps like memcached, DNS traffic) should be designed so that it does not pass through the firewall; consider using private VLANs instead.
  • If separate rule sets are required for different VLANs, use a multiple-context firewall (consider transparent mode if no NAT or routing is needed, so the firewall can be dropped into the VLAN without readdressing anything).
  • You would typically put a firewall in to separate users from the internet and from the servers. Keep that in mind, and police traffic between users and servers only where it is needed.
  • Bottom line - traffic that needs to be fast - switch it, don't route it.
  • If you want some servers to communicate on one VLAN and others not to - use private VLANs.
  • Traffic that needs to be checked against policy (access lists etc.) - route it to the firewall (or use a transparent firewall on that VLAN).
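As an added worked example (this is not from the original post or from the forum it summarizes), the configuration below shows the two tools the tips lean on: private VLANs on the Catalyst so that server-to-server traffic stays switched and unrelated servers are isolated from each other without touching the firewall, and an ASA 5510 in routed, single-context mode hanging off a trunk for the user VLANs, with an explicit access list that polices only user-to-server traffic. All VLAN numbers, addresses, interface names, host roles and ports are assumptions for illustration; the switch side uses standard Catalyst IOS private-VLAN commands and the firewall side standard ASA 8.x syntax.

```cisco
! ==== Catalyst distribution switch (IOS) - assumed VLANs: 10/11 users,
! ==== 20 primary server VLAN, 21 isolated, 22 community ====
! The server VLAN becomes a private VLAN: every server reaches the ASA
! (the promiscuous port) but only "community" members see each other.
vlan 20
 private-vlan primary
 private-vlan association 21,22
vlan 21
 private-vlan isolated
vlan 22
 private-vlan community
!
! Web servers that have no business talking to each other: isolated VLAN 21
interface GigabitEthernet1/0/1
 description web01 (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 20 21
!
! Database pair that replicates to each other: community VLAN 22, so the
! replication traffic is switched and never crosses the firewall
interface GigabitEthernet1/0/2
 description db01 (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 20 22
interface GigabitEthernet1/0/3
 description db02 (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 20 22
!
! Server-side ASA port: promiscuous, mapped to both secondary VLANs
interface GigabitEthernet1/0/23
 description ASA Ethernet0/2 - server side
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 20 21,22
!
! User-side ASA port: 802.1Q trunk carrying only the user VLANs
interface GigabitEthernet1/0/24
 description ASA Ethernet0/1 - user side
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,11
!
! ==== ASA 5510 (routed, single context) ====
! Parent interface of the user trunk carries no addressing itself
interface Ethernet0/1
 no nameif
 no shutdown
interface Ethernet0/1.10
 vlan 10
 nameif users-floor1
 security-level 50
 ip address 10.1.10.1 255.255.255.0
interface Ethernet0/1.11
 vlan 11
 nameif users-floor2
 security-level 50
 ip address 10.1.11.1 255.255.255.0
interface Ethernet0/2
 nameif servers
 security-level 100
 ip address 10.1.20.1 255.255.255.0
 no shutdown
!
! Interfaces with the same security level cannot talk unless this is
! enabled; keep it off so floor-to-floor traffic is never routed here.
no same-security-traffic permit inter-interface
!
! Group the servers by role so the rule set stays short and readable
object-group network WEB_SERVERS
 network-object host 10.1.20.10
 network-object host 10.1.20.11
object-group network DNS_SERVERS
 network-object host 10.1.20.53
object-group network USER_NETS
 network-object 10.1.10.0 255.255.255.0
 network-object 10.1.11.0 255.255.255.0
!
! Lower -> higher security level needs an explicit ACL: permit only the
! published services, deny and log everything else
access-list USERS_IN extended permit tcp object-group USER_NETS object-group WEB_SERVERS eq 443
access-list USERS_IN extended permit udp object-group USER_NETS object-group DNS_SERVERS eq 53
access-list USERS_IN extended deny ip any any log
access-group USERS_IN in interface users-floor1
access-group USERS_IN in interface users-floor2
!
! Higher -> lower is permitted by default on the ASA. Without this ACL a
! compromised server could open connections to every user desktop; the ASA
! is stateful, so replies to user-initiated sessions still pass.
access-list SERVERS_IN extended deny ip any any log
access-group SERVERS_IN in interface servers
```

Two things to check after deploying this: first, that replication between db01 and db02 shows up in the switch counters and not in `show conn` on the ASA, which confirms the private VLAN is doing the isolation work; second, that `show access-list USERS_IN` hit counts grow only on the permit lines during normal use, since a growing deny counter means an application port was missed. If the measured user-to-server load approaches the 5510's rated throughput, the same policy can be moved unchanged onto an FWSM context, which is the route the tips point to for a distribution-layer firewall.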

Below are some of the books that cover related topics:

CCDA self study guide

CCDP - ARCH book.

Citation - This blog post does not reflect original content from the author. Rather, it summarizes content relevant to the topic from different sources on the web. The sources might include online discussion boards, forums, websites and others.
