TOPIC: WAN Config Suggestions

WAN Config Suggestions 10 years 6 months ago #14896

  • drizzle
I have set up a Visio doc of a proposed WAN configuration. I was wondering if some of you security/network gurus could take a look at it and give me any suggestions. I haven't designed a DMZ and WAN connection before so any advice is appreciated.

Basically, it's a 20Mbit internet connection with a /29 subnet. The firewalls are a Netscreen (internet) and a WatchGuard (VPN). The L2 switch is a Cisco 3500 and the core L3 is a 6509.

I think I should propose a 2621 between the two switches and let that do the routing instead of the 6500.

Any suggestions are appreciated. The file is in PDF format.

http://www.halfloaded.com/media/Gateway%20Firewall%20DMS%20and%20VPN.pdf

Thanks!

Drew

Re: WAN Config Suggestions 10 years 6 months ago #14898

  • d_jabsd
Performance-wise, it would be better to carve out a VLAN on the 3500 to replace the internet hub. From a security perspective, you are safe as long as you are unable to access the switch from that external VLAN.

I would not put a 2621 in front of the 6509 either. A 6509 with a route processor is a far better router than a 2621...

Do you really need both firewalls? Either should be able to firewall and run the VPN server at the same time without an issue, negating the need for the second device.

You could also sell both of those firewalls and replace them with a PIX FW module for the 6509. This would be the highest performing option without sacrificing security... as long as it was properly configured.

Physical layout doesn't really matter much as long as the configuration is secure.

Re: WAN Config Suggestions 10 years 6 months ago #14901

  • drizzle
Thanks for the advice!

The main purpose for the setup is for the separation of traffic and functions. The 6509 has about 40 L2 switches connected to it serving about 1200 users. Seeing as mis-configuration is almost always the cause of security breaches, I am trying to keep that from occurring by separating functions and using layers of defense instead of relying on one device.

I am not a CCIE so I don't feel comfortable configuring a 6509 that has a direct external connection as well as direct connections to servers and clients.

I am also dealing with other admins that feel their way is right so I am trying to get a solid design I can take to them so we can move forward.

I do like the idea of replacing the external hub with a switch. (I have extra switches).

Eventually, I plan on placing Snort sensors on each side of the firewalls and using a diff to compare the traffic to help spot mis-configurations or security breaches. I don't know that the model you suggested would allow me to easily do that.
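Added example, not part of the post above or of the thread: one way to do the two-sensor comparison drizzle describes, assuming both sensors write Snort's "fast" alert format and the firewall rewrites destination addresses (NAT) for inbound traffic. The log lines, SIDs and addresses are constructed, and the function names are hypothetical.

```python
import re

# Snort "fast" alert: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?"
    r"\s+->\s+[\d.]+(?::(?P<dport>\d+))?"
)

# Constructed sample alerts (local-range SIDs, documentation addresses).
OUTSIDE_LOG = """\
08/28-12:00:01.000000  [**] [1:1000001:1] Constructed rule A [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.5:40000 -> 198.51.100.2:445
08/28-12:00:02.000000  [**] [1:1000002:1] Constructed rule B [**] [Priority: 2] {TCP} 203.0.113.9:40100 -> 198.51.100.3:80
"""
INSIDE_LOG = """\
08/28-12:00:02.000100  [**] [1:1000002:1] Constructed rule B [**] [Priority: 2] {TCP} 203.0.113.9:40100 -> 10.0.0.3:80
08/28-12:00:05.000000  [**] [1:1000003:1] Constructed rule C [**] [Priority: 1] {TCP} 10.0.0.50:5555 -> 10.0.0.3:22
"""

def parse_alerts(text):
    """Map a NAT-tolerant flow key to the alert message for each parsable line."""
    alerts = {}
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip blank or non-alert lines
        # The key leaves out destination IP and source port: a NATing firewall
        # may rewrite them, so they would never match across the two sensors.
        key = (m["gid"], m["sid"], m["proto"], m["src"], m["dport"] or "")
        alerts[key] = m["msg"]
    return alerts

def diff_sensors(outside_log, inside_log):
    """Split alerts into those the firewall stopped, let through, or never saw."""
    outside, inside = parse_alerts(outside_log), parse_alerts(inside_log)
    return {
        "blocked": sorted(outside.keys() - inside.keys()),      # expected case
        "passed": sorted(outside.keys() & inside.keys()),       # review the rule set
        "inside_only": sorted(inside.keys() - outside.keys()),  # internal origin
    }

if __name__ == "__main__":
    for bucket, keys in diff_sensors(OUTSIDE_LOG, INSIDE_LOG).items():
        print(bucket, keys)
```

Alerts in the "passed" bucket are the ones to check against the firewall policy; "inside_only" alerts never crossed the outside sensor at all.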

Re: WAN Config Suggestions 10 years 4 months ago #15702

  • Fly4High
Link down guy! I can't get the file! Pls post file again!