Replacing the Central Firewall
ACME Inc. has a data center hosting several large-scale web applications. Their existing data center design uses a traditional enterprise approach:
- The data center is segmented into several security zones (web servers, application servers, database servers, supporting infrastructure);
- Servers belonging to different applications reside within the same security zone, increasing the risk of lateral movement if a web or application server is breached;
- Large layer-2 segments connect all servers in the same security zone, further increasing the risk of cross-protocol attacks;
- All inter-zone traffic is controlled by a pair of central firewalls, which are becoming all but impossible to manage;
- The central firewalls are also becoming a chokepoint, severely limiting the growth of ACME's application infrastructure.
The networking engineers designing ACME's next-generation data center would like to replace the central firewalls with iptables deployed on the application servers, but are reluctant to do so because of the potential security implications.
This document summarizes design challenges sent in by readers of the ipSpace.net blog and discussed in numerous ExpertExpress engagements. It is based on real-life queries and network designs but does not represent an actual customer network. The complete document is available as a downloadable PDF to ipSpace.net subscribers. You can also buy a digital book with all ExpertExpress case studies.
From Packet Filters to Stateful Firewalls
The ACME engineers have to find the optimal mix of traffic filtering solutions that will:
- Satisfy the business-level security requirements of ACME Inc., including potential legal, regulatory and compliance requirements;
- Be easy to scale as the application traffic continues to grow;
- Not require large-scale upgrades when the application traffic reaches a certain limit (which is the case with the existing firewalls).
Effectively, they are looking for a scale-out solution that ensures approximately linear growth with a minimal amount of state, reducing both complexity and processing requirements.
While designing the overall application security architecture, they could use the following tools:
- Packet filters;
- Packet filters with automatic reverse rules;
- Reflexive access lists;
- Transport layer session inspection;
- Application level gateways;
- Web application firewalls.
The case study describes the roles of these tools in a scale-out network security architecture and lists various design options, from WAN edge packet filters combined with VM NIC firewalls to a layered stateful defense.
Compromised security zone = Game Over
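As an added example (not part of the case study or ACME's design), the following iptables-restore ruleset shows what the per-host replacement for the central firewall could look like on one application server: default deny in both directions, stateful reverse rules from the local conntrack table, inbound limited to the web tier, outbound limited to the database tier, and logged drops for everything else, including neighbours in the same layer-2 segment. All addresses and ports are constructed.

```iptables
# Added example (not from the ipSpace.net case study): a per-host iptables
# ruleset for one ACME application server, in iptables-restore format.
# Constructed addresses: web tier 10.10.1.0/24, DB server 10.10.3.10:5432,
# management jump hosts 10.10.9.0/24, application port TCP 8080.
*filter
# Default deny in both directions: the host, not a central box, is the zone boundary.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]

# --- INPUT: who may talk to this application server ---
-A INPUT -i lo -j ACCEPT
# Stateful reverse rules: only the conntrack table on this host holds state,
# so it scales with the number of servers instead of a central firewall.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Application traffic only from the web tier, only to the application port.
-A INPUT -s 10.10.1.0/24 -p tcp --dport 8080 --syn -m conntrack --ctstate NEW -j ACCEPT
# Management access only from the jump-host subnet, rate-limited against brute force.
-A INPUT -s 10.10.9.0/24 -p tcp --dport 22 --syn -m conntrack --ctstate NEW -m limit --limit 10/min --burst 20 -j ACCEPT
# Minimal ICMP for path MTU discovery and troubleshooting.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
# Everything else, including peers in the same layer-2 segment, is logged and dropped.
-A INPUT -j LOG_DROP

# --- OUTPUT: what this server may initiate (limits lateral movement from a compromised host) ---
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the database tier, only the database port.
-A OUTPUT -d 10.10.3.10 -p tcp --dport 5432 -m conntrack --ctstate NEW -j ACCEPT
# DNS and NTP to the supporting-infrastructure zone (constructed 10.10.4.0/24).
-A OUTPUT -d 10.10.4.0/24 -p udp -m multiport --dports 53,123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -d 10.10.4.0/24 -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A OUTPUT -j LOG_DROP

# --- LOG_DROP: rate-limited evidence for the SOC, then drop ---
-A LOG_DROP -m limit --limit 5/min --burst 10 -j LOG --log-prefix "acme-app-drop: " --log-level 4
-A LOG_DROP -j DROP
COMMIT
```

Load it with iptables-restore and roll the same template out to every host in the zone with the web-tier and database addresses substituted per application; the web and database tiers get mirror-image rulesets so that each hop between zones is enforced on both ends.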