Our Sysadmins are rolling out a server that requires an interface with a publicly routable address on it, accessible from the outside. We've got a /29 from our ISP so I've got the addresses to spare, but I've never designed a DMZ before and I'm interested in people's Best Practices for this kind of thing. I'm told by our sysadmins that they've heard a lot of anecdotal reports that even 1:1 NAT causes a lot of problems with this specific service and they need to be able to put the actual public address on the physical interface of the server.
After bouncing ideas around inside our department, my thought is to take an interface from our ISP distro VLAN on an external switch, and run it through a Virtual Wire on our Palo Alto 3020 firewalls to a null-routed VLAN on our server switch. As diagrammed here.
To my mind, this would give us full visibility into the traffic and ability to block based on all the factors, while still being totally transparent to the service and allowing a public address on the server's physical interface.
Am I crazy here? Is this a terrible idea, will I ruin the internet and accidentally kill kittens with it?
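For reference, the Virtual Wire layout described above, written out as an added PAN-OS CLI sketch (not from the original post or from Palo Alto's documentation). Interface names, zone names, the /29 values and the allowed application are assumed placeholders; the pair of vwire ports sits in-line between the ISP VLAN and the null-routed server VLAN, so nothing on the firewall holds an address in the /29 and the server keeps its public IP with the ISP router as its default gateway.

```text
# Assumed: ethernet1/3 faces the external (ISP distro) switch,
# ethernet1/4 faces the null-routed VLAN on the server switch.
set network interface ethernet ethernet1/3 virtual-wire
set network interface ethernet ethernet1/4 virtual-wire
set network virtual-wire vw-dmz interface1 ethernet1/3 interface2 ethernet1/4

# One zone per side so that every flow is interzone and hits the rulebase
# (interzone traffic is denied by default; the vwire does no NAT or routing).
set zone vw-untrust network virtual-wire ethernet1/3
set zone vw-dmz network virtual-wire ethernet1/4

# Placeholder /29 values: 203.0.113.8/29, server at 203.0.113.10.
set address srv-public ip-netmask 203.0.113.10/32

# Only the published service reaches the server; everything else from the
# outside is dropped by the implicit interzone deny. Replace <app> with the
# App-ID of the service being exposed.
set rulebase security rules allow-public-svc from vw-untrust to vw-dmz \
    source any destination srv-public application <app> \
    service application-default action allow

# Outbound from the server (updates, DNS) gets its own explicit rule
# rather than a blanket allow.
set rulebase security rules dmz-outbound from vw-dmz to vw-untrust \
    source srv-public destination any application [ dns ssl ] \
    service application-default action allow
```

Because the vwire is transparent, the null-routed server VLAN provides only L2 isolation; make sure the external switch port carrying the ISP VLAN and the server VLAN are never bridged anywhere other than through the two firewall ports, or the firewall is silently bypassed.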