Scenario: You have a flat layer 2 network with SVI's that don't block east/west traffic between any vlan. You have an upstream firewall that carries your north/south traffic to the internet. Your dev/test/build and corporate networks are inter-mingled. InfoSec says this is bad news, and you need to segment off parts of the network based on business use case. The only catch is you can't use any specific vendor technology or product that would cause a lock in. The ultimate goal is zero trust, where we define policy for every traffic flow and nothing is implicitly trusted.
Given the above scenario, I'm inclined to move the firewall down in the topology to be where the L3 gateways sit. Of course this means scoping massive firewalls based on current bandwidth use and anticipated growth (+/- some buffer in case someone says we need something like SSL decryption). My thought with this is that it doesn't necessarily mean a vendor lock in, because we could rip and replace any firewall vendor and replace it with a different one if we decide we don't like our current one. It solves the immediate business requirements and increases security, telemetry, etc.
Another solution could be to keep the SVI's at the switched level and simply add in access-lists based on Netflow data, but maintaining those may become a headache.
Is there a better way to accomplish this that I'm not thinking of?
No comments:
Post a Comment