Thursday, February 21, 2019

SMB Firewall and VLANS

Hi!

I’m hoping for some advice on a network plan.

A little background:

I’m working for a smaller business where we have about 20 employee computers, 15 IP phones, a couple networked printers, and about 20 servers (mostly testing servers, a couple production servers), all of which run on a flat network.

We’ve determined we need a new firewall to support VPN connectivity and we’d like to take the opportunity to spec the new firewall such that we can segment the flat network that exists today.

We’re thinking the following VLAN setup should meet our needs:

  • Public Server DMZ
  • Remote Access
  • Guest Internet
  • Employee Computers/Printers
  • Servers
  • Voice

Today we have a simple firewall at the Internet edge and a Dell PowerConnect N3048 L3 switch which just functions as an access switch.

A majority of the traffic today already either goes out to the Internet or to a site-to-site VPN that terminates at the firewall. Additionally, we have an AWS environment that we would want to eventually hook into with an always-on VPN, using this firewall.

Option 1:

I believe the simplest option is to use the firewall as the core to do all the routing with a trunk from the firewall to the switch. This is nice because of the central management aspect, the ability to have all VLAN traffic controlled, and the existing switch supports trunking, but from research, the firewall could become a bottleneck if it also has to route and inspect the internal VLAN traffic.

However, I don’t know if this is even really a concern at our scale if the firewall is spec’d large enough.

We are looking at FortiGate firewalls. Which metric(s) of a new firewall should we be looking at when trying to evaluate whether this will be an issue?

Any suggestions on FortiGate firewall models based on my info?

Option 2:

Since we already own an L3 switch, I also considered routing between the Employee, Server and Voice VLANs using that switch and having the other VLANs off the firewall. I would potentially use ACLs to control inter-VLAN access on the switch.

Do ACLs allow the granularity where we could have all employee IPs able to connect to servers over HTTPS and only limited IPs (IT staff) able to connect to servers over RDP/SSH?

I was also hoping to use the firewall’s MAC filtering to prevent clients from changing their IPs, and I believe we will lose this ability if we use the switch to route. If so, is there any way to replicate this behavior at the switch without going with an all-out NAC solution?

Still learning, so always open to any other/better designs or suggestions!

Thanks for the help!
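The switch-ACL question above (all employee hosts to servers on HTTPS, only IT staff on SSH/RDP) comes down to an ordered, first-match, stateless rule list, which this added example models; it is not code from the post, and the VLAN subnets and IT staff addresses are constructed assumptions. It also shows why the MAC-filtering concern matters: every rule here keys on the source IP, so the policy is only as strong as the binding of hosts to those addresses.

```python
import ipaddress

# Constructed addressing for the VLANs named in the post (assumed, not from the post).
EMPLOYEE_NET = ipaddress.ip_network("10.10.0.0/24")   # Employee Computers/Printers VLAN
SERVER_NET = ipaddress.ip_network("10.20.0.0/24")     # Servers VLAN
ANY = ipaddress.ip_network("0.0.0.0/0")
IT_STAFF = [ipaddress.ip_network("10.10.0.10/32"),    # hypothetical IT staff workstations
            ipaddress.ip_network("10.10.0.11/32")]

# Entries: (action, protocol, source networks, destination network, destination ports).
# Applied inbound on the employee VLAN interface. Order matters: a switch ACL is
# evaluated top-down, the first match wins, and anything unmatched hits the implicit deny.
# The switch ACL is stateless, so the server VLAN's reverse direction needs its own rules.
ACL_EMPLOYEE_IN = [
    ("permit", "tcp", IT_STAFF, SERVER_NET, {22, 3389}),  # IT staff only: SSH and RDP
    ("permit", "tcp", [EMPLOYEE_NET], SERVER_NET, {443}),  # every employee host: HTTPS
    ("deny", "ip", [EMPLOYEE_NET], SERVER_NET, None),      # nothing else reaches servers
    ("permit", "ip", [EMPLOYEE_NET], ANY, None),           # Internet / other VLANs as before
]


def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one flow using first-match semantics."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_proto, srcs, dst_net, ports in acl:
        if rule_proto != "ip" and rule_proto != proto:
            continue
        if not any(src in net for net in srcs):
            continue
        if dst not in dst_net:
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL


if __name__ == "__main__":
    for flow in [("tcp", "10.10.0.50", "10.20.0.5", 443),
                 ("tcp", "10.10.0.50", "10.20.0.5", 3389),
                 ("tcp", "10.10.0.10", "10.20.0.5", 3389)]:
        print(flow, "->", evaluate(ACL_EMPLOYEE_IN, *flow))
```

Swapping the first two rules would not change the outcome here, but moving the deny above the permits would silently block everything, which is the usual ordering mistake on first-match ACLs.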
