Wednesday, March 6, 2019

How to handle firewall zones policies across sites

Let's keep this simple with just two sites, connected via simple layer 3 point-to-point to the firewalls at each site.

- Site A is HQ and has Employee and Contractor zones

- Site B is the DC and has Internal and DMZ zones

What zone do you put the point-to-point connection in? A dedicated interconnect zone? Or does each firewall see the interconnect as the "HQ" or "Datacenter" zone respectively?

How do you handle firewall rules between different zones? If I only want to allow the Employee zone in Site A to access the Internal zone in Site B, how would the firewall policies look? On the Site A firewall, I would have to build an Employee->Interconnect policy, and on Site B an Interconnect->Internal policy. But the policy at Site B doesn't distinguish between the Employee and Contractor zones for traffic coming in.

The only alternative is using VRFs and spanning each "zone" across sites, but that seems messy.

Curious how everyone else is solving this.
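The policy problem described above, as an added example that is not part of the original post: a small model of two zone-based firewalls evaluating a flow hop by hop. Addressing per zone and the extra Contractor->Interconnect rule (say, for DMZ access) are assumptions for illustration; the point is that once traffic crosses the point-to-point link, Site B only sees "Interconnect", so its Interconnect->Internal rule admits Contractor traffic too unless it also matches on the Employee source prefix.

```python
import ipaddress

# Constructed sample addressing per zone (assumption, not from the post)
SITE_A_ZONES = {"Employee": "10.1.10.0/24", "Contractor": "10.1.20.0/24"}
SITE_B_ZONES = {"Internal": "10.2.10.0/24", "DMZ": "10.2.20.0/24"}

def zone_of(ip, local_zones):
    """Zone a firewall assigns to an address: a local zone, else the p2p link."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in local_zones.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "Interconnect"

def permitted(rules, src_zone, dst_zone, src_ip):
    """Rules are (src_zone, dst_zone, source prefixes or None); first match wins, default deny."""
    addr = ipaddress.ip_address(src_ip)
    for rule_src, rule_dst, prefixes in rules:
        if rule_src == src_zone and rule_dst == dst_zone:
            if prefixes is None:
                return True
            return any(addr in ipaddress.ip_network(p) for p in prefixes)
    return False

def end_to_end(src_ip, dst_ip, rules_a, rules_b):
    """Flow from Site A to Site B must pass both firewalls."""
    # Site A sees the real source zone; the Site B destination is just "Interconnect"
    if not permitted(rules_a, zone_of(src_ip, SITE_A_ZONES),
                     zone_of(dst_ip, SITE_A_ZONES), src_ip):
        return False
    # Site B sees the source as "Interconnect": the Employee/Contractor distinction is gone
    return permitted(rules_b, zone_of(src_ip, SITE_B_ZONES),
                     zone_of(dst_ip, SITE_B_ZONES), src_ip)

# Site A: Employee and Contractor both need the link (Contractor only for the DMZ, by assumption)
RULES_A = [("Employee", "Interconnect", None), ("Contractor", "Interconnect", None)]

# Site B as described in the post: zone-only rule, cannot tell Employee from Contractor
RULES_B_COARSE = [("Interconnect", "Internal", None), ("Interconnect", "DMZ", None)]

# Site B tightened: the Internal rule additionally matches on the Employee prefix
RULES_B_STRICT = [("Interconnect", "Internal", [SITE_A_ZONES["Employee"]]),
                  ("Interconnect", "DMZ", None)]
```

With the coarse Site B rule a Contractor host reaches Internal because Site A already allows it onto the link; only the prefix-qualified rule (or carrying the zone distinction across the link, e.g. per-zone VRFs) restores the intended policy.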

[Figure: Network Diagram]