Saturday, September 26, 2020

Helpdesk guy needing opinions from more experienced people than me on Network Architecture

Hello r/networking!!

Question:

What are your thoughts on a virtualized pfSense deployed on a production server cluster for inter-VLAN/edge routing?

TLDR:

Discussions are taking place to remove a large part of our network infrastructure and move routing away from core switches/edge router to a virtualized router on our production cluster. I think I need to be against this decision, and am looking for opinions as to whether I am right or wrong in my stance.

Context:

We are a 4 person IT team spread across 2 sites (1 helpdesk/1 Sysadmin at each site). I am the junior person at my site and overheard a conversation between the Sysadmins on replacing our firewalls and edge router and VPN concentrator that will be EOL next year.

I am a helpdesk technician with a BAS in Cybersecurity holding CCNA/Security+ certifications; while my role is helpdesk, I do assist a lot with higher level work at the network/server/security level, so I believe my input does have some influence.

The current school of thought is to implement a pfSense cluster (if this is possible?) to handle the edge routing/VPN. While the thought of placing our production cluster on the edge of our network is unappealing, I do understand this idea as it would mitigate capital costs of purchasing hardware.

However, I am not so onboard with migrating our inter-VLAN routing from Cisco 3850s to the same pfSense routers. The justification for this is that it will "segment our VLANs properly". We are a manufacturing facility with the critical infrastructure consisting of: HMI/PLCs that are offline, an IBM i instance used to support the manufacturing processes (used extensively by most departments), and file servers; so, I believe that there is no need for any network segmentation beyond what the 3850 can offer us.

Performance concerns:

Moving from ASIC routing for LAN traffic to OS routing is a bad move for us IMO; we have dual 10G fiber (not implemented as port channels as far as I know) running from each of our 2 ESXi hosts to the core 3850s which handle everything from iSCSI to backups, so I believe that adding not only every LAN packet, but all external/internal traffic would not be so good for throughput purposes.

Router on a stick would be a downgrade IMO from our current design.

Additionally, since we use iSCSI to the NAS, the loss of our (single) production NAS would be detrimental to our production network as we would have to rebuild the whole infrastructure from backups.

Security concerns:

While I have not found good knowledge about the risks of a virtualized edge router, I think that there is increased potential for compromise since the same hosts that will be running our edge routers will also be running our production environment/Veeam backup servers (pointed towards a different NAS). Also, there is the risk of human error if we accidentally put a VM on the edge vSwitch/VLAN.
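The "accidentally put a VM on the edge vSwitch/VLAN" risk is one that can be turned into a routine check rather than left to vigilance. The following is an added example, not code from the original post or from pfSense or VMware: it audits a constructed inventory snapshot (the kind of VM-to-port-group listing you could export from the hypervisor) against an allow-list of edge port groups, flags any non-router VM attached to them, and confirms the router VMs are actually split across hosts. The port group names, VM names and the inventory itself are assumptions made for the example.

```python
"""Audit a hypervisor inventory for VMs that land on the edge (WAN) network.

Added example, not from the original post. The inventory format is an
assumption: a list of dicts with "name", "host" and "networks" (port group
names), as you might export from vSphere before or after a change window.
"""
from dataclasses import dataclass

# Assumed names for the example: which port groups face the outside, and
# which VMs are the only ones allowed to touch them.
EDGE_PORTGROUPS = {"PG-WAN-Edge", "PG-VPN-Outside"}
ROUTER_VMS = {"pfsense-1", "pfsense-2"}


@dataclass(frozen=True)
class Finding:
    vm: str
    host: str
    portgroup: str
    reason: str


def audit_edge_placement(inventory, edge_portgroups=EDGE_PORTGROUPS,
                         router_vms=ROUTER_VMS):
    """Return a list of Findings for VMs that violate edge-placement rules.

    Rules: only router VMs may sit on an edge port group; every router VM
    must have an edge interface plus at least one inside interface.
    """
    findings = []
    for vm in inventory:
        nets = set(vm["networks"])
        on_edge = nets & edge_portgroups
        if vm["name"] in router_vms:
            if not on_edge:
                findings.append(Finding(vm["name"], vm["host"], "-",
                                        "router VM has no edge interface"))
            if len(nets) < 2:
                findings.append(Finding(vm["name"], vm["host"], "-",
                                        "router VM has fewer than two interfaces"))
        else:
            # Any non-router VM with a leg on the edge network is the
            # human-error case the post worries about.
            for pg in sorted(on_edge):
                findings.append(Finding(vm["name"], vm["host"], pg,
                                        "non-router VM attached to edge port group"))
    return findings


def routers_on_distinct_hosts(inventory, router_vms=ROUTER_VMS):
    """True when every router VM runs on a different host (no single-host HA)."""
    hosts = [vm["host"] for vm in inventory if vm["name"] in router_vms]
    return len(hosts) == len(router_vms) and len(set(hosts)) == len(hosts)


# Constructed sample inventory: two router VMs correctly placed, a backup
# server on the inside only, and one file server mistakenly given an edge NIC.
SAMPLE_INVENTORY = [
    {"name": "pfsense-1", "host": "esxi-01",
     "networks": ["PG-WAN-Edge", "PG-LAN-Transit"]},
    {"name": "pfsense-2", "host": "esxi-02",
     "networks": ["PG-WAN-Edge", "PG-LAN-Transit"]},
    {"name": "veeam-01", "host": "esxi-01", "networks": ["PG-Servers"]},
    {"name": "fileserver-01", "host": "esxi-02",
     "networks": ["PG-Servers", "PG-WAN-Edge"]},
]

if __name__ == "__main__":
    for f in audit_edge_placement(SAMPLE_INVENTORY):
        print(f"{f.vm} on {f.host}: {f.reason} ({f.portgroup})")
    print("routers on distinct hosts:",
          routers_on_distinct_hosts(SAMPLE_INVENTORY))
```

Run against the sample inventory it reports the file server's stray edge interface and confirms the two router VMs are on different hosts; in practice you would feed it a fresh export after every change and treat any finding as a blocker.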

Additionally, Internet traffic will now be traveling across our core switches, which goes against my instincts, unless we utilize our external switches and implement new NICs in the servers (this has not been discussed).

Wrap it up already!!!

Am I wrong to have these concerns?

Should I just leave it to the System Administrators and keep my head down?

Long post I know, thank you if you read all of it; your input is greatly appreciated.
