I'm working on a solution, as a vendor, for an NGFW deployment model with the following interests:
1) East-west traffic inside the server farm, to stop malware lateral movement.
2) User (access layer) to server farm traffic, for policy control, e.g. AV, IPS, etc.
Constraints / Concerns:
1) Currently there is no L4 policy control or firewall in place; the network topology is flat.
2) We don't want to buy a Layer 3 switch for inter-VLAN routing.
3) Internet traffic is managed by another segment and is not to be passed through the proposed NGFW.
Concerns from the vendor/integrator perspective:
1) Application-to-application or app-to-DB-server traffic can best be addressed with an ACL; there is no botnet, malware exploit or spread from server to server per se. The use of IPS and AV inspection will be counter-effective.
Further, the app-to-DB connections carry heavy traffic; the firewall will keep looking at those connections for a long time, holding down memory and CPU and affecting throughput as well.
2) Terminate access to the server farm ONLY at a Layer 3 device (the NGFW) for policy control and NGFW compliance features (IPS, AV).
I'm looking for whether a validated design exists either for or against the above solution. Thanks.
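As an added illustration (not part of the original post and not any vendor's configuration) of the L4 ACL that point 1 of the integrator's concerns argues is sufficient for app-to-DB traffic: an nftables ruleset for a Linux gateway that routes between the application and database VLANs, with a default-deny forward chain, a single allow for the database service port, and logging of everything else. The subnets, the port 3306 and the table name are constructed placeholders.

```nft
# Added example, not the poster's or any vendor's config.
# Assumed: a Linux box is the inter-VLAN gateway for the server farm,
# so server-to-server traffic crosses its forward hook.
define APP_NET = 10.10.20.0/24   # application tier VLAN (constructed)
define DB_NET  = 10.10.30.0/24   # database tier VLAN (constructed)

table inet serverfarm {
    chain forward {
        # default deny: anything not explicitly allowed below is dropped
        type filter hook forward priority 0; policy drop;

        # drop packets that do not belong to a tracked connection
        ct state invalid drop

        # return traffic for connections that were already permitted
        ct state established,related accept

        # app -> db: only new connections to the database service port
        # (3306 is an assumption for a MySQL-style service)
        ip saddr $APP_NET ip daddr $DB_NET tcp dport 3306 ct state new accept

        # everything else between tiers is logged (rate-limited) before the
        # chain policy drops it; the prefix is what a SIEM rule can key on
        limit rate 10/second log prefix "EW-DENY " counter
    }
}
```

Loaded with `nft -f`, this provides the L4 east-west control the flat topology currently lacks, and it does so with plain connection tracking rather than IPS/AV inspection of the heavy app-to-DB flow; the `EW-DENY` log lines are the detection signal for unexpected lateral connections between tiers.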