Monday, April 20, 2020

Network security in modern data centers; is this a common and/or acceptable design?

I think we're all familiar with the traditional Cisco-approved DMZ design. You have a pair of DMZ L2 switches that trunk multiple VLANs up to an HA pair of edge firewalls. The edge firewalls provide inter-VLAN routing and connect the DMZ VLANs into the main data center fabric. To me, this seems a bit antiquated.

In a modern DC, why not go with a design that looks more like this:

  • Firewalls connect to the DC core using Layer 3 interfaces, relying on either static routing or an IGP such as OSPF.
  • Instead of trunking VLANs up to the firewall, put them into VRFs and align each VRF to a firewall zone; perhaps separate ones for External Internet, Internal LAN, Public Web, Private Web, App/Backend, and Infrastructure (non-user facing).
  • All inter-VRF traffic goes through a firewall, whether that be external user to web, internal user to web, web to app, app to DB, etc. Traffic within a given VRF could be segmented with ACLs in the DC fabric if needed.

This way you're securing not just the public-facing resources but the private ones as well, along with the front-end to back-end traffic between them. You can provision public resources anywhere you want in the DMZ; you can make use of L3 routing protocols; and if you need physical isolation you could still dedicate certain racks and/or physical servers to a single VRF.
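As an added illustration (not part of the original post), here is a small Python audit of the "all inter-VRF traffic transits the firewall" rule: given each zone's VRF, the prefixes it owns and the firewall's L3 interface address in that VRF, it flags any route in a VRF's table that reaches another zone's address space without the firewall as next hop (a leaked route that would bypass the zone policy). Zone names, prefixes and routes are constructed sample values.

```python
"""Audit a VRF-per-zone fabric: every route that leads from one VRF
toward another VRF's address space must point at the firewall."""
import ipaddress
from dataclasses import dataclass

# Constructed sample data (not from a real fabric): zone VRFs, the
# prefixes each owns, and the firewall's L3 interface address in each VRF.
ZONES = {
    "public-web":  {"prefixes": ["10.10.0.0/16"], "fw_hop": "10.10.255.1"},
    "private-web": {"prefixes": ["10.20.0.0/16"], "fw_hop": "10.20.255.1"},
    "app":         {"prefixes": ["10.30.0.0/16"], "fw_hop": "10.30.255.1"},
    "infra":       {"prefixes": ["10.40.0.0/16"], "fw_hop": "10.40.255.1"},
}

@dataclass(frozen=True)
class Route:
    vrf: str        # VRF whose routing table holds the route
    prefix: str     # destination prefix
    next_hop: str   # next-hop address

def owner_of(prefix):
    """Return the zone whose address space contains ``prefix`` (or None)."""
    net = ipaddress.ip_network(prefix)
    for zone, info in ZONES.items():
        if any(net.subnet_of(ipaddress.ip_network(p)) for p in info["prefixes"]):
            return zone
    return None

def audit(routes):
    """Return (vrf, prefix, next_hop) for each route that reaches another
    zone's address space without transiting the firewall."""
    violations = []
    for r in routes:
        dest_zone = owner_of(r.prefix)
        if dest_zone is None or dest_zone == r.vrf:
            continue        # default/external or intra-VRF: not in scope here
        if r.next_hop != ZONES[r.vrf]["fw_hop"]:
            violations.append((r.vrf, r.prefix, r.next_hop))
    return violations

# Constructed routing tables: the app VRF has a leaked route straight to infra.
SAMPLE_ROUTES = [
    Route("public-web", "10.30.0.0/16", "10.10.255.1"),   # web -> app via FW: ok
    Route("app", "10.10.0.0/16", "10.30.255.1"),          # app -> web via FW: ok
    Route("app", "10.40.0.0/24", "10.30.0.254"),          # app -> infra, bypasses FW
    Route("app", "0.0.0.0/0", "10.30.255.1"),             # default via FW: ok
]

if __name__ == "__main__":
    for v in audit(SAMPLE_ROUTES):
        print("LEAK: vrf=%s prefix=%s next-hop=%s" % v)
```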

What do you think? Obviously, if you need to microsegment and secure a lot of east-west traffic, something like ACI or NSX would be a better way to secure your environment, but this seems like it could be a perfectly acceptable design in a more traditional deployment.


