Mailing List Archive

Campus Network - Deployment mode of Perimeter Firewalls
Hello Gentlemen,

We are redesigning the core network where we have
- Edge routers peering BGP with internet providers and partners
- Perimeter firewalls to secure north-south traffic
- High-end core switches where all distribution switches connect.

logical diagram: Internet providers/partners -> Edge routers -> Firewalls
-> Core switches -> Distribution/Access switches

We plan to use BGP (with BFD) from distribution all the way up to the Edge
routers, and the core network has to be highly available.

I wanted to ask whether there are best practices for deploying the
perimeter firewalls.
Is Active/Active better than the Active/Standby HA model?
Does a pair of firewalls in Routed mode perform better than in
Transparent/Layer 2 mode?

My thoughts
On a pair of firewalls in Active/Active mode, 1) both uplinks/downlinks can
be utilized with ECMP, but I don't understand why it's considered an advantage
because, regardless of having both links active, you can't oversubscribe,
since you want to make sure there is no impact when one of the firewalls
goes down.
2) In fact, I could be wrong, but I think A/A creates asymmetric flows that
are difficult to troubleshoot.
3) However, with A/A, I think the convergence can be faster depending on the
underlying routing.

Regarding firewall mode, I know you can't use some firewall features (such
as VPN, NAT, etc.) when in Layer 2 mode; however, in some Next-Gen firewalls,
you can make a certain pair of interfaces transparent to your upstream and
downstream and another pair of interfaces in Layer 3 mode for VPN, NAT, etc.

Any comments, please?
If you know of any good document on this very topic, please share it with
me.

Thanks
Yham
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
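
[Editor's note: the following is an added example, not part of the original
thread.] The asymmetric-flow concern in point 2 above can be shown with a
toy model. It assumes two stateful firewalls, fw1 and fw2, reachable over two
equal-cost paths, routers above and below them that pick a path by hashing
the packet's 5-tuple, and no session-state sync between the two boxes (all
of these are assumptions, not details from the post). A plain directional
5-tuple hash sends the request through one firewall and the reply, whose
tuple is reversed, through either; a reply that lands on the box with no
state is dropped as unsolicited. A symmetric (direction-independent) hash
pins both directions to the same box. The traffic is constructed.

```python
"""Toy model of the asymmetric-flow problem with an active/active firewall pair.

Added example, not from the thread.  Assumes two stateful firewalls ("fw1",
"fw2") reachable over two equal-cost paths, routers that choose a path by
hashing the 5-tuple, and no session-state sharing between the boxes.
"""
import hashlib
from dataclasses import dataclass

FIREWALLS = ("fw1", "fw2")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Packet":
        """The reply packet: endpoints swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


def _bucket(key: str, n: int) -> int:
    # Deterministic, well-mixed hash -> bucket; stands in for a router's ECMP hash.
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n


def directional_hash(p: Packet) -> str:
    """Plain 5-tuple hash: the reply hashes a different key than the request."""
    key = f"{p.proto}|{p.src}:{p.sport}|{p.dst}:{p.dport}"
    return FIREWALLS[_bucket(key, len(FIREWALLS))]


def symmetric_hash(p: Packet) -> str:
    """Order-independent hash: request and reply produce the same key."""
    lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
    key = f"{p.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"
    return FIREWALLS[_bucket(key, len(FIREWALLS))]


class StatefulFirewall:
    """Minimal stateful firewall: inside may initiate; outside may only reply."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.sessions: set = set()

    @staticmethod
    def _session_key(p: Packet):
        # Direction-independent session identity.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def inspect(self, p: Packet, inbound: bool) -> bool:
        key = self._session_key(p)
        if key in self.sessions:
            return True             # known session, either direction
        if not inbound:
            self.sessions.add(key)  # inside-initiated: create state
            return True
        return False                # unsolicited from outside: drop


def run_flow(chooser, request: Packet, firewalls: dict) -> tuple:
    """Send a request outbound and its reply inbound; report path and verdict."""
    out_fw = chooser(request)
    firewalls[out_fw].inspect(request, inbound=False)
    reply = request.reverse()
    back_fw = chooser(reply)
    allowed = firewalls[back_fw].inspect(reply, inbound=True)
    return out_fw, back_fw, allowed


def dropped_replies(chooser, flows: int = 1000) -> int:
    """Count replies dropped for lack of state over `flows` constructed sessions."""
    firewalls = {n: StatefulFirewall(n) for n in FIREWALLS}
    drops = 0
    for i in range(flows):
        # Constructed traffic: inside hosts in 10.0.0.0/16 -> one outside web server.
        req = Packet(f"10.0.{i // 256}.{i % 256}", 20000 + i, "203.0.113.10", 443)
        if not run_flow(chooser, req, firewalls)[2]:
            drops += 1
    return drops


if __name__ == "__main__":
    for name, chooser in (("directional", directional_hash), ("symmetric", symmetric_hash)):
        print(f"{name:12s} hash: {dropped_replies(chooser)} of 1000 replies dropped")
```

With the directional hash roughly half of the replies land on the firewall
that never saw the request and are dropped; with the symmetric hash none
are. Real deployments avoid this either by pinning flows with a symmetric
hash or by synchronising session state between the pair, which is the
complexity Nick's reply below objects to.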
Re: Campus Network - Deployment mode of Perimeter Firewalls
Yham wrote on 10/08/2020 19:53:
> Hello Gentlemen,
>
> We are redesigning the core network where we have
> - Edge routers peering BGP with internet providers and partners
> - Perimeter firewalls to secure north-south traffic

Unless there's a specific policy objective which overrides any technical
consideration, you may want to consider not putting firewalls inline
like this, as they often introduce serious failure modes which are
difficult to work around. Best case in a service provider environment,
they should service only the addresses which need to be firewalled and
should not be used as the default configuration for all traffic.

> I wanted to ask if there are the best practices when deploying the
> perimeter firewalls?

> Is Active/Active is better than Active/Standby HA model?

No, active/active is troublesome - you end up sharing state between
multiple systems, which introduces complexity and potential for failure.
Active/standby also keeps you honest by ensuring that you end up with
resiliency.

> Is a pair of Firewalls in Routed mode performs better than in
> Transparent/Layer2 mode?

You lose features in transparent mode, e.g. routing and a bunch of
others. There's no compelling reason to use it for most situations.

> Regarding Firewalls mode, I know you can't use some firewall features (such
> as VPN, NAT etc) when in layer2 mode however in some Next-Gen firewalls,
> you can make certain pair of interfaces transparent to your upstream and
> downstream and another pair of interfaces in layer3 mode for VPN, NAT etc.
>
> Any comments, please?

Keep as much traffic away from firewalls as possible. Keep your
configuration as simple as possible (this takes time and effort). If
you're using Juniper firewalls, keep each customer in an apply-group.

Nick
Re: Campus Network - Deployment mode of Perimeter Firewalls
Hello Nick,

Thanks for your comments. I kind of agree with you on avoiding transparent
mode; however, it's not clear why you wouldn't want your north-south traffic
to pass through perimeter security devices (FWs). How would you protect your
network from outside if you don't have firewalls in the traffic path? I
have seen some enterprises use bypass switches to go around the firewalls
in case of an unexpected failure from which the firewalls can't recover.

Thanks

On Mon, Aug 10, 2020 at 3:41 PM Nick Hilliard <nick@foobar.org> wrote:

> Yham wrote on 10/08/2020 19:53:
> > Hello Gentlemen,
> >
> > We are redesigning the core network where we have
> > - Edge routers peering BGP with internet providers and partners
> > - Perimeter firewalls to secure north-south traffic
>
> Unless there's a specific policy objective which overrides any technical
> consideration, you may want to consider not putting firewalls inline
> like this, as they often introduce serious failure modes which are
> difficult to work around. Best case in a service provider environment,
> they should service only the addresses which need to be firewalled and
> should not be used as the default configuration for all traffic.
>
> > I wanted to ask if there are the best practices when deploying the
> > perimeter firewalls?
>
> > Is Active/Active is better than Active/Standby HA model?
>
> No, active/active is troublesome - you end up sharing state between
> multiple systems, which introduces complexity and potential for failure.
> Active/standby also keeps you honest by ensuring that you end up with
> resiliency.
>
> > Is a pair of Firewalls in Routed mode performs better than in
> > Transparent/Layer2 mode?
>
> you lose features in transparent mode, e.g. routing and a bunch of
> others. There's no compelling reason to use it for most situations.
>
> > Regarding Firewalls mode, I know you can't use some firewall features (such
> > as VPN, NAT etc) when in layer2 mode however in some Next-Gen firewalls,
> > you can make certain pair of interfaces transparent to your upstream and
> > downstream and another pair of interfaces in layer3 mode for VPN, NAT etc.
> >
> > Any comments, please?
>
> Keep as much traffic away from firewalls as possible. Keep your
> configuration as simple as possible (this takes time and effort). If
> you're using Juniper firewalls, keep each customer in an apply-group.
>
> Nick
>
Re: Campus Network - Deployment mode of Perimeter Firewalls
Hi,

On Mon, Aug 10, 2020 at 11:33:06PM -0400, Yham wrote:
> Thanks for your comments. I kinda agree with you on avoid using transparent
> mode however not clear why you wouldn't want your north-south traffic pass
> through perimeter security devices (FWs). how would you protect your
> network from outside if you don't have firewalls in the traffic path? I
> have seen some enterprises use by-pass switches to go around the firewalls
> in case of an unexpected failure from where firewalls can't recover.

What is the point of a firewall in front of a web server?

The web server should not have any services running besides "web", and
these have to be available from the outside.

Adding a firewall means "you put a device in front of it that can handle
less load and costs more" - but where's the security gain?

gert

--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany gert@greenie.muc.de
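
[Editor's note: the following is an added example, not part of the original
thread.] Gert's argument rests on the web server exposing nothing but "web".
That is a property you can verify on the host itself rather than assume. The
script below parses `ss -Hltnup`-style output (the sample is constructed, not
captured from a real host) and reports every socket bound to a non-loopback
address whose protocol and port are not on an allow-list; the allow-list,
the column layout and the sample process names are assumptions for the
example.

```python
"""Check that a host exposes only the services it is meant to serve.

Added example, not from the thread.  Parses `ss -Hltnup`-style output and
reports off-host-reachable listeners that are not on the allow-list.
Run against a real host with:  ss -Hltnup | python3 this_script.py
"""
import re
import sys

# One listener per line, in the column layout `ss -Hltnup` prints:
# Netid State Recv-Q Send-Q Local:Port Peer:Port Process
SS_LINE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

# Sockets bound here are not reachable from off-host and are ignored.
LOOPBACK = ("127.", "[::1]")

# Constructed sample: a web server that also grew an SSH daemon and NTP.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=812,fd=6))
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=812,fd=7))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=640,fd=3))
tcp   LISTEN 0      244        127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=901,fd=5))
udp   UNCONN 0      0            0.0.0.0:123       0.0.0.0:*    users:(("chronyd",pid=700,fd=5))
tcp   LISTEN 0      511             [::]:443          [::]:*    users:(("nginx",pid=812,fd=8))
"""

# Assumed policy for a pure web server: only HTTP and HTTPS face the network.
WEB_ONLY = {("tcp", 80), ("tcp", 443)}


def parse_listeners(text: str):
    """Yield (proto, addr, port, process) for each listener line."""
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)
        yield m.group("proto"), addr, int(port), m.group("proc") or "?"


def unexpected_listeners(text: str, allowed=WEB_ONLY) -> list:
    """Listeners reachable from off-host whose (proto, port) is not allowed."""
    return [
        (proto, addr, port, proc)
        for proto, addr, port, proc in parse_listeners(text)
        if not addr.startswith(LOOPBACK) and (proto, port) not in allowed
    ]


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for proto, addr, port, proc in unexpected_listeners(data):
        print(f"unexpected {proto} listener {addr}:{port} ({proc})")
```

On the constructed sample it flags sshd on tcp/22 and chronyd on udp/123;
PostgreSQL on 127.0.0.1 is ignored because it is loopback-only. If a host
passes this check, the perimeter firewall is only re-stating a policy the
host already enforces, which is Gert's point; if it fails, the finding is
about the host, not about where to put the firewall.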
Re: Campus Network - Deployment mode of Perimeter Firewalls
Yham wrote on 11/08/2020 04:33:
> Thanks for your comments. I kinda agree with you on avoid using
> transparent mode however not clear why you wouldn't want your
> north-south traffic pass through perimeter security devices (FWs). how
> would you protect your network from outside if you don't have firewalls
> in the traffic path? I have seen some enterprises use by-pass switches
> to go around the firewalls in case of an unexpected failure from where
> firewalls can't recover.

I missed that this was a campus network, and assumed it was a service
provider.

Yeah, politically credible reasons for wanting some or all parts of a
campus behind firewalls of whatever form. It's a completely terrible
idea if you're a service provider though.

Nick

Re: Campus Network - Deployment mode of Perimeter Firewalls
Not to mention the obvious observation that a firewall designed to "fail
open" must not have anything of any importance behind it, so it (the
firewall) merely exists for "checkbox compliance" with the checklists of
incompetent arseholes and clueless retards, and not because it serves
(or is intended to serve) any useful purpose.

--
Be decisive. Make a decision, right or wrong. The road of life is
paved with flat squirrels who could not make a decision.

>-----Original Message-----
>From: cisco-nsp <cisco-nsp-bounces@puck.nether.net> On Behalf Of Gert
>Doering
>Sent: Tuesday, 11 August, 2020 01:18
>To: Yham <yhameed81@gmail.com>
>Cc: cisco-nsp@puck.nether.net NSP <cisco-nsp@puck.nether.net>
>Subject: Re: [c-nsp] Campus Network - Deployment mode of Perimeter
>Firewalls
>
>Hi,
>
>On Mon, Aug 10, 2020 at 11:33:06PM -0400, Yham wrote:
>> Thanks for your comments. I kinda agree with you on avoid using transparent
>> mode however not clear why you wouldn't want your north-south traffic pass
>> through perimeter security devices (FWs). how would you protect your
>> network from outside if you don't have firewalls in the traffic path? I
>> have seen some enterprises use by-pass switches to go around the firewalls
>> in case of an unexpected failure from where firewalls can't recover.
>
>What is the point of a firewall in front of a web server?
>
>The web server should not have any services running besides "web", and
>these have to be available from the outside.
>
>Adding a firewall means "you put a device in front of it that can handle
>less load and costs more" - but where's the security gain?
>
>gert
>
>--
>"If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
>Gert Doering - Munich, Germany gert@greenie.muc.de

Re: Campus Network - Deployment mode of Perimeter Firewalls
What is the difference? Does not the "campus network" provide a
service?

--
Be decisive. Make a decision, right or wrong. The road of life is
paved with flat squirrels who could not make a decision.

>-----Original Message-----
>From: cisco-nsp <cisco-nsp-bounces@puck.nether.net> On Behalf Of Nick
>Hilliard
>Sent: Tuesday, 11 August, 2020 03:34
>To: Yham <yhameed81@gmail.com>
>Cc: cisco-nsp@puck.nether.net NSP <cisco-nsp@puck.nether.net>
>Subject: Re: [c-nsp] Campus Network - Deployment mode of Perimeter
>Firewalls
>
>Yham wrote on 11/08/2020 04:33:
>> Thanks for your comments. I kinda agree with you on avoid using
>> transparent mode however not clear why you wouldn't want your
>> north-south traffic pass through perimeter security devices (FWs). how
>> would you protect your network from outside if you don't have firewalls
>> in the traffic path? I have seen some enterprises use by-pass switches
>> to go around the firewalls in case of an unexpected failure from where
>> firewalls can't recover.
>
>I missed that this was a campus network, and assumed it was a service
>provider.
>
>Yeah, politically credible reasons for wanting some or all parts of a
>campus behind firewalls of whatever form. It's a completely terrible
>idea if you're a service provider though.
>
>Nick