Application zoning/VLAN design

Started by Reggle, January 14, 2016, 07:40:37 AM


Reggle

Hi all,

I wonder: what is your preference when designing a (data center) network for multiple three-tier applications? Each application has a web server (interface towards end-users), a backend application server to which the webserver connects, and a database server to which the application server connects. A central firewall is the default gateway for everything.

1) One VLAN per tier, 3 VLANs total.
Web servers for different applications together in a VLAN. Same for application- and database servers.
+ Secure because all flows for an application traverse the firewall, preventing for example direct web-to-database connections
- Lots of firewall rule management
- Applications can interact with one another in unexpected ways
- Many flows and large database flows traverse the firewall, may require larger firewalls

2) One VLAN per application with all three tiers in it.
One application is one VLAN.
+ Complete application separation
+ Less firewall rule management
- Badly designed applications get away with it

3) Other solutions... Please explain.

Of course one VLAN per tier per application is an option, but it needs to be scalable (VLAN numbers) for many applications, and I'd like the firewall to be used for the important flows only; there is no use checking a database-to-database flow, for example.

I'm not designing anything for real for the moment, just gathering ideas here.
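
A small flow model of the zoning options above, as an added example (not code from the thread). The application names and the assumption that a default-gateway firewall sees exactly the cross-VLAN flows are constructed; it counts, for each design, how many allow rules the central firewall needs, how many VLANs it consumes, and how many flows never reach the firewall at all, including the unwanted ones (web straight to database in the per-app design, lateral database-to-database in the per-tier design).

```python
"""Flow model for the zoning options in the post.

Added example, not from the original thread: hosts and application names
are constructed.  A flow whose endpoints sit in different VLANs must pass
the central firewall (the default gateway for everything), so it needs an
explicit allow rule if it is intended and is dropped otherwise.  A flow
inside one VLAN never reaches the firewall at all.
"""
from itertools import product

TIERS = ("web", "app", "db")
# The only flows a well-behaved three-tier application needs, per app.
INTENDED = {("web", "app"), ("app", "db")}


def hosts(apps):
    """Every (application, tier) server in the data center."""
    return [(a, t) for a in apps for t in TIERS]


# Option 1: one VLAN per tier, shared by all applications.
def vlan_per_tier(app, tier):
    return f"vlan-{tier}"


# Option 2: one VLAN per application holding all three tiers.
def vlan_per_app(app, tier):
    return f"vlan-{app}"


# The option the post calls out as hard to scale: a VLAN per app per tier.
def vlan_per_app_and_tier(app, tier):
    return f"vlan-{app}-{tier}"


def analyse(apps, vlan_of):
    """Classify every ordered host pair under a zoning function.

    Returns (rules, unfiltered): rules are the cross-VLAN intended flows
    that must be written as firewall allow rules; unfiltered are the
    same-VLAN flows the firewall never sees, intended or not.
    """
    rules, unfiltered = set(), set()
    for src, dst in product(hosts(apps), repeat=2):
        if src == dst:
            continue
        intended = src[0] == dst[0] and (src[1], dst[1]) in INTENDED
        if vlan_of(*src) == vlan_of(*dst):
            unfiltered.add((src, dst))
        elif intended:
            rules.add((src, dst))
    return rules, unfiltered


def summary(apps, vlan_of):
    """Counts that map onto the pros and cons listed in the post."""
    rules, unfiltered = analyse(apps, vlan_of)
    unwanted = {
        (s, d) for s, d in unfiltered
        if not (s[0] == d[0] and (s[1], d[1]) in INTENDED)
    }
    return {
        "vlans": len({vlan_of(*h) for h in hosts(apps)}),
        "firewall_rules": len(rules),
        "unfiltered_flows": len(unfiltered),
        "unwanted_unfiltered": len(unwanted),
    }


if __name__ == "__main__":
    apps = ["crm", "hr", "erp"]  # constructed application names
    for name, fn in [("per tier", vlan_per_tier),
                     ("per app", vlan_per_app),
                     ("per app and tier", vlan_per_app_and_tier)]:
        print(f"{name:18s} {summary(apps, fn)}")
    # Which unwanted flows slip past the firewall in each design?
    _, per_tier = analyse(apps, vlan_per_tier)
    _, per_app = analyse(apps, vlan_per_app)
    print("per tier lets crm-db reach hr-db:", (("crm", "db"), ("hr", "db")) in per_tier)
    print("per app lets crm-web reach crm-db:", (("crm", "web"), ("crm", "db")) in per_app)
```

With three applications the per-tier design needs six firewall rules and lets eighteen cross-application same-tier flows through unfiltered; the per-app design needs no internal rules but leaves twelve unintended intra-application flows (such as web to database) uninspected; the per-app-per-tier design has no unfiltered flows but burns nine VLANs for three applications, which is the scaling cost mentioned above.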

deanwebb

If the app is exposed only to internal users, all three can sit behind the firewall in the same VLAN. Firewall permits traffic to the web server, IPS inline with the firewall scrubs the traffic.

If the app is exposed to the Internet or external users, web server goes into the DMZ. Other two servers can be in the same VLAN, for all I care. Firewall and IPS can each have segments dedicated for DMZ and DC traffic. That way, the firewall drops the packets that are on the wrong ports and the IPS drops the packets that are doing sketchy things.

Given that there will likely be other devices in the DMZ and the DC, the firewall and IPS will be doing more than just babysitting this app.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

One VLAN per tier, but the firewall is only between web and app (as well as outside). I wouldn't bother with a FW between the app and DB, too much work.

UNLESS it was NSX or the like and you could have a host-based firewall that was portable with the VM and allowed abstract rule sets (i.e. not bound to IPs etc.).


You'd ideally want IPS or L7 NGFW capabilities between the internet and the web server, and again between the web server and the app server, and ideally different vendors too if you want to be paranoid. Of course then you can count on taking months for anything to get done, at least if it's managed in a traditional enterprise IT manner.
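
The "abstract rule set not bound to IPs" idea from the post above, as an added example that is not code from the thread or from any vendor product: policy rules name labels (tier, app, env), and each VM's concrete inbound allow list is derived from the current inventory, so a VM migration that changes its address changes the derived entries but never the policy. VM names, labels, addresses and the rendered rule lines are all constructed for illustration.

```python
"""Label-based host policy, the kind of abstract rule set described in
the post: rules name labels, not addresses, and each VM's concrete allow
list is derived from the current inventory.  Moving a VM (new IP, new
host) changes the derived entries but never the policy.

Added example, not from the thread; VM names, labels and addresses are
constructed and the rendered rule lines are illustrative, not a specific
vendor's syntax.
"""
from dataclasses import dataclass, replace


@dataclass
class VM:
    name: str
    ip: str
    labels: dict  # e.g. {"app": "crm", "tier": "db", "env": "prod"}


@dataclass
class Rule:
    src: dict    # labels the source must carry
    dst: dict    # labels the destination must carry
    same: tuple  # label keys that must be equal on both ends
    port: int


# web -> app on 8080 and app -> db on 5432, only within one app and one env.
# Nothing else is allowed, so web -> db and cross-app flows are dropped.
POLICY = [
    Rule(src={"tier": "web"}, dst={"tier": "app"}, same=("app", "env"), port=8080),
    Rule(src={"tier": "app"}, dst={"tier": "db"}, same=("app", "env"), port=5432),
]

# Constructed inventory: two prod apps plus a dev copy of one app tier.
INVENTORY = [
    VM("crm-web", "10.0.1.10", {"app": "crm", "tier": "web", "env": "prod"}),
    VM("crm-app", "10.0.2.10", {"app": "crm", "tier": "app", "env": "prod"}),
    VM("crm-db", "10.0.3.10", {"app": "crm", "tier": "db", "env": "prod"}),
    VM("hr-app", "10.0.2.11", {"app": "hr", "tier": "app", "env": "prod"}),
    VM("hr-db", "10.0.3.11", {"app": "hr", "tier": "db", "env": "prod"}),
    VM("crm-app-dev", "10.1.2.10", {"app": "crm", "tier": "app", "env": "dev"}),
]


def matches(selector, labels):
    """True when every label in the selector is present with that value."""
    return all(labels.get(k) == v for k, v in selector.items())


def compile_inbound(policy, inventory):
    """Map each VM name to the set of (source_ip, port) it must accept."""
    allowed = {vm.name: set() for vm in inventory}
    for rule in policy:
        for dst in inventory:
            if not matches(rule.dst, dst.labels):
                continue
            for src in inventory:
                if src is dst or not matches(rule.src, src.labels):
                    continue
                if any(src.labels.get(k) != dst.labels.get(k) for k in rule.same):
                    continue
                allowed[dst.name].add((src.ip, rule.port))
    return allowed


def move_vm(inventory, name, new_ip):
    """Simulate a VM migration: same labels, new address."""
    return [replace(vm, ip=new_ip) if vm.name == name else vm for vm in inventory]


def render(allowed):
    """Illustrative per-host rule lines (constructed format, default deny)."""
    lines = []
    for host in sorted(allowed):
        for ip, port in sorted(allowed[host]):
            lines.append(f"{host}: accept from {ip} tcp dport {port}")
        lines.append(f"{host}: drop inbound by default")
    return lines


if __name__ == "__main__":
    print("\n".join(render(compile_inbound(POLICY, INVENTORY))))
    print("--- after crm-app moves to 10.9.9.9 ---")
    moved = move_vm(INVENTORY, "crm-app", "10.9.9.9")
    print("\n".join(render(compile_inbound(POLICY, moved))))
```

Two things to check in the output: crm-db accepts only its own app server (hr-app and the dev copy are excluded by the `same` keys, which is also how prod and dev stay apart), and after the migration crm-db's entry follows the new address while `POLICY` is untouched. The cost is that the inventory now has to be trustworthy, since a wrong label is a policy change.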

Reggle

Thanks for the input. So I'm not the only one not convinced that application-to-database really needs inspection.
I hadn't mentioned L7 inspection but of course that would be expected. Alright, seems I'm good to go. If anyone at anytime wants to add their ideas to this topic, feel free to do so. The more input, the better.

icecream-guy

Segregate your services into separate VLANs in the DMZ; that way, if one server is pwned, the rest of the servers are not.

3. Keep your production away from test/development; never shall the two meet. Never access production from development,
never access development from production. Bad things happen when the two mix.

My Moral Fibers have been cut.

deanwebb

I thought production *was* development?
