Shared DMZ

Started by laitounejjar, February 21, 2021, 06:37:44 AM


laitounejjar

Hello everyone, and sorry for my English.
We have bought a hardware FW and we have a second WAN connection, so we decided to review our network architecture.
My idea is shown in the attached image (for details: (1) this way I can redirect some clients to ISP2 directly; (2) my domain is publicly declared as a.b.c.d).

What do you think about the idea?
What about the public servers in the DMZ (they initially have one gateway, 192.168.0.1)?
Do you have a better idea?

Thanks.

icecream-guy

What is R-Cisco?

I would suggest to move the ISP-2 connection over to the hardware firewall, so there is only one entry/exit to your network, no backdoor.

My Moral Fibers have been cut.

laitounejjar

Thanks for your reply.
Yes, it's a possible idea. R-Cisco = Cisco router.
What about incoming connections from a.b.c.d (isp2) to servers in the DMZ that are shared between isp1 and isp2 (with a failover)?

config t

Quote from: laitounejjar on February 21, 2021, 10:42:09 AM

What about incoming connections from a.b.c.d (isp2) to servers in the DMZ that are shared between isp1 and isp2 (with a failover)?

I'm not sure I am understanding this correctly. Are you saying you want to move the ISP2 connection to the DMZ? That would make it no longer a DMZ.

Agreed with ristau... only one entry/exit. Otherwise you don't have an effective boundary.

Please don't mistake my experience for intelligence.

Dieselboy

1. When traffic arrives at R-Cisco for a DMZ server, it may not go via the firewall.

It will go: Internet -> R-Cisco -> DMZ server.

2. When the DMZ server replies to the internet, it will use the default gateway (firewall):

DMZ Server -> Firewall -> R-Cisco -> internet

Note A) Depending on the firewall, the security on your firewall may break this traffic by default because the reply from the DMZ server is not a TCP SYN packet.

The diagram is too complex for the simple network. My suggestion is to have: Internet > R-Cisco > firewall > DMZ.

R-Cisco role = route between internet <-> firewall

Firewall role = Route between internet <-> DMZ

Note B) Failover for DMZ server may not work with your current design.

My final suggestion to you:

I suggest that you test all of the components of your design like auto-failover and see if you have any problems (or not) and work through those.
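The asymmetric-path failure Dieselboy describes (inbound via R-Cisco straight to the DMZ, reply via the firewall) is easy to model. The following is an added example, not code from the thread or from any of the posters: a toy stateful firewall that only opens a connection entry when it sees a TCP SYN, run over the two paths side by side. All addresses, ports and host names are constructed for the example; real firewalls differ in detail (some offer a "TCP state bypass" knob), but the default behaviour is the one shown.

```python
"""Toy model of a stateful firewall in front of a DMZ server.

Two paths are simulated for one TCP handshake:

  asymmetric: Internet -> R-Cisco -> DMZ server        (firewall bypassed)
              DMZ server -> Firewall -> R-Cisco -> Internet (reply via FW)
  symmetric:  Internet -> R-Cisco -> Firewall -> DMZ server, and back

Addresses and ports below are constructed for this example only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"


class StatefulFirewall:
    """Allows a segment only if it is a SYN or belongs to a known flow."""

    def __init__(self):
        self.table = set()   # known flows, keyed direction-independently
        self.log = []        # (packet, verdict) pairs, i.e. what the FW would log

    @staticmethod
    def _key(p: Packet):
        # Sort the two endpoints so both directions map to the same flow key.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def inspect(self, p: Packet) -> str:
        key = self._key(p)
        if p.flags == "SYN":
            self.table.add(key)      # new flow: SYN creates state
            verdict = "ALLOW"
        elif key in self.table:
            verdict = "ALLOW"        # mid-stream segment of a known flow
        else:
            verdict = "DROP"         # mid-stream segment with no state
        self.log.append((p, verdict))
        return verdict

    def dropped(self) -> list:
        """Segments the firewall refused; useful when troubleshooting."""
        return [p for p, v in self.log if v == "DROP"]


# Constructed sample endpoints (RFC 5737 / RFC 1918 space).
CLIENT = ("203.0.113.10", 51234)   # hypothetical internet client
DMZ_WEB = ("192.168.10.5", 443)    # hypothetical DMZ web server


def run_asymmetric() -> list:
    """Inbound SYN bypasses the FW; only the server's reply reaches it."""
    fw = StatefulFirewall()
    verdicts = []
    # The SYN enters via R-Cisco directly to the DMZ: the firewall never sees it.
    verdicts.append(("client SYN via R-Cisco", "NOT SEEN BY FIREWALL"))
    # The server replies through its default gateway, which is the firewall.
    synack = Packet(*DMZ_WEB, *CLIENT, "SYN-ACK")
    verdicts.append(("server SYN-ACK via firewall", fw.inspect(synack)))
    return verdicts


def run_symmetric() -> list:
    """Both directions traverse the firewall, so state is created by the SYN."""
    fw = StatefulFirewall()
    handshake = (
        Packet(*CLIENT, *DMZ_WEB, "SYN"),
        Packet(*DMZ_WEB, *CLIENT, "SYN-ACK"),
        Packet(*CLIENT, *DMZ_WEB, "ACK"),
    )
    return [(p.flags, fw.inspect(p)) for p in handshake]


if __name__ == "__main__":
    for name, result in (("asymmetric", run_asymmetric()),
                         ("symmetric", run_symmetric())):
        print(name)
        for step, verdict in result:
            print(f"  {step:32s} {verdict}")
```

In the asymmetric run the firewall's only evidence of the connection is a SYN-ACK with no matching state, so it drops it and the client's handshake times out; in the symmetric run every segment is allowed. When testing a design like this, those "no state, mid-stream" drops in the firewall log are the signature to look for.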

deanwebb

Hello, I am the attacker. I like the R-Cisco thing. When can I set up an appointment to compromise your network? I have some availability next Thursday morning.

Also, having asymmetric paths can often break applications.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

Why not just run both WAN links off the FW and use the FW to do the appropriate load balancing, whether via routing, PBR or other $VENDOR features?