Re: [c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
What is the difference? Does not the "campus network" provide a service?

--
Be decisive. Make a decision, right or wrong. The road of life is paved with flat squirrels who could not make a decision.

> -Original Message-
> From: cisco-nsp On Behalf Of Nick Hilliard
> Sent: Tuesday, 11 August, 2020 03:34
> To: Yham
> Cc: cisco-nsp@puck.nether.net NSP
> Subject: Re: [c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
>
> Yham wrote on 11/08/2020 04:33:
>> Thanks for your comments. I kinda agree with you on avoiding the use of
>> transparent mode; however, it's not clear why you wouldn't want your
>> north-south traffic to pass through perimeter security devices (FWs). How
>> would you protect your network from outside if you don't have firewalls
>> in the traffic path? I have seen some enterprises use bypass switches
>> to go around the firewalls in case of an unexpected failure from which
>> the firewalls can't recover.
>
> I missed that this was a campus network, and assumed it was a service
> provider.
>
> Yeah, politically credible reasons for wanting some or all parts of a
> campus behind firewalls of whatever form. It's a completely terrible
> idea if you're a service provider though.
>
> Nick

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
Not to mention the obvious observation that a firewall designed to "fail open" must not have anything of any importance behind it, so it (the firewall) merely exists for "checkbox compliance" with the checklists of incompetent arseholes and clueless retards, and not because it serves (or is intended to serve) any useful purpose.

--
Be decisive. Make a decision, right or wrong. The road of life is paved with flat squirrels who could not make a decision.

> -Original Message-
> From: cisco-nsp On Behalf Of Gert Doering
> Sent: Tuesday, 11 August, 2020 01:18
> To: Yham
> Cc: cisco-nsp@puck.nether.net NSP
> Subject: Re: [c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
>
> Hi,
>
> On Mon, Aug 10, 2020 at 11:33:06PM -0400, Yham wrote:
>> Thanks for your comments. I kinda agree with you on avoiding the use of
>> transparent mode; however, it's not clear why you wouldn't want your
>> north-south traffic to pass through perimeter security devices (FWs). How
>> would you protect your network from outside if you don't have firewalls
>> in the traffic path? I have seen some enterprises use bypass switches
>> to go around the firewalls in case of an unexpected failure from which
>> the firewalls can't recover.
>
> What is the point of a firewall in front of a web server?
>
> The web server should not have any services running besides "web", and
> these have to be available from the outside.
>
> Adding a firewall means "you put a device in front of it that can handle
> less load and costs more" - but where's the security gain?
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>                             Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
Re: [c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
Yham wrote on 11/08/2020 04:33:
> Thanks for your comments. I kinda agree with you on avoiding the use of
> transparent mode; however, it's not clear why you wouldn't want your
> north-south traffic to pass through perimeter security devices (FWs). How
> would you protect your network from outside if you don't have firewalls
> in the traffic path? I have seen some enterprises use bypass switches
> to go around the firewalls in case of an unexpected failure from which
> the firewalls can't recover.

I missed that this was a campus network, and assumed it was a service provider.

Yeah, politically credible reasons for wanting some or all parts of a campus behind firewalls of whatever form. It's a completely terrible idea if you're a service provider though.

Nick
Re: [c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
Hi,

On Mon, Aug 10, 2020 at 11:33:06PM -0400, Yham wrote:
> Thanks for your comments. I kinda agree with you on avoiding the use of
> transparent mode; however, it's not clear why you wouldn't want your
> north-south traffic to pass through perimeter security devices (FWs). How
> would you protect your network from outside if you don't have firewalls
> in the traffic path? I have seen some enterprises use bypass switches
> to go around the firewalls in case of an unexpected failure from which
> the firewalls can't recover.

What is the point of a firewall in front of a web server?

The web server should not have any services running besides "web", and these have to be available from the outside.

Adding a firewall means "you put a device in front of it that can handle less load and costs more" - but where's the security gain?

gert

--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                            Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany
g...@greenie.muc.de
Re: [c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
Hello Nick,

Thanks for your comments. I kinda agree with you on avoiding the use of transparent mode; however, it's not clear why you wouldn't want your north-south traffic to pass through perimeter security devices (FWs). How would you protect your network from outside if you don't have firewalls in the traffic path? I have seen some enterprises use bypass switches to go around the firewalls in case of an unexpected failure from which the firewalls can't recover.

Thanks

On Mon, Aug 10, 2020 at 3:41 PM Nick Hilliard wrote:
> Yham wrote on 10/08/2020 19:53:
>> Hello Gentlemen,
>>
>> We are redesigning the core network where we have
>> - Edge routers peering BGP with internet providers and partners
>> - Perimeter firewalls to secure north-south traffic
>
> Unless there's a specific policy objective which overrides any technical
> consideration, you may want to consider not putting firewalls inline
> like this, as they often introduce serious failure modes which are
> difficult to work around. Best case in a service provider environment,
> they should service only the addresses which need to be firewalled and
> should not be used as the default configuration for all traffic.
>
>> I wanted to ask if there are any best practices when deploying the
>> perimeter firewalls?
>
>> Is Active/Active better than the Active/Standby HA model?
>
> No, active/active is troublesome - you end up sharing state between
> multiple systems, which introduces complexity and potential for failure.
> Active/standby also keeps you honest by ensuring that you end up with
> resiliency.
>
>> Does a pair of firewalls in routed mode perform better than in
>> transparent/Layer 2 mode?
>
> you lose features in transparent mode, e.g. routing and a bunch of
> others. There's no compelling reason to use it for most situations.
>
>> Regarding firewall mode, I know you can't use some firewall features
>> (such as VPN, NAT etc) when in Layer 2 mode; however, in some Next-Gen
>> firewalls you can make a certain pair of interfaces transparent to your
>> upstream and downstream and another pair of interfaces Layer 3 for VPN,
>> NAT etc.
>>
>> Any comments, please?
>
> Keep as much traffic away from firewalls as possible. Keep your
> configuration as simple as possible (this takes time and effort). If
> you're using Juniper firewalls, keep each customer in an apply-group.
>
> Nick
Re: [c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
Yham wrote on 10/08/2020 19:53:
> Hello Gentlemen,
>
> We are redesigning the core network where we have
> - Edge routers peering BGP with internet providers and partners
> - Perimeter firewalls to secure north-south traffic

Unless there's a specific policy objective which overrides any technical consideration, you may want to consider not putting firewalls inline like this, as they often introduce serious failure modes which are difficult to work around. Best case in a service provider environment, they should service only the addresses which need to be firewalled and should not be used as the default configuration for all traffic.

> I wanted to ask if there are any best practices when deploying the
> perimeter firewalls?

> Is Active/Active better than the Active/Standby HA model?

No, active/active is troublesome - you end up sharing state between multiple systems, which introduces complexity and potential for failure. Active/standby also keeps you honest by ensuring that you end up with resiliency.

> Does a pair of firewalls in routed mode perform better than in
> transparent/Layer 2 mode?

you lose features in transparent mode, e.g. routing and a bunch of others. There's no compelling reason to use it for most situations.

> Regarding firewall mode, I know you can't use some firewall features
> (such as VPN, NAT etc) when in Layer 2 mode; however, in some Next-Gen
> firewalls you can make a certain pair of interfaces transparent to your
> upstream and downstream and another pair of interfaces Layer 3 for VPN,
> NAT etc.
>
> Any comments, please?

Keep as much traffic away from firewalls as possible. Keep your configuration as simple as possible (this takes time and effort). If you're using Juniper firewalls, keep each customer in an apply-group.

Nick
[c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
Hello Gentlemen,

We are redesigning the core network where we have
- Edge routers peering BGP with internet providers and partners
- Perimeter firewalls to secure north-south traffic
- High-end core switches where all distribution switches connect.

Logical diagram:
Internet providers/partners -> Edge routers -> Firewalls -> Core switches -> Distribution/Access switches

We plan to use BGP (with BFD) from distribution all the way up to the edge routers, and the core network has to be highly available.

I wanted to ask if there are any best practices when deploying the perimeter firewalls?
Is Active/Active better than the Active/Standby HA model?
Does a pair of firewalls in routed mode perform better than in transparent/Layer 2 mode?

My thoughts:
On a pair of firewalls in Active/Active mode,
1) both uplinks/downlinks can be utilized with ECMP, but I don't understand why it's considered an advantage because, regardless of having both links active, you can't oversubscribe, since you want to make sure there is no impact when one of the firewalls goes down.
2) In fact, I could be wrong, but I think A/A creates asymmetric flows that are difficult to troubleshoot.
3) However, with A/A, I think the convergence can be faster depending on the underlying routing.

Regarding firewall mode, I know you can't use some firewall features (such as VPN, NAT etc) when in Layer 2 mode; however, in some Next-Gen firewalls you can make a certain pair of interfaces transparent to your upstream and downstream and another pair of interfaces Layer 3 for VPN, NAT etc.

Any comments, please? If you know of any good document on this very topic, please share it with me.

Thanks
Yham
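The asymmetric-flow worry in point 2 above, and the state-sharing point Nick raises in his reply, can be shown with a small simulation. This is an added example written for this thread, not code from the list posts or from any vendor: two stateful firewalls sit behind per-direction ECMP hashing, once with independent session tables and once with a shared (synchronised) one, and an active/standby pair with a single forwarding unit is the baseline. The addresses, the hash function and the packet model are constructed for the example; the toy hash is deliberately built so that with this client/server pair every session's reply lands on the other firewall, which is the worst case rather than the fraction you would see in practice.

```python
"""Toy model of an active/active firewall pair behind ECMP (constructed example)."""
from dataclasses import dataclass

# Constructed addresses for the example: a campus client and an Internet server.
CLIENT = "10.0.0.10"
SERVER = "203.0.113.5"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def flow_key(p: Packet):
    """Direction-independent session key: identical for A->B and B->A."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def last_octet(addr: str) -> int:
    return int(addr.rsplit(".", 1)[1])


def ecmp_index(p: Packet, n_paths: int) -> int:
    """Toy per-direction ECMP hash (not any vendor's algorithm).

    Like a real router it hashes header fields in the order they appear in
    the packet, so the forward and reverse packets of one session need not
    pick the same path. With these weights and this client/server pair the
    parity always flips, so on two paths every session is asymmetric.
    """
    return (2 * last_octet(p.src) + p.sport
            + last_octet(p.dst) + 3 * p.dport) % n_paths


class StatefulFirewall:
    """Permits sessions initiated from the inside; inbound packets are
    accepted only as return traffic of a session already in the table."""

    def __init__(self, name: str, shared_table=None):
        self.name = name
        # With state sync every unit sees the same table object;
        # without sync each unit keeps a private table.
        self.table = shared_table if shared_table is not None else set()

    def process(self, p: Packet, inbound: bool) -> bool:
        key = flow_key(p)
        if not inbound:
            self.table.add(key)   # outbound packet creates session state
            return True
        return key in self.table  # inbound must match existing state


def run_flows(n_firewalls: int, share_state: bool, sports):
    """Send one outbound packet per source port and route its reply back
    through ECMP. Returns (sport, forward fw, reverse fw) for each session
    whose reply was dropped because the reverse path hit a unit without
    matching state."""
    shared = set() if share_state else None
    fws = [StatefulFirewall(f"fw{i}", shared) for i in range(n_firewalls)]
    dropped = []
    for sport in sports:
        out = Packet(CLIENT, sport, SERVER, 443)
        back = Packet(SERVER, 443, CLIENT, sport)
        fw_out = fws[ecmp_index(out, n_firewalls)]
        fw_back = fws[ecmp_index(back, n_firewalls)]
        fw_out.process(out, inbound=False)
        if not fw_back.process(back, inbound=True):
            dropped.append((sport, fw_out.name, fw_back.name))
    return dropped


if __name__ == "__main__":
    ports = range(40000, 40008)
    for label, n, sync in (("active/standby (one forwarding unit)", 1, False),
                           ("active/active, no state sync", 2, False),
                           ("active/active, shared state", 2, True)):
        d = run_flows(n, sync, ports)
        print(f"{label}: {len(d)}/{len(ports)} sessions broken {d[:2]}")
```

The point the simulation makes is the one from the thread: an active/active pair only works for stateful inspection if either the state is synchronised between the units (the complexity Nick objects to) or the routing on both sides is pinned so that forward and reverse traffic always hit the same unit. An active/standby pair gets symmetry for free because only one unit forwards.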