DMZ redundancy
How do you achieve DMZ redundancy if you have dual routers to multiple ISPs? Where would you place the DMZ?
I imagine you could stick the DMZ on either of the routers, and configure an L3 link between them and let your routing protocol route between them. Configure the ACLs/policies outbound on those interfaces.
I guess another way would be to place the DMZ in between the two routers.
Obviously you're going to need to configure BGP (I think I've managed to get that bit done).
What's the best way to implement DMZ security anyway? Zone Based Firewall? How complicated would that be for someone who has never configured a firewall before?
Thanks.
Comments
DMZ security can be implemented a couple of ways. One is to use NAT and a private IP range, and two is to just use straight-up public IP addresses. Personally, I like keeping it all public IPs for simplicity's sake. As far as actual firewall rules... You'll either need a router with a zone-based firewall on it, or an actual firewall (like a Cisco ASA). You have two sets of rules: DMZ <-> Outside, DMZ <-> Inside.
If it were me, I would get two ASAs, configure them in a cluster and create one DMZ. Hopefully this helps! Let me know if you have any other questions!
Here's what my mind spilled out on paper:
I'm under pressure to get this university project finished; so much to do so little time. I still need to configure site-to-site VPNs which seems to be over 9000 commands.
How about this.... stick a switch on one of the routers and call that the DMZ. Implement zone-based policies on the router. Have an L3 link between routers, so if the other ISP goes down traffic can still get to devices within the DMZ.
Anything wrong with that?
1) Inside users should be able to access internet
2) Outside users should be able to access the DMZ
I've never done this before so I apologise right now if what I've done is incorrect. I'm looking for some feedback on whether the configuration is valid or not.
! Security zones must exist before an interface can be made a member of one
zone security TRUSTED
zone security INTERNET
zone security DMZ
!
interface FastEthernet0/0
 ! This is the interface connecting to the inside network
 zone-member security TRUSTED
interface FastEthernet0/1
 ! This is the interface connecting to the internet
 zone-member security INTERNET
interface FastEthernet1/0
 ! This is the interface connecting to the DMZ
 zone-member security DMZ
!
! Traffic the internet is allowed to initiate towards the DMZ
class-map type inspect match-any INTERNET_TO_DMZ
 match protocol http
 match protocol https
 match protocol dns
! Traffic inside users are allowed to initiate towards the internet
class-map type inspect match-any TRUSTED_TO_INTERNET
 match protocol icmp
 match protocol tcp
 match protocol udp
!
policy-map type inspect INTERNET_TO_DMZ
 class type inspect INTERNET_TO_DMZ
  inspect
 class class-default
  ! class-default drops by default; stated explicitly for clarity
  drop
policy-map type inspect TRUSTED_TO_INTERNET
 class type inspect TRUSTED_TO_INTERNET
  inspect
 class class-default
  drop
!
zone-pair security TRUSTED_TO_INTERNET source TRUSTED destination INTERNET
 service-policy type inspect TRUSTED_TO_INTERNET
zone-pair security INTERNET_TO_DMZ source INTERNET destination DMZ
 service-policy type inspect INTERNET_TO_DMZ
! No zone-pair is defined for TRUSTED <-> DMZ, so traffic between those zones is dropped by default
Thank you.
Edit: So far so good. But how do I verify inside traffic to the DMZ is being dropped? I guess since there is no pair it won't show up when I enter the show policy-map type inspect zone-pair command... but the pings seem to be dropped as desired.
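The two questions the thread leaves open are the reply's point that a DMZ needs two rule sets (DMZ <-> Outside and DMZ <-> Inside) and the edit's question of how to confirm that inside-to-DMZ traffic is dropped when no zone-pair exists. Because a zone-based firewall drops inter-zone traffic for every ordered pair that has no zone-pair, the cleanest off-box check is to build the full zone-pair matrix from the config and look at which pairs are implicitly dropped. The script below is an added example, not code from the thread or from Cisco: it parses a constructed copy of the config posted above (with the zone definitions placed first) and reports, for every pair of distinct zones, either the protocols the router will inspect or "implicit-drop". It only models inter-zone traffic; intra-zone traffic and the router's own "self" zone are outside its scope.

```python
# Constructed sample: the thread's zone-based firewall config, zones defined first.
SAMPLE_CONFIG = """
zone security TRUSTED
zone security INTERNET
zone security DMZ
interface FastEthernet0/0
 zone-member security TRUSTED
interface FastEthernet0/1
 zone-member security INTERNET
interface FastEthernet1/0
 zone-member security DMZ
class-map type inspect match-any INTERNET_TO_DMZ
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any TRUSTED_TO_INTERNET
 match protocol icmp
 match protocol tcp
 match protocol udp
policy-map type inspect INTERNET_TO_DMZ
 class type inspect INTERNET_TO_DMZ
  inspect
 class class-default
policy-map type inspect TRUSTED_TO_INTERNET
 class type inspect TRUSTED_TO_INTERNET
  inspect
 class class-default
zone-pair security TRUSTED_TO_INTERNET source TRUSTED destination INTERNET
 service-policy type inspect TRUSTED_TO_INTERNET
zone-pair security INTERNET_TO_DMZ source INTERNET destination DMZ
 service-policy type inspect INTERNET_TO_DMZ
"""


def parse_zbf(config):
    """Extract zones, class-map protocols, policy-map actions and zone-pairs.

    Sub-commands are recognised by their leading space, as in IOS running-config.
    """
    zones, class_maps, policy_maps, zone_pairs = [], {}, {}, {}
    section, current_class = None, None  # section: (kind, key) of the open block
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("!"):
            continue
        tokens = line.split()
        if not line.startswith(" "):  # top-level command opens a new block
            section, current_class = None, None
            if tokens[:2] == ["zone", "security"]:
                zones.append(tokens[2])
            elif tokens[:3] == ["class-map", "type", "inspect"]:
                class_maps[tokens[-1]] = []
                section = ("class", tokens[-1])
            elif tokens[:3] == ["policy-map", "type", "inspect"]:
                policy_maps[tokens[3]] = {}
                section = ("policy", tokens[3])
            elif tokens[:2] == ["zone-pair", "security"]:
                src = tokens[tokens.index("source") + 1]
                dst = tokens[tokens.index("destination") + 1]
                section = ("pair", (src, dst))
            continue
        if section is None:
            continue  # sub-command of a block we do not model (e.g. interface)
        kind, key = section
        if kind == "class" and tokens[:2] == ["match", "protocol"]:
            class_maps[key].append(tokens[2])
        elif kind == "policy":
            if tokens[0] == "class":
                current_class = tokens[-1]  # "class type inspect X" or "class class-default"
                policy_maps[key].setdefault(current_class, None)  # no action yet = drop
            elif current_class and tokens[0] in ("inspect", "pass", "drop"):
                policy_maps[key][current_class] = tokens[0]
        elif kind == "pair" and tokens[:3] == ["service-policy", "type", "inspect"]:
            zone_pairs[key] = tokens[3]
    return zones, class_maps, policy_maps, zone_pairs


def zone_pair_matrix(config):
    """Map every ordered (src, dst) zone pair to the protocols it permits,
    or to 'implicit-drop' when no zone-pair exists for that direction."""
    zones, class_maps, policy_maps, zone_pairs = parse_zbf(config)
    matrix = {}
    for src in zones:
        for dst in zones:
            if src == dst:
                continue
            policy = zone_pairs.get((src, dst))
            if policy is None:
                matrix[(src, dst)] = "implicit-drop"
                continue
            allowed = []
            for cls, action in policy_maps[policy].items():
                if action in ("inspect", "pass"):  # class-default with no action drops
                    allowed.extend(class_maps.get(cls, []))
            matrix[(src, dst)] = sorted(allowed)
    return matrix


if __name__ == "__main__":
    for (src, dst), verdict in sorted(zone_pair_matrix(SAMPLE_CONFIG).items()):
        print(f"{src:>8} -> {dst:<8} {verdict}")
```

Running it against the sample shows four of the six directions (TRUSTED -> DMZ, DMZ -> TRUSTED, DMZ -> INTERNET, INTERNET -> TRUSTED) as implicit-drop, which is exactly why the pings from the inside to the DMZ fail and why no counters appear for that pair in the zone-pair show output. When inside hosts do need to reach DMZ servers later, the matrix makes it obvious that a TRUSTED -> DMZ zone-pair with its own narrow class-map is the rule set to add, rather than widening INTERNET_TO_DMZ.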