DMZ redundancy
How do you achieve DMZ redundancy if you have dual routers to multiple ISPs? Where would you place the DMZ?
I imagine you could stick the DMZ on either of the routers, configure an L3 link between them and let your routing protocol route between them. Configure the ACLs/policies outbound on those interfaces.
I guess another way would be to place the DMZ in between the two routers.
Obviously you're going to need to configure BGP (I think I've managed to get that bit done).
What's the best way to implement DMZ security anyway? Zone Based Firewall? How complicated would that be for someone who has never configured a firewall before?
Thanks.
Comments
-
f0rgiv3n:
What I've normally seen is one DMZ and two routers/firewalls. These can be redundant in quite a few different ways: HSRP, GLBP, VRRP or clustering (firewalls typically do this). Off the top of my head I can't think of any other method. You don't want to have two DMZs because that would just be confusing: two subnets with two routers/firewalls and two different sets of rules. There might be other reasons for having two DMZs, but not for the sole purpose of redundancy.
DMZ security can be implemented a couple of ways. One is to use NAT and a private IP range, and two is to just use straight-up public IP addresses. Personally, I like keeping it all public IPs for simplicity's sake. As far as actual firewall rules go... you'll either need a router with a zone-based firewall on it, or an actual firewall (like a Cisco ASA). You have two sets of rules: DMZ <-> Outside and DMZ <-> Inside.
If it were me, I would get two ASAs, configure them in a cluster and create one DMZ. Hopefully this helps! Let me know if you have any other questions!
Here's what my mind spilled out on paper:
-
Eildor:
Ah man, I seriously need to learn some security!
I'm under pressure to get this university project finished; so much to do, so little time. I still need to configure site-to-site VPNs, which seems to be over 9000 commands.
How about this: stick a switch on one of the routers and call that the DMZ. Implement zone-based policies on the router. Have an L3 link between the routers, so if the other ISP goes down traffic can still get to devices within the DMZ.
Anything wrong with that?
-
Eildor:
Here is what I want to configure:
1) Inside users should be able to access internet
2) Outside users should be able to access the DMZ
I've never done this before so I apologise right now if what I've done is incorrect. I'm looking for some feedback on whether the configuration is valid or not.
! Zones have to exist before an interface can be made a member of one,
! so they are defined first.
zone security TRUSTED
zone security INTERNET
zone security DMZ
!
interface FastEthernet0/0
 ! This is the interface connecting to the inside network
 zone-member security TRUSTED
interface FastEthernet0/1
 ! This is the interface connecting to the internet
 zone-member security INTERNET
interface FastEthernet1/0
 ! This is the interface connecting to the DMZ
 zone-member security DMZ
!
! Traffic the internet is allowed to initiate towards the DMZ
class-map type inspect match-any INTERNET_TO_DMZ
 match protocol http
 match protocol https
 match protocol dns
! Traffic inside users are allowed to initiate towards the internet
class-map type inspect match-any TRUSTED_TO_INTERNET
 match protocol icmp
 match protocol tcp
 match protocol udp
!
policy-map type inspect INTERNET_TO_DMZ
 class type inspect INTERNET_TO_DMZ
  inspect
 class class-default
  ! no action configured, so class-default drops
policy-map type inspect TRUSTED_TO_INTERNET
 class type inspect TRUSTED_TO_INTERNET
  inspect
 class class-default
!
! Only these two directions get a policy; every other zone pair is dropped by default
zone-pair security TRUSTED_TO_INTERNET source TRUSTED destination INTERNET
 service-policy type inspect TRUSTED_TO_INTERNET
zone-pair security INTERNET_TO_DMZ source INTERNET destination DMZ
 service-policy type inspect INTERNET_TO_DMZ
Thank you.
-
networker050184 (Mod):
What happens when you test it out? Does it work? If not, what isn't working?

An expert is a man who has made all the mistakes which can be made.
-
xXErebuS:
I would recommend purchasing a stateful firewall and using an external switch, so ISP1 to switch, ISP2 to switch, switch to firewall, and then the DMZs are on the firewall.
-
Eildor:
I'm testing it out as we speak. It seems I can access HTTP, HTTPS and DNS from the internet to the DMZ... so it looks like that part is OK.
Edit: So far so good. But how do I verify that inside traffic to the DMZ is being dropped? I guess since there is no zone-pair it won't show up when I enter the show policy-map type inspect zone-pair command... but the pings seem to be dropped as desired.
-
xXErebuS:
If they are members of different zones (which it appears they are) then the default action is to block; only members of the same zone, interfaces not in any zone, and the self zone are permitted by default.
-
Eildor:
I thought so, but I was wondering whether there were any counters for blocked traffic. It doesn't make a difference either way though; the traffic is being blocked. Cheers.
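An added example (my own, not code from the thread or from Cisco): a small Python audit of a zone-based firewall config such as the one posted above. It parses the zone, interface, class-map, policy-map and zone-pair statements and, for every ordered pair of zones, reports which protocols an explicit policy inspects and which directions fall through to ZBF's implicit drop, which is the answer to the "how do I verify inside-to-DMZ is dropped" question: a direction with no zone-pair never appears in show policy-map type inspect zone-pair because nothing was ever configured for it. The sample input is the configuration posted above, embedded as a constructed string; the function and variable names are my own, and same-zone and self-zone traffic are not modelled.

```python
"""Zone-pair coverage audit for a Cisco IOS zone-based firewall config.
Added example, not from the thread: for every ordered pair of zones it reports
whether src->dst traffic hits an explicit zone-pair/policy or falls through to
ZBF's default, which drops inter-zone traffic that has no zone-pair."""
import re
from itertools import permutations

# Constructed sample input: the zone-based firewall configuration posted above.
SAMPLE_CONFIG = """\
zone security TRUSTED
zone security INTERNET
zone security DMZ
interface FastEthernet0/0
 zone-member security TRUSTED
interface FastEthernet0/1
 zone-member security INTERNET
interface FastEthernet1/0
 zone-member security DMZ
class-map type inspect match-any INTERNET_TO_DMZ
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any TRUSTED_TO_INTERNET
 match protocol icmp
 match protocol tcp
 match protocol udp
policy-map type inspect INTERNET_TO_DMZ
 class type inspect INTERNET_TO_DMZ
  inspect
 class class-default
policy-map type inspect TRUSTED_TO_INTERNET
 class type inspect TRUSTED_TO_INTERNET
  inspect
 class class-default
zone-pair security TRUSTED_TO_INTERNET source TRUSTED destination INTERNET
 service-policy type inspect TRUSTED_TO_INTERNET
zone-pair security INTERNET_TO_DMZ source INTERNET destination DMZ
 service-policy type inspect INTERNET_TO_DMZ
"""

def parse_zbf(config):
    """Return zones, interface->zone, class-map->protocols,
    policy-map->{class: action} and zone-pair->{src, dst, policy}."""
    zones, members, cmaps, pmaps, pairs = set(), {}, {}, {}, {}
    ctx = cls = None  # ctx = (kind, name) of the config block being parsed
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"zone security (\S+)$", line):
            zones.add(m[1])
            ctx = None
        elif m := re.match(r"interface (\S+)", line):
            ctx = ("interface", m[1])
            members.setdefault(m[1], None)
        elif m := re.match(r"class-map type inspect match-(?:any|all) (\S+)", line):
            ctx = ("class-map", m[1])
            cmaps[m[1]] = []
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            ctx = ("policy-map", m[1])
            pmaps[m[1]] = {}
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            ctx = ("zone-pair", m[1])
            pairs[m[1]] = {"src": m[2], "dst": m[3], "policy": None}
        elif ctx is None:
            continue
        elif ctx[0] == "interface" and (m := re.match(r"zone-member security (\S+)", line)):
            members[ctx[1]] = m[1]
        elif ctx[0] == "class-map" and (m := re.match(r"match protocol (\S+)", line)):
            cmaps[ctx[1]].append(m[1])
        elif ctx[0] == "policy-map" and (m := re.match(r"class (?:type inspect )?(\S+)", line)):
            cls = m[1]
            pmaps[ctx[1]][cls] = "drop"  # a class with no action configured drops
        elif ctx[0] == "policy-map" and line in ("inspect", "pass", "drop"):
            pmaps[ctx[1]][cls] = line
        elif ctx[0] == "zone-pair" and (m := re.match(r"service-policy type inspect (\S+)", line)):
            pairs[ctx[1]]["policy"] = m[1]
    return zones, members, cmaps, pmaps, pairs

def zone_matrix(config):
    """(src, dst) -> ("policy", allowed protocols) or ("drop", ()) per zone pair."""
    zones, _, cmaps, pmaps, pairs = parse_zbf(config)
    by_pair = {(p["src"], p["dst"]): p["policy"] for p in pairs.values()}
    matrix = {}
    for src, dst in permutations(sorted(zones), 2):
        policy = by_pair.get((src, dst))  # None: no zone-pair, or one without a policy
        if policy is None:
            matrix[(src, dst)] = ("drop", ())
            continue
        allowed = [proto for c, action in pmaps[policy].items()
                   if action in ("inspect", "pass") for proto in cmaps.get(c, [])]
        matrix[(src, dst)] = ("policy", tuple(allowed))
    return matrix

if __name__ == "__main__":
    for (src, dst), (kind, protos) in zone_matrix(SAMPLE_CONFIG).items():
        print(f"{src:>8} -> {dst:<8} {kind}: {' '.join(protos) or 'implicit, no zone-pair'}")
```

Run against the posted config, the only pairs with a policy are TRUSTED -> INTERNET (icmp, tcp, udp) and INTERNET -> DMZ (http, https, dns); TRUSTED -> DMZ, DMZ -> TRUSTED, INTERNET -> TRUSTED and DMZ -> INTERNET all fall through to the implicit drop. The last of those is worth noticing: return traffic for inspected sessions is allowed by the stateful inspect, but the DMZ hosts cannot open sessions of their own (their DNS lookups, package updates, NTP) until a zone-pair for that direction is added. Packets discarded by the implicit drop can be logged on IOS with ip inspect log drop-pkt, which gives the counters the thread was looking for.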