
I need to find a firewall that will give me 1 LAN port, and 5-7 DMZ ports.

I have a requirement to replace some FreeBSD systems that are used to run some testing equipment. It is essential that the DMZ ports cannot communicate with each other, but the LAN port can communicate with everyone. That way a user on the LAN can connect to the test systems, but the test systems are isolated entirely and cannot interfere with each other.

One of the DMZs will be connected to a VMWare ESXi server, one to a standard server, and the rest to various types of equipment.

The LAN port will be connected to the corporate LAN switch.

Sorry if I am a little vague, I am just trying to work all this out myself! Currently we have a FreeBSD box configured, but the quad port NICs are pretty expensive, and the PC itself is old, so I would prefer to replace it with a dedicated piece of kit which can do the same job, but more reliably! These test rigs are used all over the place, and get moved quite often, so I am aiming for Cisco kit for ease of configuration and reliability of the hardware itself.

Thanks

BParker
  • Just so I'm 100% sure: You want 5-7 different DMZ zones? As in, 5-7 different subnets? – pauska Apr 21 '10 at 09:23
  • When I setup a "DMZ" I typically try to put each server or service in it's own subnet and make the firewall the default route for everything, rather than have every DMZ service in a single subnet. For instance, there is no reason why my FTP server should be able to ssh to my DNS server, or my web server send DNS traffic to my mail server. – chris Apr 26 '10 at 15:57

3 Answers

3

One of the Cisco 55xx series ASA hardware firewalls should be what you're after.

You should probably have a good look through their various specifications and choose the one that gives you the right feature set. (It's difficult for me to do this, not knowing your exact set up currently). Also choose one which will give you room to expand in the future.

If I had to guess, I'd say to choose the 5520 or 5540 models.

If you want High Availability, you'll need 2 of these, that support Active/Standby configuration. This is supported by models 5520 and above.

You might be able to save some money by having the DMZ ports on a VLAN which is then distributed by a managed switch. That way, you could trunk multiple DMZs traffic over a single port, with a virtual interface (You could do this on your FreeBSD box too, might save you having to have a quad port server NIC.) [YMMV on this bit though]

Tom O'Connor
  • And this was also my suggestion, I just wanted to get confirmation about 5-7 different DMZ zones. +1 – pauska Apr 21 '10 at 09:33
  • We use Cisco Cat65's with ACEs - but that's probably overkill... – Chopper3 Apr 21 '10 at 13:37
  • +1 on ASAs ... although I would start looking at the 5510 (possibly with Security+ although with what he is describing it doesn't seem that is needed) especially if price is an issue. – Zypher Apr 21 '10 at 16:15
  • @Chopper: Showoff :) – Zypher Apr 21 '10 at 16:15
  • @Zypher, I know, I'm lucky - I get to fix problems with a chequebook, I love coming on here and seeing how smarter guys than me do the same using their brains :) – Chopper3 Apr 21 '10 at 18:03
  • @Chopper: yep must be nice! I'm off to build a couple of VMs on my new 12 core (24 with hyperthreading) 48GB esx box ... >:-D – Zypher Apr 21 '10 at 18:41
  • @Zypher, I've been playing with a HP DL980 G7 recently - 8 x 8-core (+HT), 1TB memory! Nice ESX4 box :) – Chopper3 Apr 21 '10 at 19:12
  • @Chopper3 You're lucky. That's a beast of a box. – Tom O'Connor Apr 21 '10 at 19:55
  • Erik: Yes, definitely 5-7 DMZs. Each DMZ needs to be completely isolated from the others, but contactable from workstations on the corporate LAN. – BParker Apr 23 '10 at 08:06
  • Currently the BSD box we are using had a quad port NIC, the motherboard's internal NIC, and two standard single port NICs. The problem is that the quad ports are expensive. I was hoping that Cisco would do a firewall I could configure to have say 8 ports, one for the LAN, the rest as isolated DMZs. If it is indeed possible to have a single port on the BSD box for the corp LAN, and another for the DMZs, aggregated but split out at a managed switch, that would be simpler and cheaper. – BParker Apr 23 '10 at 08:06
  • If anyone can point out a few how-tos I would be really grateful! – BParker Apr 23 '10 at 08:07
2

I'll elaborate on what Kyle's describing:

You need a firewall that understands 802.1q vlan tagging. Ideally it will have at least one gigabit interface.

You need a switch that also speaks 802.1q vlan tagging.

Now -- configure each of your DMZs and associate each DMZ with a different 802.1q tag, let's say the tags are 10, 20, 30, and 40.

Now, add all those tags to one interface on the firewall (thus creating a "VLAN trunk") and run that "trunk" to a switch that also has those VLAN tags associated with that port.

Now, put several other switch ports untagged on each VLAN and connect those untagged ports to the host computers.

Now your firewall has exclusive access to all the tags and can enforce ACLs that prevent one subnet from accessing any other DMZ subnet.

chris
  • I think this is why some vendors don't support 802.1q tags on their firewalls. If I've got a firewall with a gig interface that supports 802.1q, I don't really need more than a port or two. So long as I *never* expose the trunk to a non-network device, I'm not really worried about tag hopping antics. – chris Apr 21 '10 at 16:41
  • Off the top of their heads, does anyone know if BSD's ipfw supports 802.1q tagging? If so, can you point me in the direction of a good how-to? – BParker Apr 23 '10 at 08:02
  • I don't think it is IPFW per se that supports 802.1q tagging; it is that you create several virtual interfaces each with their own tag, and then create policies between these interfaces (and hence the vlans). the vlan man page and http://people.freebsd.org/~arved/vlan/vlan_en.html discuss this. – chris Apr 26 '10 at 04:35
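The FreeBSD side of the trunk-plus-ipfw design described in this answer, as an added example that is not part of the original post or of any commenter's setup. It generates the rc.conf fragment that creates one vlan(4) interface per DMZ tag on a single trunk NIC, and an ipfw ruleset that lets the LAN port open sessions to any DMZ while denying every DMZ-to-DMZ path. Interface names (em0, em1), the VLAN tags (10 20 30 40), the LAN subnet and the 10.0.<tag>.0/24 addressing plan are all assumptions chosen for illustration; substitute your own.

```shell
#!/bin/sh
# Added example (not the original poster's config): emit FreeBSD rc.conf
# and ipfw rules for 1 LAN port + N isolated DMZ VLANs on one 802.1q trunk.
# All interface names, tags and subnets below are assumed for illustration.

LAN_IF="em0"              # untagged port to the corporate LAN switch
LAN_NET="192.168.1.0/24"  # assumed corporate LAN subnet
LAN_GW="192.168.1.1"      # firewall's address on the LAN
TRUNK_IF="em1"            # single port trunked (tagged only) to the managed switch
DMZ_VLANS="10 20 30 40"   # one 802.1q tag per DMZ; switch access ports use the same tags

# Assumed addressing plan: DMZ with tag N is 10.0.N.0/24, firewall is 10.0.N.1
dmz_net() { echo "10.0.$1.0/24"; }
dmz_gw()  { echo "10.0.$1.1"; }

# rc.conf fragment: vlans_em1="10 20 ..." makes em1.10, em1.20, ... at boot,
# and ifconfig_em1_<tag> addresses each one. Each DMZ host uses 10.0.<tag>.1
# as its default gateway, so every packet it sends crosses the firewall.
dmz_rc_conf() {
  echo "ifconfig_${LAN_IF}=\"inet ${LAN_GW} netmask 255.255.255.0\""
  echo "vlans_${TRUNK_IF}=\"${DMZ_VLANS}\""
  for tag in $DMZ_VLANS; do
    echo "ifconfig_${TRUNK_IF}_${tag}=\"inet $(dmz_gw "$tag") netmask 255.255.255.0\""
  done
  echo "gateway_enable=\"YES\""        # forward between the interfaces
  echo "firewall_enable=\"YES\""
  echo "firewall_type=\"/etc/ipfw.rules\""   # rc.firewall loads this file into ipfw
}

# ipfw ruleset (one 'add' command per line, as read by: ipfw /etc/ipfw.rules).
# Policy: LAN may initiate to anything; nothing a DMZ host initiates is allowed.
dmz_ipfw_rules() {
  echo "add 100 check-state"                      # replies to LAN-opened sessions
  echo "add 200 allow ip from any to any via lo0"
  # LAN workstations open sessions to any DMZ; keep-state admits the replies
  echo "add 1000 allow ip from ${LAN_NET} to any in recv ${LAN_IF} keep-state"
  # Explicit DMZ-to-DMZ denies so the intent shows up in 'ipfw show' counters
  n=2000
  for src in $DMZ_VLANS; do
    for dst in $DMZ_VLANS; do
      [ "$src" = "$dst" ] && continue
      echo "add $n deny ip from $(dmz_net "$src") to $(dmz_net "$dst")"
      n=$((n + 1))
    done
  done
  # Default deny: DMZ-initiated traffic to the LAN or the firewall is dropped too
  echo "add 65000 deny ip from any to any"
}

# Number of explicit DMZ-to-DMZ deny rules generated (N * (N - 1) for N DMZs)
dmz_deny_count() { dmz_ipfw_rules | grep -c '^add 2[0-9]* deny'; }

# Usage: run, then review before installing
#   ./dmz_fw.sh > /tmp/rc.conf.dmz; dmz_ipfw_rules > /tmp/ipfw.rules
dmz_rc_conf
echo "---"
dmz_ipfw_rules
```

Two checks worth doing once this is in place: from a host in VLAN 10, confirm you cannot reach 10.0.20.1 or any address in 10.0.20.0/24 while a LAN workstation still can; and on the switch, make sure the trunk port carries the DMZ tags tagged only, with no native/untagged VLAN, so a host that somehow ends up on the trunk cannot inject frames into a DMZ without a tag. Hosts that share one VLAN talk to each other through the switch without ever reaching the firewall, so this design only isolates a test rig if it is the sole device on its tag.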
0

Depending on your security needs, if you have a good modern switch you can make each DMZ a VLAN and just use one port, and then have the rules separating each DMZ on the router.

There are arguments against this though, there used to be ways to bypass vlans (vlan hopping), but I think there is nothing current. Also, a misconfiguration of the switch could lead to a security hole.

Kyle Brandt
  • I'm not too bothered about VLAN hopping, since this is in a controlled environment. Can you give me any further detail on how to set this up the way you describe? – BParker Apr 23 '10 at 08:01