Content Networking Fundamentals

Within a corporate headquarters location, you can design a data center to house internal corporate servers and public servers accessible from the Internet. The corporate data center consists of the Internet access demarcation point to the Internet service provider (ISP). You will require a router in order to peer with the ISP router to share Internet routing information. To secure the network, use a firewall to provide stateful flow inspection of incoming traffic destined to your groups of servers. Your server groups may include

• Public Internet Servers Public servers are available to anyone on the Internet. Your public servers may require initiating connections to the Internet for downloading software updates. They may also require connecting to internal resources, such as databases, e-mail, and storage servers.

• Extranet Servers Semi-private servers contain sites dedicated to providing services to partners or customers that require network segmentation from other less-secure server groups. Like the public servers, the extranet servers may require the initiation of connections to the Internet and to certain internal resources.

• Intranet Servers Private servers available only to internal corporate applications. Your public or extranet applications may require access to specific applications running on the intranet servers. In that case, you should locate the public databases, e-mail, storage, and file servers here for the public and extranet servers to access. Also, some of the private servers may require initiating connections to the Internet.

• Corporate Network Workstations and Servers You should locate corporate clients and servers that are not publicly accessible from the Internet on a separate segment. These segments require firewall filtering from the public servers as well as from the Internet. A second firewall is beneficial for this purpose, as illustrated in Figure 4-3. Workstations and servers in the corporate network must be able to initiate connections to the Internet and to all server groups discussed previously.

Note

For simplicity, the data center core is illustrated with only a single switch in Figure 4-3, but instead of using a single switch, you can use the highly available network core as illustrated in Figure 4-2. As such, you may enable most features in Figure 4-2 in this environment.

Figure 4-3 uses a Layer 3 core switch to provide VLAN capabilities in order to logically segment the groups of servers into VLANs. If you have a Firewall Service Modules (FWSM) in a Catalyst 6500 series core switch, you can apply filtering rules directly to the VLANs within the switch. Alternatively, you can trunk the VLANs from the Catalyst 6500 switch to the PIX firewall, where you can apply stateful filtering. The last option is to filter VLANs in the Catalyst 6500/7600 IOS using stateless ACLs, basic ACLs, reflexive ACLs, or CBAC as discussed previously. Other Layer 3 switches such as the Cisco 4500 and 3550 series switches that are smaller than the Catalyst 6500 are available for you to use in the data center core to provide similar VLAN routing and security capabilities within IOS.

Note

Enabling the IOS firewall feature set substantially increases the switch-processing load. Carefully evaluate whether your switch has the capacity to handle the traffic load before enabling any IOS firewall features.

You can also connect individual switches directly to the firewall on dedicated ports to achieve the same logical security design as illustrated previously in Figure 4-3. However, dedicated firewall ports are more expensive than using VLANs. Figure 4-4 illustrates how to connect the VLANs to the firewall directly.

Your organization's corporate clients and servers should reside within a corporate network segment. As Figures 4-3 and 4-4 suggest, a separate firewall for the corporate network is beneficial for providing additional security to the internal network. To manage the public servers, use a second management VLAN, with a direct link into the corporate network. Each server in the public and extranet VLANs requires a separate network interface with only limited management protocols enabled, such as SNMP and remote console services.

The Demilitarized Zone (DMZ) segment is available for transparent IPSs and IDSs. These devices should receive and process traffic before it is filtered on the firewall. IPSs and IDSs must receive non-filtered traffic in order to accurately inspect application traffic and block offending traffic. Traffic is blocked by the IPS or IDS appliances by configuring it to apply policy rules to firewalls, adjusting routing metrics advertised to the ISP, or actively spoofing and resetting incoming TCP connections directly. You must configure the public facing network interface of the IPS or IDS as a monitoring port and configure port mirroring on your DMZ switch. To manage these servers, you can install and configure another network port and attach it to an internal segment.

Sandwiching public servers between two different firewalls has the benefit of using firewalls from multiple vendors to secure internal resources. Because firewalls from different vendors rarely share the same security vulnerabilities, if an attacker compromises the first firewall, the second will protect the internal network from attacks. Figure 4-5 illustrates the public VLAN that is between two firewalls, instead of hanging off a single firewall with the rest of the VLANs in your network.

You can design a shared or dedicated web hosting data center in a similar fashion to the enterprise data center illustrated previously in Figure 4-3. However, in some dedicated hosting environments, you would want to give your customers full administrative access to the servers they lease. The fact that you would have numerous untrusted clients administering servers within your network introduces further security concerns. Although enterprise data center servers are publicly accessible, users often have access only to specific services such as HTTP on port 80, not full administrative rights of the server unless compromised by a hacker. For these types of insecure segments, you should use private VLANs to ensure that one computer cannot access another in the Layer 2 broadcast domain. Private VLANs enables server traffic to reach router ports only and block traffic originating from server ports destined to other server ports. For example, switches with private VLANs enabled do not broadcast an Address Resolution Protocol (ARP) request from one server to all other servers on the same broadcast domain (or VLAN, in this case). The switch forwards the ARP request only to switch ports you configure as promiscuous. Promiscuous ports receive the traffic from all the private ports. You should configure switch ports with routers connected as promiscuous.