Edge and DMZ infrastructure - Your input


shoguneye

Member
Jan 21, 2016
38
6
8
61
Hi all, I'm putting some gear up in a Colo for an internet facing application. I know this is very high level, just looking for some initial feedback.

Can you please comment and ideally make a recommendation on the overall design and any hardware (rackable).

Initially I'll have a 100 Mbps connection, maybe two and if things go well will want to plan for 1 Gb...
Traffic basically SSL and limited VPN
I'll want IPS and potentially IDS intraDMZ

Screening router - BGP / NAT and traffic cop to cut down on the F/W workload - Overkill?
F/W - Looking at Palo Alto because of their superior Application Management capabilities although I like what Fortinet has to offer but see PA as a leader on the App side.
Switch Layer - 1 Gb ports are fine for the hosts but would want 10 Gb upload capability, stackable. Would prefer an option with routing capabilities.
Hosts
I might get a dedicated small F/W for the authentication backend (dedicated to the internet facing clients with no connectivity to the enterprise) to provide an additional layer of protection, but this might be provided for with the first F/W depending on the number of interfaces and zoning.
Interested in micro-segmentation but at this stage this is not a must and I'm constrained by the technology and may not see the benefit.
If the costs are right I'll also add an SSL accelerator and Load Balancer (might be a feature of the SSL acc)
If the costs are right I'll also add Taps to capture and analyze

Cheers
 

chilipepperz

Active Member
Mar 17, 2016
212
64
28
54
Not sure if I have a similar setup or I am doing something different. But I have a web app (http(s), SSH, ftp, OpenVPN are main services externally) and NAT.

My idea, that might be similar but smaller than your question, is to colo a server to run the app. I'd stick a pfSense in front, and firewall off everything but the ports for the above on WAN. NAT from pfSense to downstream server instances at least for IPv4 (since I don't know if you need it on IPv6). I'd use HAProxy for SSL offload and load balancing.

I was going to look at PAN firewalls but I think for my application there's little sitting behind outside of that.

It sounds like you're thinking bigger with more varied use cases? Maybe share what you're trying to do?
 

shoguneye

Member
Jan 21, 2016
38
6
8
61
Hi, thanks for your input. My use case is actually quite simple; it's just a matter of profiling the s/w and h/w that would best suit the needs. I've heard of pfSense and quite honestly am not sure how that stacks up to some of the bigger names but will definitely take a look, same goes for HAProxy. I've been looking at some appliances, Barracuda and Kemp, for those capabilities but if the demand can be met with compute at the backend and DNS based round robin then I may forgo the initial expense and bolt on later if performance demands it.
IP4 is fine for me although it has some interesting security characteristics I'd be interested in but maybe not Phase I. It does make the network scan a whole different ball game.
 
Jan 30, 2016
36
7
8
37
I run pfsense in my Colo with all wans on there and then I use haproxy behind that doing SSL offloading. Highly recommend haproxy; we use it for almost everything: proxying, load balancing, even for mysql.
 

shoguneye

Member
Jan 21, 2016
38
6
8
61
Thanks, so you use the pfSense as a router/f/w on the edge; that saves me a dedicated device and 1U, and then it's just a matter of defining the h/w profile. Are you happy with the reporting capabilities and throughput?
 
Jan 30, 2016
36
7
8
37
Yes, pfsense on the edge and all wan interfaces defined on it. Then they are passed via iptable rules to various haproxies. I find the reporting to be good if you turn on logging on the rules and then send them to an ELK server like I do; from there I have created dashboards for all rules. We have run our system on this setup with a few other safeguards and tweaks and it has been running without issue for 4 years or so.
 
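The per-rule logging pipeline described above (pfSense rule logs shipped to ELK, dashboards per rule) needs the firewall's filterlog lines split into fields before they are useful. This added example is not from the thread; it is a small parser plus a per-rule blocked-count summary, and it assumes the filterlog CSV field order (common header, IPv4 header, then TCP/UDP fields) as documented for pfSense. The sample lines are constructed, not real traffic.

```python
import csv
from collections import Counter
from typing import Dict, List, Optional

# Field order below is an assumption based on the documented pfSense filterlog
# layout: common fields, then IPv4 header fields, then protocol-specific fields.
COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window", "urg", "options"]
UDP = ["sport", "dport", "datalen"]


def parse_filterlog(line: str) -> Optional[Dict[str, str]]:
    """Turn one filterlog line (syslog prefix optional) into a flat dict for ELK."""
    payload = line.split("filterlog: ", 1)[-1].strip()
    fields = next(csv.reader([payload]))
    rec = dict(zip(COMMON, fields))
    # Only IPv4 is modelled here; IPv6 or truncated lines are skipped rather than misparsed.
    if rec.get("ipver") != "4" or len(fields) < len(COMMON) + len(IPV4):
        return None
    rest = fields[len(COMMON):]
    rec.update(zip(IPV4, rest))
    l4 = rest[len(IPV4):]
    if rec["proto"] == "tcp":
        rec.update(zip(TCP, l4))
    elif rec["proto"] == "udp":
        rec.update(zip(UDP, l4))
    return rec


def blocked_per_rule(lines: List[str]) -> Dict[str, int]:
    """Count blocked inbound packets per rule tracker id, i.e. the per-rule dashboard view."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block" and rec["direction"] == "in":
            counts[rec["tracker"]] += 1
    return dict(counts)


# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE = [
    "Jan 30 10:00:01 edge filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,54321,22,0,S,1234567890,,65535,,mss;sackOK",
    "Jan 30 10:00:02 edge filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,54322,3389,0,S,1234567891,,65535,,mss",
    "Jan 30 10:00:03 edge filterlog: 70,,,1770000010,igb0,match,pass,in,4,0x0,,64,12347,0,DF,6,tcp,60,198.51.100.7,192.0.2.10,40000,443,0,S,1234567892,,65535,,mss",
    "Jan 30 10:00:04 edge filterlog: 9,,,1000000200,igb0,match,block,in,4,0x0,,64,1,0,none,17,udp,78,203.0.113.9,192.0.2.10,5353,5353,58",
]
```

Feeding the dict from parse_filterlog to Logstash or directly to Elasticsearch gives the same per-rule split the dashboards key on, with tracker being the stable id across rule reorders.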

shoguneye

Member
Jan 21, 2016
38
6
8
61
I'll have to up my Linux game. Looks like ELK has some potential here as I'm looking at a SIEM implementation and want to correlate meaningful events into action items.