Hi all, I'm putting some gear up in a colo for an internet-facing application. I know this is very high level, just looking for some initial feedback.
Can you please comment and ideally make a recommendation on the overall design and any hardware (rackable).
Initially I'll have a 100 Mbps connection, maybe two and if things go well will want to plan for 1 Gb...
Traffic basically SSL and limited VPN
I'll want IPS and potentially IDS intra-DMZ
Screening router - BGP / NAT and traffic cop to cut down on the F/W workload - Overkill?
F/W - Looking at Palo Alto because of their superior Application Management capabilities although I like what Fortinet has to offer but see PA as a leader on the App side.
Switch Layer - 1 Gb ports are fine for the hosts but would want 10 Gb uplink capability, stackable. Would prefer an option with routing capabilities.
Hosts
I might get a dedicated small F/W for the authentication backend (dedicated to the internet-facing clients, with no connectivity to the enterprise) to provide an additional layer of protection, but this might be provided for by the first F/W depending on the number of interfaces and zoning.
Interested in micro-segmentation, but at this stage this is not a must, and I'm constrained by the technology and may not see the benefit.
If the costs are right I'll also add an SSL accelerator and Load Balancer (might be a feature of the SSL acc)
If the costs are right I'll also add Taps to capture and analyze
Cheers