A design that must stay up

  • Public face of an organization
  • The place where downtime is incredibly harmful
  • The place where budgets are approved

Ultra Redundant, Ultra Secure Firewall Design

  • Only method through the layers is via the servers
  • Option of using different firewall vendors at different layers
  • Supports virtual firewalls using the FWSM (Firewall Services Module) or ACE (Application Control Engine) module

ASA / FWSM Service modes

  • Routed mode (more common) allows the FWSM to divide subnets
  • Transparent mode (aka Bump-In-The-Wire) makes the FWSM a cloaked device

Server Load Balancing Options

  • Three Cisco devices can do it:
    • Content Services Switch ( CSS )
    • Content Switching Module ( CSM )
    • Application Control Engine ( ACE )
  • Three Design Approaches for it:
    • Router Mode
    • Bridge Mode
    • One/Two-ARM Mode

E-Commerce Connections and redundancy

  • DNS Based Redundancy
    • Different public address blocks assigned
    • Public DNS assigned to both blocks
    • Public DNS must detect failure
    • Failover typically occurs in 5 – 10 minutes
  • BGP Based Redundancy
    • Same public address blocks assigned
    • Both ISPs advertise the prefix
    • Firewalls support stateful failover
    • Failover dependent on BGP latency
  • Using Multiple Datacenters
    • Ultimate in redundancy
    • Feeds an active/active design
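To show why the DNS-based option above fails over in minutes rather than seconds, here is a constructed Python model (added example, not from the notes or any Cisco product): a health-checking public DNS that serves two address blocks and a client resolver that honours the TTL. Block names, addresses (RFC 5737 documentation ranges) and the probe interval, failure threshold and TTL are assumptions chosen to be realistic.

```python
# Constructed model of DNS-based redundancy (added example, not from the notes).
from dataclasses import dataclass, field


@dataclass
class HealthCheckedDns:
    """Public DNS that answers only with the address blocks still believed healthy."""
    blocks: dict                  # block name -> public address (constructed sample values)
    ttl: int = 300                # seconds a client may cache the answer
    probe_interval: int = 30      # seconds between health probes of each block
    failure_threshold: int = 3    # consecutive failed probes before a block is withdrawn
    _failures: dict = field(default_factory=dict)

    def probe(self, results: dict) -> None:
        """Record one probe round: results maps block name -> True if reachable."""
        for name, ok in results.items():
            self._failures[name] = 0 if ok else self._failures.get(name, 0) + 1

    def healthy(self) -> list:
        return [n for n in self.blocks if self._failures.get(n, 0) < self.failure_threshold]

    def resolve(self) -> list:
        """The A-record answer: addresses of healthy blocks only."""
        return [self.blocks[n] for n in self.healthy()]

    def worst_case_failover_seconds(self) -> int:
        """Detection time plus the longest a client may keep using a stale answer."""
        return self.probe_interval * self.failure_threshold + self.ttl


def simulate_isp_a_outage(dns=None) -> dict:
    """ISP A goes dark at t=0. Report when DNS withdraws its block and when a
    client that cached the pre-outage answer at t=0 first stops using it."""
    dns = dns or HealthCheckedDns({"isp-a": "203.0.113.10", "isp-b": "198.51.100.10"})
    cached, expires_at = dns.resolve(), dns.ttl      # client resolved at t=0
    withdrawn_at = client_failover_at = None
    for t in range(dns.probe_interval, dns.worst_case_failover_seconds() + 1, dns.probe_interval):
        dns.probe({"isp-a": False, "isp-b": True})  # A unreachable, B fine
        if withdrawn_at is None and "isp-a" not in dns.healthy():
            withdrawn_at = t
        if t >= expires_at:                          # TTL expired: client re-resolves
            cached, expires_at = dns.resolve(), t + dns.ttl
        if client_failover_at is None and "203.0.113.10" not in cached:
            client_failover_at = t
    return {"withdrawn_at": withdrawn_at, "client_failover_at": client_failover_at,
            "worst_case": dns.worst_case_failover_seconds()}
```

With these assumed values the DNS withdraws the failed block after 90 s, a client that resolved just before the outage keeps using it until its 300 s TTL expires, and the worst case is 390 s, i.e. about 6.5 minutes, inside the 5 to 10 minute window the notes give. The knobs that shorten it (probe interval, failure threshold, TTL) are exactly the ones the BGP-based design does not depend on.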

E-Commerce Firewall Design

  • E-Commerce firewalls often drop directly onto the core layer
  • Modular switches house service modules for multiple functions
  • Multiple options exist for the aggregation layer
