02/02/2018
E-Commerce
A design that must stay up
- Public face of an organization
- The place where downtime is incredibly harmful (lost revenue and reputation)
- The place where budgets are approved
Ultra-Redundant, Ultra-Secure Firewall Design
- The only path between layers is through a server in each tier; no firewall rule lets traffic skip a tier (a compromised web server can reach only the app tier, never the database tier directly)
- Option of using different firewall vendors at different layers, so one vendor's bug or misconfiguration does not open every layer at once
- Supports virtual firewalls (security contexts) on the FWSM (Firewall Services Module) or ACE (Application Control Engine) module, so one chassis can host a separate firewall per tier
ASA / FWSM Service Modes
- Routed mode (more common): the firewall is a Layer 3 hop; each interface sits in its own subnet and the FWSM routes (and can NAT) between them, which is how it divides subnets
- Transparent mode (aka bump-in-the-wire): the firewall bridges two VLANs in the same subnet at Layer 2 and has only a management IP; hosts and routers never see it as a hop, so it can be inserted without readdressing
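The two service modes and multiple-context (virtual firewall) mode, as an added configuration example that is not part of these notes. It uses ASA 8.4-style syntax; the FWSM is close but differs in detail (its transparent mode takes a global `ip address` instead of a BVI, and its NAT uses the older `static (in,out)` form). VLAN numbers, addresses, context names and file names are hypothetical.

```cisco
! --- Routed mode (default): each interface is its own subnet; the firewall is a routed hop
interface Vlan10
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface Vlan20
 nameif web
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
! Static NAT for one web server and a rule that permits only HTTPS inbound to it
object network web1
 host 10.10.20.11
 nat (web,outside) static 203.0.113.11
access-list OUTSIDE_IN extended permit tcp any object web1 eq 443
access-group OUTSIDE_IN in interface outside

! --- Transparent mode (bump-in-the-wire): bridge VLAN 10 and VLAN 11, same subnet on both sides
firewall transparent
interface Vlan10
 nameif outside
 bridge-group 1
 security-level 0
!
interface Vlan11
 nameif inside
 bridge-group 1
 security-level 100
!
! The BVI address is for management only; no host routes through it
interface BVI1
 ip address 10.10.20.2 255.255.255.0
!
! Servers keep their existing addresses; the policy filters the bridged traffic
access-list OUTSIDE_IN extended permit tcp any host 10.10.20.11 eq 443
access-group OUTSIDE_IN in interface outside

! --- Virtual firewalls: multiple-context mode, one context per e-commerce tier
mode multiple
admin-context admin
context admin
 allocate-interface Vlan99
 config-url disk0:/admin.cfg
!
context WEB-TIER
 allocate-interface Vlan10
 allocate-interface Vlan20
 config-url disk0:/web-tier.cfg
!
context APP-TIER
 allocate-interface Vlan20
 allocate-interface Vlan30
 config-url disk0:/app-tier.cfg
```

The point of the contexts is that WEB-TIER and APP-TIER have separate rule bases and separate administrators; Vlan20 is shared between them, so traffic from the web tier to the app tier is inspected twice, once by each context, which is the "only through a server in each tier" property above.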
Server Load Balancing Options
- Three Cisco devices can do it:
- Content Services Switch (CSS)
- Content Switching Module (CSM)
- Application Control Engine (ACE)
- Three design approaches for it:
- Router mode: the load balancer is a Layer 3 hop between the client-side and server-side VLANs (servers default-route to it)
- Bridge mode: the load balancer bridges the client-side and server-side VLANs, which share one subnet (transparent to addressing, like a transparent firewall)
- One-arm / two-arm mode: one-arm hangs the load balancer off a single VLAN beside the traffic path, so it needs source NAT or PBR to see the server replies; two-arm places it inline with separate client-side and server-side interfaces
E-Commerce Connections and Redundancy
- DNS-based redundancy
- Different public address blocks assigned (one per site or ISP)
- Public DNS hands out addresses from both blocks
- Public DNS must detect failure (health checks) and stop answering with the dead block
- Failover typically takes 5 – 10 minutes: detection time plus the record TTL still cached in resolvers
- BGP-based redundancy
- Same public address block assigned
- Both ISPs advertise the prefix
- Firewalls support stateful failover, so existing sessions survive the switch
- Failover time depends on BGP convergence (hold timers, or BFD for fast detection, plus propagation of the withdrawal across the Internet)
- Using multiple data centers
- Ultimate in redundancy
- Feeds an active/active design
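BGP-based redundancy with a stateful firewall pair behind it, as an added example that is not part of these notes. The edge router announces the same block to both ISPs, uses BFD so a dead link is noticed in about a second instead of waiting out the BGP hold timer, and AS-path prepends toward ISP-B so inbound traffic normally arrives via ISP-A. The AS numbers and prefixes are documentation values and the interface names, link addresses and shared secret are hypothetical.

```cisco
! --- Edge router (IOS): one prefix, two providers
interface GigabitEthernet0/0
 description Link to ISP-A
 ip address 198.51.100.2 255.255.255.252
 bfd interval 300 min_rx 300 multiplier 3
!
interface GigabitEthernet0/1
 description Link to ISP-B
 ip address 192.0.2.2 255.255.255.252
 bfd interval 300 min_rx 300 multiplier 3
!
router bgp 64500
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 description ISP-A
 neighbor 198.51.100.1 fall-over bfd
 neighbor 198.51.100.1 prefix-list OUR-PREFIX out
 neighbor 192.0.2.1 remote-as 64497
 neighbor 192.0.2.1 description ISP-B
 neighbor 192.0.2.1 fall-over bfd
 neighbor 192.0.2.1 prefix-list OUR-PREFIX out
 neighbor 192.0.2.1 route-map PREPEND-B out
!
! Anchor the block so the network statement is always installed,
! even while an internal link is flapping
ip route 203.0.113.0 255.255.255.0 Null0 254
!
! Only ever announce our own block: never leak one ISP's routes to the other
ip prefix-list OUR-PREFIX seq 5 permit 203.0.113.0/24
!
! ISP-B still carries the prefix for failover but is the less-preferred inbound path
route-map PREPEND-B permit 10
 set as-path prepend 64500 64500

! --- Firewall pair (ASA): active/standby with state replication, so that when the
! edge fails over, established sessions keep flowing through the surviving unit
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link STATELINK GigabitEthernet0/4
failover interface ip STATELINK 10.255.0.5 255.255.255.252 standby 10.255.0.6
failover polltime unit msec 500 holdtime 3
failover key hypothetical-shared-secret
```

Two caveats a design review should raise: the `failover key` authenticates the pair but the state link carries the connection table, so it belongs on a dedicated, physically protected segment; and even with BFD the Internet still has to learn the withdrawal from ISP-A, so the observed failover is BGP propagation time, not the local detection time.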
E-Commerce Firewall Design
- E-commerce firewalls often attach directly to the core layer
- Modular switches house service modules (FWSM, ACE, CSM) for multiple functions
- Multiple options exist for the aggregation layer