Ideas about large network / HA on the inside

corge (Limp Gawd, joined Sep 21, 2009, 248 messages)
So....I want to hear some ideas with regard to changing things around on a network. I have one internet connection ( I cannot get two ). I know I will have a single point of failure at the edge and I'm ok with that because I can buy two of something to where I at least have a replacement.

I have an OC line, so an ASA at the edge to handle basic ACL rules and let it get hammered first. I'm not looking for the ASA to be a firewall, because friends don't let friends use ASA's for firewalls. It does ACL only. Then, it will come into two routers maybe or two edge firewalls. Then inside the edge firewalls into a DMZ and then to two external firewalls, then to internal core etc....

I have a single point of failure, I can't change that, but looking for the ideas for HA inside of that.

If you have questions, please feel free to ask and I will answer and update throughout the day. I will answer what I can....
 
I'm not sure why the ASA is a horrible solution for you. Cisco sells a lot of them for a reason.

Your typical redundant Internet consists of...

2 Internet connections to 2 different routers
Routers each connect to 2 switches
2 switches each connect to 2 firewalls
2 firewalls connect internally to 2 inside (or more switches)

Scratch a router for you since you only have one Internet connection

Internally you'll want to consider some type of meshed environment, such as HP's IRF.

Really though, the difficulty is in the execution and ongoing maintenance. You are far, far more likely to experience a failure due to human error than random equipment failing. Yes, that error includes not thoroughly testing your implementation such that it breaks down the road because of something you didn't think of.

To really build a HA environment, you need to look at everything, and attempt to calculate the cost. The cost of a spare firewall or switch is insignificant next to the actual costs of running a truly HA environment.

You'll need network monitoring, change management, a development environment, a test environment, and a testing suite. If you have cowboy coders and engineers, you have to get them to realize that they can't just poke into the production server at 7pm on a Tuesday to "make one little change." Then you need management that understand the need for these rules, and is able to fire people who just won't conform to the new (slow, bureaucratic) way of doing things.

Everything, everything has to be documented, then tested, then rolled into production. If you're very smart, you'll have a promotion system like buildmaster (http://inedo.com/landing/buildmaster) and use that to develop scripts such that what you push to production will be identical to what you did your testing on.
 
ASA is perfect as a firewall.... not sure why you would think anything else really.

I would use 2 cisco routers, HSRP and policy based routing all behind an ASA.
 
> I'm not looking for the ASA to be a firewall, because friends don't let friends use ASA's for firewalls.
That has to be one of the dumbest things I've heard around here in a long time.
Cisco ASA's are their flagship firewall/security product.
I'd be interested to hear what you WOULD put behind this pathetic ASA as a "real" firewall.
 
> That has to be one of the dumbest things I've heard around here in a long time.
> Cisco ASA's are their flagship firewall/security product.
> I'd be interested to hear what you WOULD put behind this pathetic ASA as a "real" firewall.

A Dlink router :p
 
We have multiple redundant links coming into our building, as far as I know we have at least 8 connections coming in. The two I set up are 10 gig links and they both go into ASA's 5580's. Behind those I set up 10 gig Arista switches into Palo Alto 4060's to stacked 3750's to our Nexus 7000's.
I also set up several other networks at our regional centers with the ASA 5500 series (forget what models) and these are running the firewall feature sets. No issues with them at all.
Sounds to me like you need to start where jeff1 suggested...with management and implementing the tools to build this out before you jump in.
 
I love how people seem to get so offended as if their middle names are Cisco when someone doesn't like their products.

I replaced an ASA with pfsense

*GASP*

And couldn't have been happier....
 
Not liking Cisco has nothing to do with it. If you don't like Cisco because you are a Juniper person that is fine too. But saying that the ASA isn't a "real" firewall is a very ignorant statement.
 
> Not liking Cisco has nothing to do with it. If you don't like Cisco because you are a Juniper person that is fine too. But saying that the ASA isn't a "real" firewall is a very ignorant statement.
this...

if you don't like Cisco ASA try out Checkpoints... then you'll truly understand what a shitbox firewall looks like
 
> Not liking Cisco has nothing to do with it. If you don't like Cisco because you are a Juniper person that is fine too. But saying that the ASA isn't a "real" firewall is a very ignorant statement.

I'm not a Juniper person; I've never used Juniper equipment. However, the ASA will ONLY be used for ACL (accept/deny) purposes. There are people that really like the ASA's for firewalling and those that don't. I don't care for them in that regard. Bose makes speakers and people love them. I'm in the audiophile group and can't stand them...so friends don't let friends buy Bose.

This may have been the wrong place to question this overall because I can't give much detail at all about this.
 
As far as firewalls go, I have had really good results with the Palo Alto units. If you have 10gig connections they are one of the only wireline speed firewalls that you can purchase. And the support is second to none.
 
> I'm not a Juniper person; I've never used Juniper equipment. However, the ASA will ONLY be used for ACL (accept/deny) purposes. There are people that really like the ASA's for firewalling and those that don't. I don't care for them in that regard. Bose makes speakers and people love them. I'm in the audiophile group and can't stand them...so friends don't let friends buy Bose.
>
> This may have been the wrong place to question this overall because I can't give much detail at all about this.
Sorry but your comparison is crap... Cisco isn't some mediocre speaker company with a big marketing budget or even anything remotely resembling that.

Friends don't let friends listen to rubbish unqualified opinions about hardware they probably don't even fully understand how to use...
 
mattjw, you're right, you win. Congratulations.

[image: duty_calls.png]
 
What makes an ASA so poor in your opinion? They're a bit on the underpowered side when you compare real-world performance to what your Cisco rep will tell you to buy (or so I've found), but they aren't bad at all. ASDM is kind of annoying. Are you upset because it doesn't do IDS/IPS without the AIP-SSM?
I'm admittedly a bit rusty, maybe I'm missing something, I've been using Juniper the last number of years.
 
> However, the ASA will ONLY be used for ACL (accept/deny) purposes. [and not as a firewall]
Erm, maybe I'm getting old, so help me here.

In your thoughts, what is the difference between a firewall and a "device implementing ACLs"?
 
> Erm, maybe I'm getting old, so help me here.
>
> In your thoughts, what is the difference between a firewall and a "device implementing ACLs"?

My guess in the post above yours is he's upset about IDS/IPS, I had the same thought as you.
 
> Erm, maybe I'm getting old, so help me here.
>
> In your thoughts, what is the difference between a firewall and a "device implementing ACLs"?
The platform you are doing it on. A "firewall" like an ASA has deep packet inspection capabilities and is generally more suited to such functions than, say, an IOS router. Also, the connection state information for all traffic passing through the firewall is monitored, which reduces the potential for DoS attacks and numerous other low-level network type attacks like SYN flooding, for example.

However modern routers from the likes of Cisco, and others I'm assuming, have advanced features that also enable it to perform a lot of the same functions that modern firewalls can up to and including deep packet inspection, IPS/IDS inspection, etc blurring the lines between the devices.

That said, routers and firewalls are still distinctly different devices running different code under the covers on hardware that is suited to different roles. You wouldn't/can't terminate an OC-3 on a firewall or use it to peer with a neighboring AS via BGP. You also wouldn't necessarily want a router to keep a full internet BGP table while performing IPS and deep packet inspection, controlling traffic to/from a Websense server, while running QoS and a zone-based firewall at the same time. While you probably could in the last case, would you really want to?
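The ACL-versus-firewall distinction the last two posts circle around comes down to one thing: a stateless ACL decides from the header of each packet on its own, while a stateful firewall also asks whether the packet belongs to a connection it has already seen. The toy model below is an added illustration, not code from any post in this thread or from any vendor. Packets, the inside prefix, the ACL rules and the flow table are all constructed here; the "established" rule stands in for the classic stateless approach of matching on the ACK bit, which is the only evidence of an existing connection a stateless filter can see.

```python
"""
Toy model: stateless ACL vs stateful connection tracking.

Constructed example. Addresses, ports and the policy are invented for the
demonstration; flow teardown (FIN/RST ageing) is deliberately left out.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."  # constructed: the "inside" network for the demo


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def acl_permit(p: Packet) -> bool:
    """Stateless ACL: each packet is judged on its own header bits."""
    # rule 1: inside hosts may open anything outbound
    if inside(p.src) and not inside(p.dst):
        return True
    # rule 2: inbound "established" traffic, i.e. anything with ACK set;
    # the ACL has no memory, so the flag is all it can check
    if not inside(p.src) and inside(p.dst) and p.ack:
        return True
    return False  # implicit deny


class StatefulFirewall:
    """Same policy, but inbound packets must match a flow the inside opened."""

    def __init__(self) -> None:
        # flow key: (inside_ip, inside_port, outside_ip, outside_port)
        self.flows: set[tuple[str, int, str, int]] = set()

    def permit(self, p: Packet) -> bool:
        if inside(p.src) and not inside(p.dst):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn and not p.ack:          # new connection from inside
                self.flows.add(key)
                return True
            return key in self.flows         # mid-stream outbound needs a flow
        if not inside(p.src) and inside(p.dst):
            # inbound is permitted only as the reverse half of a known flow,
            # regardless of which TCP flags the sender chose to set
            return (p.dst, p.dport, p.src, p.sport) in self.flows
        return False


def run_demo() -> tuple[list[bool], list[bool]]:
    """Run three constructed packets through both filters and return verdicts."""
    legit_out = Packet("10.0.0.5", "203.0.113.9", 40000, 443, syn=True)
    legit_reply = Packet("203.0.113.9", "10.0.0.5", 443, 40000, syn=True, ack=True)
    # a stray inbound segment with ACK set that no inside host ever asked for
    # (scanner noise or backscatter): header looks "established" to the ACL
    stray = Packet("198.51.100.7", "10.0.0.5", 1234, 22, ack=True)

    fw = StatefulFirewall()
    acl_verdicts = [acl_permit(p) for p in (legit_out, legit_reply, stray)]
    fw_verdicts = [fw.permit(p) for p in (legit_out, legit_reply, stray)]
    return acl_verdicts, fw_verdicts


if __name__ == "__main__":
    acl, fw = run_demo()
    print("stateless ACL :", acl)   # [True, True, True]
    print("stateful FW   :", fw)    # [True, True, False]
```

The third packet is the point: the ACL permits it because its header matches the "established" rule, while the stateful filter drops it because no inside host opened that flow. That memory of connection state is what the earlier post means by "connection state information ... is monitored", and it is the part an ACL-only deployment of the ASA gives up.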
 