Campus Network Design - Firewalls
I am designing a campus network, and the design looks like this:
LINX is The London Internet Exchange and JANET is Joint Academic Network.
My goal is an almost fully redundant design with high availability, because it will have to support about 15k people, including academic staff, administrative staff and students. I have read some documents in the process, but I am still not sure about some aspects.
I want to dedicate this one to firewalls: what are the driving factors in deciding to employ a dedicated firewall, instead of an embedded firewall in the border router? From what I can see, an embedded firewall has these advantages:
- Easier to maintain
- Better integration
- One less hop
- Less space requirement
- Cheaper
A dedicated firewall has the advantage of being modular.
Is there anything else? What am I missing?
Enterprise Systems Administrator/Architect here. I would never design a network of this scale to use anything but dedicated appliances for each core task: routing, switching, firewall, load balancing. It's simply bad practice to do otherwise. Now, there are up-and-coming products like VMware's NSX that seek to virtualize this infrastructure down to commodity hardware (and usually, less of it), and that's fine. Intriguing, even. But even then, each virtual appliance has its job.
I'll hit on the major reasons why these are kept separate:
- As @Massimo said, you simply don't get the functionality out of combo devices; they're going to lose out on the features you need to properly optimize your design.
- This provides a smaller attack surface per unit: if some critical exploit exists in the edge router, do you want that to be the hole an attacker uses to gain access to the firewall?
- It simplifies management. It's tempting to think combining makes managing easier, but that's not usually true. What if I have a NetSec team managing firewall policies and an Infrastructure team handling routing? Now I have to properly set fine-grained ACLs on the combo devices to ensure they can each get to what they need to, and nothing else. Additionally, combo devices tend to have less well-planned interfaces, especially for large deployments (I'm looking at you, SonicWALL).
- Infrastructural placement needs to be flexible. With combo devices, I'm pretty much stuck with a static layout: for every one I'm deploying, I've got a router and a firewall, where maybe I really only wanted a firewall. Sure, I can turn the routing features off, but that leads to the point above about simple management. Additionally, I see a lot of designs trying to load balance everything, when really you're often better off load balancing separately in zones, as there's some stuff that should pass through, and sometimes you hurt redundancy or resiliency by introducing components at junctions that don't need them. There are other examples of this, but load balancers are easy to pick on.
- Combo devices can get overloaded more easily. When thinking about network appliances, you have to consider the backplane: can that combo router/firewall/load balancer handle the throughput being thrown at it? Dedicated appliances are going to generally fare better.
Hope that helps. Good luck with your network. If you have further questions, post away (separate from this post) and I'll try to catch them. Of course, there's plenty of clever humans about who can answer just as well, or hopefully better. Ciao!
While routers and firewalls overlap quite a bit, they have entirely different purposes; thus, routers don't usually excel at firewalling, and firewalls can't usually do much more routing than moving packets from one interface to another; this is the main reason to use distinct devices for the two roles.
Another reason is that firewalls usually only have Ethernet interfaces, relying on a proper router to connect to different media, like fiber or DSL; your ISPs' connections will most likely be provided on such media, thus routers will be needed anyway to terminate them.
You said you need failover both for routing and firewalling. High-end routers can provide load balancing and failover across multiple devices and multiple ISP connections; while firewalls have basic routing capabilities, they usually don't perform such high-end routing functions. The reverse is true for routers acting as firewalls: they are usually quite limited when compared to real high-end firewalls.