While the concept of firewalling all the way down to the Access Layer may seem a bit unorthodox, and is certainly not a practice that would be suitable for all occasions based on a number of different reasons, the question is, could it be a feasible design for a network? In short, it absolutely can be. That is not to say it wouldn’t take some planning and engineering work up front, but if we were to look at any secure facility that is of worth throughout history we would find that there was a significant amount of engineering and planning that took place before any construction ever started happening. Why should the foundations of IT infrastructure that are going to support any legitimate business be any different? The truth is that they should not be. However, from my experience, I have found that a comprehensive and holistic view of the IT infrastructure in its entirety is actually something that is quite rare among organizations. Typically, it usually is a patchwork of separate teams who rarely collaborate with each other on the best way to achieve a particular goal, but I digress…..
So the questions that need to be answered before we even hop into what the architectural aspect of such a design become:
1. Firewalls are expensive. How could an organization possibly be able to afford that many firewalled ports?
Answer: The truth is that unless you’ve bound yourself to a particular vendor or technology, there are a number of very good options on the market that can meet this constraint. In some cases the price point for firewalled ports VS non-firewalled ports could actually work out to be less than your typical switch port - if you have an open mind.
2. I don’t know of any firewalls that don’t have the port density that switches do. Are there firewalls that do?
Answer: While I will say that high port density firewalls aren’t going to be part of your typical firewall portfolio, they are out there.Vendors such as Juniper Networks and Fortinet currently have products in their portfolio that can fit the bill. Even Cisco had a product in their FWSM (Firewall Services Module) for the 6500 that gave your Catalyst switch the ability to firewall hundreds of ports.
3. Firewalls add a significant amount of overhead in order for me to be able to manage polices. How could I possibly manage a large environment with firewalls all over the place?
Answer: Central management for products is much more common than it used to be. Many vendors are even starting to offer the ability to manage their products via the cloud as well or through an on premises device. One of the features that these types usually have is the ability to create device templates and push out policies to device groups. In some situations, this could even be faster than making changes in a switch environment.
4. Firewalls are not as fast as switches. Are there firewalls that can give me the throughput and performance that I need?
Answer: Absolutely.Your typical user isn’t going to be in a switching environment where they need to have nano-second latency like on Wall Street. Many of the firewalls that you see today only have a few µ seconds of latency added for processing firewalled traffic.That is 1/1,000,000ths of a second to process a firewall policy. Typically, when you measure ping latency it’s only going to be in the 1/1,000ths of a second. It’s pretty quick and impressive, to say the least.
Based on those answers, we start to see that being able to architect a secure network solution where security is at the forefront of the architecture and design has become much more feasible than it once was. However, it comes at the cost of being able to allocate the time and resources up front and get all of the required teams collaboratively meeting with each other in order for such a design to be successful. I’ll discuss more of the architectural components of making such a design a bit more of a reality in my next blog.