When people think about network security today, they think of access lists, firewalls, IPS and other appliances that assist, and the resiliency of the network itself seems to have faded into the background.
Too often the security devices, or the access into the network, are laid out in such a way that should one of those devices fail, the network is down. In this case no one even attacked you, yet you are in a spot where you must route around the failed security device, and with uptime in mind you may do it in a manner that is far less secure than if you had never had the device in the first place. Why? Usually because you are trying to patch the hole quickly, and you inadvertently leave a security gap that, had you never owned the device, you would have thought through and secured as a normal method of connection. These gaps commonly show up as missing lines in the ACLs after an IP schema change, or as a routing change that now bypasses more of your security than you intended.
The solutions are numerous, but when developing one there are always three “P”s that must work together.
Performance – How well will the solution work should there be a failure, how fast can it be implemented, and how much will the reduced performance cost in terms of business?
Probability – How likely is it that this device will fail, given its own internal redundancy?
Price – Do I need to explain this one?
So the obvious answer is that if price weren’t a factor, you would buy two of everything: two circuits from two providers, power from two power grids, two core switches, each with two fibers to a redundant distribution layer, a redundant access layer to servers with redundant NICs, and VMware to move all of the servers to another geographically diverse site should this site be destroyed.
More likely you should look at ways to mitigate the consequences of a failure within a budget. Let’s say you have an inline web filter sitting in front of a pair of Cisco ASAs. Your inline web filter is a single point of failure sitting in front of a redundant solution. So what do you do if you can’t afford another web filter and need to know that, should it fail, you can still maintain business?
First – make sure you keep your warranty up on the web filter and have fast replacement. This doesn’t cost nearly what a second web filter would, and it reduces your performance risk from an outage-time perspective.
Second – Design with this in mind. See if you can use your web filter a different way, perhaps via WCCP, where, should it go down, the redirecting router or switch can fail open. If you must stay inline, assume it will fail closed (even if it advertises itself differently), and plan disaster recovery around that. In this case you may have two VLANs involved: one for the inside of the web filter and one for the outside. The inside VLAN is a routed VLAN on your layer 3 switch, and you route to your ASAs directly through it. To do this you connect the inside interface of your web filter to the inside VLAN, and the outside interface to a non-routable VLAN on the layer 3 switch. You then connect your ASAs’ inside interfaces to that same outside VLAN. This forces the traffic through the web filter and is a very common setup for this scenario. Should the web filter go down, you change the VLAN on the ASAs’ switch ports to the inside VLAN, and you have internet access again. You have lost the web filter, obviously, but hopefully the performance impact isn’t that great until the replacement unit arrives.
By doing this you can also ensure, ahead of time, that the inside VLAN is secured in a manner congruent with your company policy should a failure occur, rather than improvising that policy during the outage.
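The two-VLAN design and the failover step above, written out as an added example layer 3 switch configuration. This is constructed for illustration and is not configuration from the original post or from any vendor document. It assumes a Catalyst-style IOS switch, a transparent (bridging) inline web filter so that the ASA inside address sits in the same subnet as the inside SVI, placeholder addressing of 10.0.10.0/24 with the ASA inside at 10.0.10.254, and placeholder port numbers. The ACL named INSIDE-EDGE is a placeholder to be filled from company policy; the point is that it lives on the inside SVI, so it stays in effect whether or not the web filter is in the path.

```cisco
! Constructed example: layer 3 switch in front of an inline web filter and a pair of ASAs.
! Assumed addressing and port numbers are placeholders, not values from the original post.
vlan 10
 name INSIDE-ROUTED
vlan 20
 name FILTER-OUTSIDE-NONROUTED
!
! VLAN 10 is the routed inside VLAN: it carries the SVI and the default route toward the ASA.
! The ACL applied here is enforced in both the normal and the failed-over state.
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group INSIDE-EDGE out
 no shutdown
!
! There is deliberately no "interface Vlan20". VLAN 20 is layer 2 only, so the only way
! from VLAN 10 to the ASA inside interfaces is through the web filter bridging the two VLANs.
!
interface GigabitEthernet1/0/1
 description Web filter inside interface
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description Web filter outside interface
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
 description ASA-1 inside interface (normal state: outside VLAN)
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/4
 description ASA-2 inside interface (normal state: outside VLAN)
 switchport mode access
 switchport access vlan 20
!
! Default route points at the ASA inside address, which is reachable across the bridging filter.
ip route 0.0.0.0 0.0.0.0 10.0.10.254
!
! Placeholder policy ACL: replace the entries with what company policy requires.
ip access-list extended INSIDE-EDGE
 remark PLACEHOLDER - populate from company policy before a failure, not during one
 permit ip 10.0.0.0 0.255.255.255 any
 deny ip any any log
!
! ---- Failure mode: web filter is down and has failed closed ----
! Move only the ASA-facing ports into the routed inside VLAN. No addressing or routing changes,
! so the INSIDE-EDGE ACL and the default route remain exactly as they were.
configure terminal
 interface range GigabitEthernet1/0/3 - 4
  switchport access vlan 10
 end
!
! ---- Restore: replacement web filter is cabled and passing traffic ----
configure terminal
 interface range GigabitEthernet1/0/3 - 4
  switchport access vlan 20
 end
```

Before relying on this, verify the normal state with "show vlan brief" (VLAN 20 should list only the filter outside port and the ASA ports) and "show ip interface brief" (no Vlan20 SVI should exist). The failover is a single access-VLAN change on the ASA ports, which is what keeps it fast and keeps it from touching the ACL or routing table, the two places the post says emergency fixes tend to open holes.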
Author: Alex Jerrold, Cisco CCIE Security
Posted at Geeknick
Filed under: Network Security