Setting up a new DMZ for Web Servers

dmz, networking

When it comes to security, VLAN ACLs, firewall DMZ policy and the like, I am a newb. So any help will be appreciated.

We are trying to architect our network to place all of our web accessible servers in a DMZ. We have Watchguard Firewall and Dell Layer 3 Switch. All of our Web Servers are virtual and hosted on a Hyper-V cluster.

We have set up two new VLANs on the Layer 3 switch called DMZ (VLAN 210) and CMZ (VLAN 211), each with its own subnet in the 172.20.X.X range. Our web servers each have two network interfaces, one for each of the new VLANs. We are trying to block all access to our LAN with ACL rules on the Layer 3 switch, and only allow access to the firewall, which is in its own VLAN 200. On the firewall, we have set up the VLAN subnets. On VLAN 210, we only want to be able to access the internet for Windows Updates, since our web servers will not be joined to the domain. On VLAN 211, we want to allow access to the needed internal servers, through the firewall.

When we do not have any ACL rules in place for 210 and 211, we are able to ping all internal servers and get the internet on the web servers. When we apply an ACL which blocks all internal subnets but allows all other subnets, nothing seems to work correctly. We have tried to do some "route adds" on the web servers to get them to point to the correct internal servers, but again, with the ACL in place, nothing seems to work.

My two starting questions are: Does what we are trying to do seem like a good way to go with the hardware we have? And do we need to do some routing on the Layer 3 switch to get this to work? So far I haven't done any and am not sure how.

Thank you!!

Best Answer

The Watchguard is a firewall; it sounds unreasonable to try to use the switch as a firewall.

I'd plan to get rid of the server interfaces to the LAN, give them only one interface into the DMZ. Route all traffic through the Watchguard, which should have interfaces in both VLAN 210 and VLAN 211. Get rid of VLAN 200 entirely, get rid of any routing on the switch, use the Watchguard as the default gateway, get rid of most ACLs on the switch (possibly keeping any that restrict switch management access).

Then use Watchguard policies to manage what traffic can get from where to where, e.g. policies to allow the DMZ access to DNS servers, HTTP and HTTPS for Windows Update (preferably via proxy policies), and allow management connections (e.g. RDP) from the LAN to the web servers.
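To make the suggested policy set concrete, here is an added example (not from the answer above, and not Watchguard's own configuration syntax) that models the zones and first-match, default-deny policies and evaluates sample flows against them. The /24 subnets for VLAN 210 and 211, the LAN range, the DNS servers sitting on the LAN, and the CMZ-to-SQL rule are all assumptions, since the question only says "172.20.X.X".

```python
import ipaddress
from typing import List, Tuple

# Constructed zone table. The question only gives "172.20.X.X", so the
# VLAN 210/211 subnets and the internal LAN range below are assumptions.
ZONES = {
    "DMZ": ipaddress.ip_network("172.20.210.0/24"),  # VLAN 210 (assumed /24)
    "CMZ": ipaddress.ip_network("172.20.211.0/24"),  # VLAN 211 (assumed /24)
    "LAN": ipaddress.ip_network("10.0.0.0/8"),       # internal servers (assumed)
}


def zone_of(ip: str) -> str:
    """Map an address to a firewall zone; anything unknown is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


# (from_zone, to_zone, proto, port, action); first match wins, default deny.
# Mirrors the policies the answer suggests; the CMZ -> SQL rule is an
# assumed example of "access to the needed internal servers".
POLICIES: List[Tuple[str, str, str, int, str]] = [
    ("DMZ", "LAN", "udp", 53, "allow"),        # DNS to internal resolvers (assumed on LAN)
    ("DMZ", "EXTERNAL", "tcp", 80, "allow"),   # Windows Update via HTTP proxy policy
    ("DMZ", "EXTERNAL", "tcp", 443, "allow"),  # Windows Update via HTTPS proxy policy
    ("LAN", "DMZ", "tcp", 3389, "allow"),      # admin RDP from LAN to web servers
    ("CMZ", "LAN", "tcp", 1433, "allow"),      # assumed: app tier to SQL server
]


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """Return 'allow' or 'deny' for a new connection, first matching policy wins.

    Only connection *initiation* is modelled: a stateful firewall lets the
    replies of an allowed connection back without a second policy, which is
    one reason a firewall is a better fit here than stateless switch ACLs.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for from_zone, to_zone, p, prt, action in POLICIES:
        if (from_zone, to_zone, p, prt) == (src, dst, proto, port):
            return action
    return "deny"  # nothing matched: default deny
```

The key property to check is direction: the LAN may open RDP to the DMZ, but a compromised web server in the DMZ gets no RDP, SMB or other path back into the LAN.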