Questions about deploying serverfarm FW

yhlee1 — Tue, 11 Aug 2020 09:01:27 GMT

Hello,

Currently, every server is behind trust zone, so I can't control traffic from trust user or server to server by FW.

I have two options

1 attach server farm switch to edge firewall

2 deploy new FW in front of server farm switch

Which is more common way and is there any better reason to chose 2nd option than 1st?

Re: Questions about deploying serverfarm FW

Remo — Tue, 11 Aug 2020 18:16:36 GMT

Hi @yhlee1

Both of these ways are common solutions. In short: Option 2 is more secure but also more expensive while (obviously) option one is the opposite.

This does not mean option 1 is bad, but in case of an attack from external and also in situations where the firewall may be too slow to handle every internal connection everything would be affected from an outage. So with option 2 you mainly distribute the load with reduces some risks about service continuity. Obviously buying a second firewall(cluster) with subscriptions and operating this one is more expensive than having only one firewall(cluster). The configuration itself you can have as secure as with two firewall(clusters). So mainly you have to decide for your company/your situation if the additional costs are worth reducing some risks or if you are ok with the disadvantages as long as you separate clients and servers.

topic Questions about deploying serverfarm FW in General Topics

Questions about deploying serverfarm FW

Re: Questions about deploying serverfarm FW