I am redesigning my backup strategy by implementing network segmentation. I was planning to use my firewall to route between my VLANs, but then I am limited by the throughput of my firewall. Then, I considered using ACLs on my switches.
My "backbone" network between Veeam and vCenter is running on 10G switches. While my firewall has 10G ports, the throughput is not high.
In terms of security, is it worth running firewall services between VLANs or would ACLs work fine?
-
- Enthusiast
- Posts: 29
- Liked: 1 time
- Joined: Aug 08, 2016 4:13 pm
- Contact:
-
- Veeam Software
- Posts: 2346
- Liked: 555 times
- Joined: Jun 28, 2016 12:12 pm
- Contact:
Re: Switch ACLs vs Firewall IPS Between VLANs
Hi stryker54141,
Maybe you can elaborate on your concerns about just using ACLs? I understand you're mostly asking just in terms of general security practices so not sure there's anything Veeam specific to focus on here, but if you haven't seen it already, I would give a read to our Best Practices Guide on Security:
https://bp.veeam.com/security/Design-an ... mentation/
There is a lot of theory and design planning in this guide and may help with your decision, or at least help formulate additional questions that maybe can highlight your concerns a bit more clearly. But from a Veeam perspective as long as our traffic can flow, it's not as relevant for Veeam operations directly. But maybe other forum users have some well-evidenced positions they want to share, so I'll leave you with just that statement and the Best Practices guide to start.
Maybe you can elaborate on your concerns about just using ACLs? I understand you're mostly asking just in terms of general security practices so not sure there's anything Veeam specific to focus on here, but if you haven't seen it already, I would give a read to our Best Practices Guide on Security:
https://bp.veeam.com/security/Design-an ... mentation/
There is a lot of theory and design planning in this guide and may help with your decision, or at least help formulate additional questions that maybe can highlight your concerns a bit more clearly. But from a Veeam perspective as long as our traffic can flow, it's not as relevant for Veeam operations directly. But maybe other forum users have some well-evidenced positions they want to share, so I'll leave you with just that statement and the Best Practices guide to start.
David Domask | Product Management: Principal Analyst
-
- Enthusiast
- Posts: 29
- Liked: 1 time
- Joined: Aug 08, 2016 4:13 pm
- Contact:
Re: Switch ACLs vs Firewall IPS Between VLANs
Thanks for replying. I've read through the Best Practices Guide and have been mulling things over.
My understanding (and please correct me if I'm wrong) is that the idea with segmentation is to reduce the attack surface of various network components. So in your opinion (all you Veeam Admins out there), is there a need for IPS, DPI, or other firewall services between the VLANs to protect the Veeam server, repos, etc.? Or will ACLs suffice?
Over the years, I've heard different schools of thought on this when it comes to any network segmentation, and I was just wondering what other Veeam admins were doing, especially since throughput is essential to larger backups, and for the most part, you'll get higher throughput on switches vs. firewalls.
My understanding (and please correct me if I'm wrong) is that the idea with segmentation is to reduce the attack surface of various network components. So in your opinion (all you Veeam Admins out there), is there a need for IPS, DPI, or other firewall services between the VLANs to protect the Veeam server, repos, etc.? Or will ACLs suffice?
Over the years, I've heard different schools of thought on this when it comes to any network segmentation, and I was just wondering what other Veeam admins were doing, especially since throughput is essential to larger backups, and for the most part, you'll get higher throughput on switches vs. firewalls.
-
- Enthusiast
- Posts: 29
- Liked: 1 time
- Joined: Aug 08, 2016 4:13 pm
- Contact:
Re: Switch ACLs vs Firewall IPS Between VLANs
I just found a post by @Andreas Neufert where he states the following, so assuming he still feels the same way, I'll proceed with switch ACLs.
If you want to have a firewall between VMware + Proxy and first Veeam Repository I would look for a switch based routing and define on the access port level rules like PACLs or VACLs. It depends a bit on what your Switch vendor can do for you there. I know this is not a full package inspection security, but again you do not want to have those in between VMware, Proxy and Repository as it causes a lot of headaches when operating this at high throughput and scale.
Who is online
Users browsing this forum: Bing [Bot], Google [Bot] and 55 guests