Comprehensive data protection for all workloads
Post Reply
stryker54141
Enthusiast
Posts: 35
Liked: 2 times
Joined: Aug 08, 2016 4:13 pm
Contact:

Switch ACLs vs Firewall IPS Between VLANs

Post by stryker54141 »

I am redesigning my backup strategy by implementing network segmentation. I was planning to use my firewall to route between my VLANs, but then I am limited by the throughput of my firewall. Then, I considered using ACLs on my switches.

My "backbone" network between Veeam and vCenter is running on 10G switches. While my firewall has 10G ports, the throughput is not high.

In terms of security, is it worth running firewall services between VLANs or would ACLs work fine?
david.domask
Veeam Software
Posts: 3037
Liked: 702 times
Joined: Jun 28, 2016 12:12 pm
Contact:

Re: Switch ACLs vs Firewall IPS Between VLANs

Post by david.domask »

Hi stryker54141,

Maybe you can elaborate on your concerns about just using ACLs? I understand you're mostly asking just in terms of general security practices so not sure there's anything Veeam specific to focus on here, but if you haven't seen it already, I would give a read to our Best Practices Guide on Security:

https://bp.veeam.com/security/Design-an ... mentation/

There is a lot of theory and design planning in this guide and may help with your decision, or at least help formulate additional questions that maybe can highlight your concerns a bit more clearly. But from a Veeam perspective as long as our traffic can flow, it's not as relevant for Veeam operations directly. But maybe other forum users have some well-evidenced positions they want to share, so I'll leave you with just that statement and the Best Practices guide to start.
David Domask | Product Management: Principal Analyst
stryker54141
Enthusiast
Posts: 35
Liked: 2 times
Joined: Aug 08, 2016 4:13 pm
Contact:

Re: Switch ACLs vs Firewall IPS Between VLANs

Post by stryker54141 »

Thanks for replying. I've read through the Best Practices Guide and have been mulling things over.

My understanding (and please correct me if I'm wrong) is that the idea with segmentation is to reduce the attack surface of various network components. So in your opinion (all you Veeam Admins out there), is there a need for IPS, DPI, or other firewall services between the VLANs to protect the Veeam server, repos, etc.? Or will ACLs suffice?

Over the years, I've heard different schools of thought on this when it comes to any network segmentation, and I was just wondering what other Veeam admins were doing, especially since throughput is essential to larger backups, and for the most part, you'll get higher throughput on switches vs. firewalls.
stryker54141
Enthusiast
Posts: 35
Liked: 2 times
Joined: Aug 08, 2016 4:13 pm
Contact:

Re: Switch ACLs vs Firewall IPS Between VLANs

Post by stryker54141 »

I just found a post by @Andreas Neufert where he states the following, so assuming he still feels the same way, I'll proceed with switch ACLs.
If you want to have a firewall between VMware + Proxy and first Veeam Repository I would look for a switch based routing and define on the access port level rules like PACLs or VACLs. It depends a bit on what your Switch vendor can do for you there. I know this is not a full package inspection security, but again you do not want to have those in between VMware, Proxy and Repository as it causes a lot of headaches when operating this at high throughput and scale.
Post Reply

Who is online

Users browsing this forum: Baidu [Spider], Bing [Bot] and 44 guests