r/sysadmin 4d ago

Internal firewall Question

Hi, we have a simple setup hosted in a data center: firewall, switch, virtual machines. The VMs are mostly web servers and database servers. We are looking to separate the two into a production network and a data network and firewall the two apart. I know I can do this with VLANs and use the main firewall to control access to the data network, but it feels like if the edge firewall has access to the data network it defeats the purpose of having them on a separate network. Are there any recommendations for a software firewall I can create as a VM that is free or cheap and that is not the standard pfSense and such? The main firewalls are WatchGuards, and I know I can get a WatchGuard VM, but the cost seems high for what it is going to do. What is typically used in the enterprise as a simple internal firewall?

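One check worth running once the web and data VLANs are split is whether the internal firewall between them actually enforces a deny-by-default policy. The script below is an added example, not code from this thread or any product mentioned in it: it encodes the policy the question describes (web servers may reach the database servers on the SQL port, nothing else reaches the data VLAN, and the data VLAN never initiates toward web) and runs it over a few constructed flow-log lines to flag flows that were accepted but should not have been. The VLAN ranges, the MySQL port 3306, and the flow-log format are all assumptions.

```python
"""Audit inter-VLAN segmentation between a web VLAN and a data VLAN.

Added example, not from the Reddit thread. The addressing, the allowed
port and the flow-log line format are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing: web servers on 10.10.0.0/24, database servers on 10.20.0.0/24.
WEB_NET = ipaddress.ip_network("10.10.0.0/24")
DATA_NET = ipaddress.ip_network("10.20.0.0/24")
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


# Policy the internal firewall VM is expected to enforce, evaluated first-match.
POLICY = [
    Rule(WEB_NET, DATA_NET, "tcp", 3306, "allow"),  # web -> db, SQL port only
    Rule(DATA_NET, WEB_NET, "any", None, "deny"),   # db never initiates toward web
    Rule(ANY_NET, DATA_NET, "any", None, "deny"),   # nothing else reaches the data VLAN
]


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Return the policy's verdict for one flow; unmatched flows are denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in POLICY:
        if (s in r.src and d in r.dst
                and r.proto in (proto, "any")
                and r.dport in (dport, None)):
            return r.action
    return "deny"


def parse_flow(line: str):
    """Constructed, simplified flow-log line: 'src dst proto dport verdict'."""
    src, dst, proto, dport, observed = line.split()
    return src, dst, proto, int(dport), observed


def audit(lines):
    """Return the flows the firewall accepted but the policy says it must deny."""
    violations = []
    for line in lines:
        src, dst, proto, dport, observed = parse_flow(line)
        if observed == "ACCEPT" and decide(src, dst, proto, dport) == "deny":
            violations.append(line)
    return violations


# Constructed sample flows; 203.0.113.7 is a documentation address standing in
# for an outside host that somehow reached the data VLAN.
SAMPLE_FLOWS = [
    "10.10.0.5 10.20.0.10 tcp 3306 ACCEPT",    # web to db on SQL: expected
    "10.10.0.5 10.20.0.10 tcp 22 ACCEPT",      # web to db over SSH: violation
    "10.20.0.10 10.10.0.5 tcp 443 ACCEPT",     # db initiating toward web: violation
    "203.0.113.7 10.20.0.10 tcp 3306 ACCEPT",  # outside host reaching db: violation
    "203.0.113.7 10.20.0.10 tcp 3306 DROP",    # correctly dropped: fine
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("policy violation:", v)
```

Point it at real flow exports (after adapting `parse_flow` to that format) and an empty result is the evidence that the edge firewall, or anything else, is not quietly reaching the data VLAN outside the one allowed path.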

u/superrob1500 Jr. Sysadmin 4d ago

Some device on the network is gonna have to have access to both networks for routing purposes; I don't see where the virtualized firewalls help with anything. Even if the idea is sound, I think you're at a classic triangle/pick-2 problem here, if I'm understanding you correctly:

  • You want a virtualized Firewall.

  • You want it to be enterprise grade.

  • You want it to be free or not expensive.

It cannot be all 3.


u/drc997 4d ago

Your understanding is close. I realize some device is going to have access to both for routing purposes; I just don't think it should be the same one that's connected to the public internet. As for the triangle, it can't be applied to every situation. A large portion of the world is run on enterprise-grade, free, virtualized software.


u/superrob1500 Jr. Sysadmin 4d ago

> I realize some device is going to have access to both for routing purposes; I just don't think it should be the same one that's connected to the public internet.

Well, friend, I have to say that if you don't trust your edge firewall to stop outside intrusions, I think you have other problems that adding layers of obfuscation and management complications won't necessarily fix.

> As for the triangle, it can't be applied to every situation. A large portion of the world is run on enterprise-grade, free, virtualized software.

I don't think that was implied; it does definitely apply here, though.