r/sysadmin • u/drc997 • 7d ago

Internal firewall Question

Hi, we have a simple setup hosted in a data center. Firewall, switch, virtual machines. The VM's are mostly web servers and database servers. We are looking to separate the two into a production network and data network and firewall the two apart. I know I can do this with VLAN's and use the main firewall to control access to the data network but it feels like if the edge firewall has access to the data network it defeats the purpose of having them on a separate network. Are there any recommendations for a software firewall I can create as a VM that are free or cheap that are not the standard pfsense and such? The main firewalls are watchguards and I know I can get a watchguard VM but the cost seems high for what it is going to do? What is typically used in the enterprise as a simple internal firewall?

0 Upvotes

50% Upvoted

View all comments

u/YSFKJDGS 7d ago

The edge firewall being able to handle both networks does NOT defeat the purpose as long you have half a brain to keep it properly secured. It is entirely fine to use the same box.

-1

u/drc997 7d ago

I'm sure most of the companies that were breached in the last decade had half a brain and thought they were properly secured also. While entirely possible, routing access to sensitive data using the edge firewall doesn't seem like a smart option. Sorry, sticking to my guns here and going to find a better way.

2

u/mkosmo Permanently Banned 7d ago

It's still standard practice in even the most highly regulated and secure environments. Anything that requires additional isolation is effectively required to be airgapped, which doesn't do you much good for what you described.

If you want to layer more, HIPS (or host-based firewall) is an option. Since they're VMs, you can also leverage your hypervisor's security group features.

-1

u/[deleted] 7d ago edited 6d ago

[deleted]

1

u/mkosmo Permanently Banned 7d ago

Now you're confusing two issues. The firewall segmentation has nothing to do with ALGs. They don't replace each other, but add additional capabilities to one another.

And with more modern security tooling, the idea of centralized ALGs is quickly going the way of the dodo except in legacy deployments where the modern tooling isn't compatible with the equipment or workflows.