Secure East-West Traffic with the VM-Series Firewall
The following example shows you how to deploy your VM-Series firewall to secure the application or database servers on your network. This scenario is relevant to you if you have two NetScaler VPX instances, where one instance authenticates users and terminates SSL connections and then load balances requests to the DMZ servers, and the other VPX instance load balances connections to the corporate servers that host the application and database servers on your network.
The communication between the servers in the DMZ and the servers in the corporate datacenter is processed by both instances of the NetScaler VPX. For content that resides in the corporate datacenter, a new request is handed off to the other instance of the NetScaler VPX, which forwards the request to the appropriate server.
When the VM-Series firewall is deployed (this example uses L3 interfaces), the flow of traffic is as follows:
- All incoming requests are authenticated and the SSL connection is terminated on the first instance of the NetScaler VPX. For content that resides in the DMZ, the NetScaler VPX initiates a new connection to the server to fetch the requested content. Note that the north-south traffic destined to the corporate datacenter or to the servers in the DMZ is handled by the edge firewall and not by the VM-Series firewall. For example, when a user (source IP 18.104.22.168) requests content from a server on the DMZ, the destination IP is 22.214.171.124 (VIP of the NetScaler VPX). The NetScaler VPX then replaces the destination IP address, based on the protocol, with the internal server IP address, say 192.168.10.10. The return traffic from the server is sent back to the NetScaler VPX at 126.96.36.199 and then sent to the user with IP address 188.8.131.52.
- All requests between the DMZ servers and the corporate datacenter are processed by the VM-Series firewall. For content that resides in the corporate datacenter, the request is transparently processed (if deployed using L2 or virtual wire interfaces) or routed (using Layer 3 interfaces) by the VM-Series firewall. It is then handed off to the second instance of the NetScaler VPX. This instance of the NetScaler VPX load balances the request across the servers in the corporate datacenter and services the request. The return traffic uses the same path as the incoming request. For example, when a server on the DMZ (say 192.168.10.10) needs content from a server in the corporate datacenter (say 172.16.10.20), the destination IP address is 184.108.40.206 (the VIP on the second NetScaler). The request is sent to the VM-Series firewall at 192.168.10.2, where the firewall performs a policy lookup and routes the request to 220.127.116.11. The second NetScaler VPX replaces the destination IP address, based on the protocol, with the internal server IP address 172.16.10.20. The return traffic from 18.104.22.168 is then sent to the NetScaler VPX at 22.214.171.124; the source IP address for the request is set to 126.96.36.199 and the traffic is routed to the VM-Series firewall at 188.8.131.52. On the VM-Series firewall, a policy lookup is performed again and the traffic is routed to the server in the DMZ (192.168.10.10).
Because all requests are initiated from the NetScaler VPX, the VM-Series firewall only ever sees the VPX as the source of a connection. To filter and report on user activity on your network, you must therefore enable HTTP Header Insertion or the TCP Option for IP Insertion on the first instance of the NetScaler VPX, so that the original client address is carried along with each request.
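The attribution problem the previous paragraph describes, as an added example that is not Citrix or Palo Alto Networks code: when the VPX originates every connection, the TCP source address is useless for per-user reporting, and the inserted header is only trustworthy on connections that actually come from the VPX. The header name `X-Forwarded-For`, the trusted inserter address and the sample request below are assumptions and constructed values for this example, not configuration from the page.

```python
"""Recover the original client IP from the header the NetScaler VPX inserts.

Added example, not Citrix or Palo Alto Networks code. Only connections whose
peer is the trusted VPX may carry a header we believe; on any other connection
the header could have been written by the sender, so we fall back to the
connection's own source address.
"""
from ipaddress import ip_address, ip_network

# Constructed: the address the first VPX uses when it opens connections toward
# the DMZ (the page's 22.214.171.124 is reused here as a stand-in).
TRUSTED_INSERTERS = [ip_network("22.214.171.124/32")]
# Assumption: the VPX is configured to insert the client address in this header.
CLIENT_IP_HEADER = "x-forwarded-for"

# Constructed request: the client sent a forged entry first; the VPX then
# appended the address it actually saw the connection come from.
SAMPLE_REQUEST = (
    b"GET /app HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"X-Forwarded-For: 10.0.0.99, 18.104.22.168\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request head into a lower-cased header dict (first value wins)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]  # drop the request line
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key not in headers:
            headers[key] = value.strip()
    return headers


def client_ip(conn_src: str, raw_request: bytes) -> str:
    """Return the address to log and filter on for this request."""
    src = ip_address(conn_src)
    if not any(src in net for net in TRUSTED_INSERTERS):
        return conn_src  # header not trustworthy: attribute to the connection peer
    value = parse_headers(raw_request).get(CLIENT_IP_HEADER)
    if not value:
        return conn_src
    # A single trusted hop appends the peer it saw, so the right-most entry is
    # the one it added; anything to the left came from the untrusted client.
    candidate = value.split(",")[-1].strip()
    try:
        ip_address(candidate)
    except ValueError:
        return conn_src  # malformed header: do not trust it
    return candidate


if __name__ == "__main__":
    print(client_ip("22.214.171.124", SAMPLE_REQUEST))  # real client, via trusted VPX
    print(client_ip("192.0.2.5", SAMPLE_REQUEST))       # untrusted peer: header ignored
```

The right-most rule is what makes the header safe to use: an attacker can put anything in the header they send, but cannot control what the trusted VPX appends after it.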
- If you plan to deploy the VM-Series firewall using virtual wire or L2 interfaces, make sure to enable L2 Mode on each data interface on the SDX server.
- Re-cable the interfaces assigned to the NetScaler VPX. Because the NetScaler VPX will reboot when recabled, evaluate whether you would like to perform this task during a maintenance window.
- Create a security policy to allow application traffic between the DMZ and the corporate data center (zone: DMZ to Corporate). Note that the implicit deny rule will deny all inter-zone traffic except what is explicitly allowed by security policy.
  - Click Add in the Policies > Security section.
  - Give the rule a descriptive name in the General tab.
  - In the Source tab, set the Source Zone to DMZ and the Source Address to 192.168.10.0/24.
  - In the Destination tab, set the Destination Zone to Corporate and the Destination Address to 184.108.40.206/24.
  - In the Application tab, select the applications that you want to allow. For example, Oracle.
  - Set the Service to application-default.
  - In the Actions tab, set the Action Setting to Allow.
  - Leave all the other options at the default values.
  - Click Commit to save your changes.
For securing north-south traffic, see Secure North-South Traffic with the VM-Series Firewall. For an overview of the deployments, see Supported Deployments—VM Series Firewall on Citrix SDX.
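The policy lookup the steps above configure, as an added example that is not Palo Alto Networks or Citrix code: a toy first-match evaluation of the DMZ-to-Corporate rule followed by the PAN-OS default rules (intrazone-default allows, interzone-default denies), plus the equivalent CLI set-format lines for the rule. Zones and addresses are the ones from the steps; the rule name `dmz-to-corp-oracle` and the sample flows are constructed for this example, and the set lines follow PAN-OS CLI conventions and should be checked against your release's CLI reference before use.

```python
"""Toy first-match security policy lookup for the east-west flow above.

Added example, not Palo Alto Networks or Citrix code. Explicit rules are tried
top to bottom; if none matches, the default rules decide: same zone -> allow,
different zones -> deny (the 'implicit deny' the steps mention).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source: str        # CIDR or "any"
    destination: str   # CIDR or "any"
    application: str   # App-ID name or "any"
    service: str       # "application-default" or a service object name
    action: str        # "allow" or "deny"

    def _addr_ok(self, spec: str, addr: str) -> bool:
        # strict=False accepts host-style entries such as 184.108.40.206/24
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, flow: dict) -> bool:
        return (self.from_zone in ("any", flow["from_zone"])
                and self.to_zone in ("any", flow["to_zone"])
                and self._addr_ok(self.source, flow["src"])
                and self._addr_ok(self.destination, flow["dst"])
                and self.application in ("any", flow["app"]))


# The rule built in the steps above (values from the page; name is constructed).
DMZ_TO_CORP = Rule("dmz-to-corp-oracle", "DMZ", "Corporate",
                   "192.168.10.0/24", "184.108.40.206/24",
                   "oracle", "application-default", "allow")
RULEBASE = [DMZ_TO_CORP]


def lookup(rulebase, flow):
    """Return (rule name, action) for the first matching rule, else the default rule."""
    for rule in rulebase:
        if rule.matches(flow):
            return rule.name, rule.action
    if flow["from_zone"] == flow["to_zone"]:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def set_commands(rule):
    """Equivalent PAN-OS CLI set-format lines for the rule (entered in configure mode)."""
    base = f"set rulebase security rules {rule.name}"
    return [f"{base} from {rule.from_zone}",
            f"{base} to {rule.to_zone}",
            f"{base} source {rule.source}",
            f"{base} destination {rule.destination}",
            f"{base} application {rule.application}",
            f"{base} service {rule.service}",
            f"{base} action {rule.action}"]


def sample_flows():
    """Constructed flows: the allowed request plus the cases the implicit deny catches."""
    return {
        "dmz_to_corp_oracle": lookup(RULEBASE, {"from_zone": "DMZ", "to_zone": "Corporate",
                                                "src": "192.168.10.10", "dst": "184.108.40.206",
                                                "app": "oracle"}),
        "dmz_to_corp_ssh": lookup(RULEBASE, {"from_zone": "DMZ", "to_zone": "Corporate",
                                             "src": "192.168.10.10", "dst": "184.108.40.206",
                                             "app": "ssh"}),
        # Corporate-initiated connections to the DMZ are not covered by the rule.
        # Return packets of an allowed session never hit policy; they match the session table.
        "corp_to_dmz_oracle": lookup(RULEBASE, {"from_zone": "Corporate", "to_zone": "DMZ",
                                                "src": "172.16.10.20", "dst": "192.168.10.10",
                                                "app": "oracle"}),
        "dmz_to_dmz_web": lookup(RULEBASE, {"from_zone": "DMZ", "to_zone": "DMZ",
                                            "src": "192.168.10.10", "dst": "192.168.10.11",
                                            "app": "web-browsing"}),
    }


if __name__ == "__main__":
    for line in set_commands(DMZ_TO_CORP):
        print(line)
    for name, result in sample_flows().items():
        print(f"{name:20s} -> {result}")
```

Two points the sample flows make that the steps do not spell out: the return traffic described in the flow above is admitted by the firewall's session state, not by a second rule in the reverse direction, and traffic that stays inside one zone is allowed by the intrazone default rule even though no explicit rule mentions it, so put a deny rule above the defaults if you want DMZ-to-DMZ traffic controlled.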