Cisco Blogs

DMZ Basics

Lately I made the change from deep technical consultant to a more high-level, architect-like kind of consultant. I now do my work on the turning point between business and technique. One of my first jobs is to make my customer ready for an audit to use the Dutch official authentication method, which is called DigID.

There are several requirements that have to be fulfilled before the customer can make use of the DigID authentication method. One of these requirements is that all the internet-facing systems are placed in a DMZ. I tried to explain the importance of a well-functioning DMZ. For us as network specialists this fact is obvious, but a lot of people don’t understand the meaning and working of a DMZ. This blog is about the essentials a DMZ has to consist of.

First we need to understand what we are trying to achieve with a DMZ:
• Separation and identification of network areas
• Separation and isolation of internet facing systems
• Separation of routing and security policies

After understanding these goals, there is another point of interest: are you going to build your DMZ with dedicated switches, firewalls and ESX hosts (physical), or do you use a separate VLAN (virtual)? There is no clear answer; the fact is that bigger organizations build physical DMZs more often than smaller ones. Besides the technical aspect, there is of course a financial aspect. Out of the physical/virtual debate comes the debate whether to use two physical firewalls or one physical firewall with several logical interfaces. As with the physical/virtual debate, there is not just one answer.

For me personally, one physical firewall with several logical interfaces with tightly configured ACLs is as good as two physical firewalls. One could dispute this with the argument that if a hacker gains access to one firewall he gains access to the whole network. Personally I don’t think this is a valid argument, because when two physical firewalls are used they are often from the same vendor and use the same firmware with the same bugs and exploits. So if the hacker’s trick works on one firewall, it will often also work on the second one.

Some images to make the above a little more concrete.

A single firewall DMZ:

[Image: DMZ Basics]

Collaboration Notes from Cisco Live: Wednesday Wrap-Up

You know it’s a star-studded day when the morning starts with Rebecca Jacoby, the afternoon features Rowan Trollope and Jonathan Rosenberg, and the night ends with Steven Tyler and Joe Perry wearing this year’s freshly minted Cisco Live hat. Yes, Wednesday was a busy day.

If you somehow missed it, the word of the week is exponential. It’s a strong message in every major session I’ve attended — and for good reason. Thinking, development, change — we all know the basics of moving forward, but it’s adding exponential in front that will make the difference in your ability to disrupt yourselves, your markets, and your competitors. The exponential component is really what’s required to advance and succeed in the digital age. It’s simple math, really.

Read on for: Rowan Trollope and Jonathan Rosenberg, Industry Keynote, Intercloud, Innovation Session, Customer Appreciation Event, Customer Connection Program, Keep Up-to-Date Beyond Cisco Live

Collaboration Notes from Cisco Live: Tuesday Wrap-Up

Today was another busy day in a city by a bay. With the Cisco Live gears fully engaged, there were more sessions, more classes, and more of everything going on. Our product teams did presentations and trainings throughout the day. And the Collaboration booth was hopping, even without the lure of tradeshow-trick-or-treat swag. We had a constant stream of people checking out the latest collaboration goods and digging into details with product managers. I kept expecting a lull in activity. It never happened.

Read on for: Handisco, Peter Diamandis Keynote, Cisco Champions, Today’s Video, Auto-Reply for the Digital Age, and What’s Up for Wednesday

Cisco Live – It’s All About Networking

We are just a few weeks away from what has become my favorite event of the year: Cisco Live. I’ve been attending Cisco Live consistently for the last several years and this year I will be attending as a NetVet for the first time. What has kept me coming back year after year and, this time around, on my own dime and time? Well, there’s the World of Solutions where you can see all the new devices with the latest blinky lights, there is the incredible amount of brain-melting tech sessions, the keynote sessions, and of course the much anticipated Customer Appreciation Event (really, it’s all about the hat). At the end of it all though, the reason I keep coming back year after year is the people I meet, both new and known, who are my peers in the industry.

The Year was 2008…

My first Cisco Live was in Orlando, FL in 2008. It was, in a word, overwhelming. So many people, so many sessions, and so much information coming at you. Others have said it’s like drinking from a firehose and I would agree completely. It was both awesome and intimidating (especially being of the introverted type as a lot of us are). Twitter and other social media platforms were in their infancy at the time and other than the CAE, WoS, and meeting with your account team it was hard to connect with people. You know how they say New York City is the place where you can be among millions of people at once but be utterly alone? Yeah, it was kind of like that just on a smaller scale.

Upcoming Technology Trends at Cisco Live

Cisco Live in San Diego is right around the corner. It’s the place to be to meet with people, learn and stay current with the technology trends of the industry. What are some of the upcoming technology trends to watch out for at Cisco Live?

Software-Defined WAN (SD-WAN)

There is a lot of buzz about Software Defined Networks (SDN), Software Defined Data Centers (SDDC) and everything you can possibly think of and then adding software defined in front of it. Many of these technologies are not mature yet but SD-WAN is a viable technology as of now.

Cisco is realizing the SD-WAN through its technology called IWAN. IWAN is used when connecting to multiple Service Providers (SPs) and can more effectively work in such a setup than with vanilla routing. IWAN can choose the best exit, based on metrics such as latency, jitter and packet loss, which is not feasible with normal routing. It does this through a technology called Performance Routing (PfR). This technology was very complex in the past but has evolved to a much simpler configuration in its current revision. It can also help organizations save money by running DMVPN over the Internet instead of buying more costly MPLS circuits from the SP.