Saturday, March 19, 2011

Web Application Firewall (WAF) Deployments

1. Simple single-homed Profense implementation

Figure: Simple single-homed Profense implementation

This scenario is the easiest to implement, since Profense can be introduced into the existing network without any major reconfiguration. A caveat with this setup is that all Profense traffic (both inbound from clients and outbound to the web systems) uses a single Ethernet interface.

Profense is placed on the same network (DMZ) as the web systems (web1 and web2) it is protecting.

HTTP/HTTPS traffic destined for the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering the DNS records for the web systems) to Profense’s IP address 192.168.0.2.

The web systems’ default gateway is unaltered and is still the router with IP address 192.168.0.1.

2. Firewalled single-homed Profense implementation

Figure: Firewalled single-homed Profense implementation

This scenario requires an extra interface in the firewall, since Profense is deployed in a DMZ segment separated from the segment in which the web servers are placed. A caveat with this setup is that all Profense traffic (both inbound from clients and outbound to the web systems) uses a single Ethernet interface.

A separate network segment (subnet 2) is configured between Profense and the firewall.

HTTP/HTTPS traffic destined for the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering the DNS records for the web systems) to Profense’s IP address 192.168.1.10.

Outbound traffic from Profense to the web systems is inspected again by the firewall and sent to the web systems on subnet 3.

The web systems’ default gateway is the firewall with IP address 192.168.0.1.

3. Firewalled Profense implementation with a fail-over/backup Profense

Figure: Firewalled Profense implementation with a fail-over/backup Profense

In this scenario Profense is deployed in a high availability configuration with an extra Profense (backup) used for fail-over. A dedicated network or crossover cable connects the Profense cluster, and a separate interface is used for synchronization of state between the active and the backup Profense. Inbound and outbound traffic share the same interface.

The two Profense systems share a virtual (VIP) IP address 192.168.1.12.

HTTP/HTTPS traffic destined for the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering the DNS records for the web systems) to Profense’s VIP address 192.168.1.12.

If the active Profense system fails or loses connectivity, the backup takes over the VIP and starts handling the requests from clients.

The web systems’ default gateway is the firewall with IP address 192.168.0.1.

4. Dual-homed performance optimized Profense implementation

Figure: Dual-homed performance optimized Profense implementation

In this scenario Profense is configured in a dual-homed setup with separation of inbound and outbound web traffic. Two Ethernet interfaces are used. Client requests are terminated in VLAN2 and responses from the web systems are terminated in VLAN3. This setup (or a similar one) potentially provides greater performance (since two interfaces are used) and better security.

A separate network segment (VLAN2) is configured between Profense and the layer 3 switch.

HTTP/HTTPS traffic destined for the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering the DNS records for the web systems) to Profense’s IP address 192.168.1.9.

Outbound traffic (downstream) from Profense is sent to the web systems via VLAN3.

The layer 3 switch is configured to allow only traffic on the necessary ports (typically 80/tcp for HTTP and 443/tcp for HTTPS) to pass from Profense to the web systems.

The web systems’ default gateway is the layer 3 switch with IP address 192.168.0.1.
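The VLAN3 allow-list described in scenario 4 can be modelled and checked before it is pushed to the switch. The following is an added example, not part of the original post or of the Profense product: a small first-match ACL evaluator built from the page's addresses (web1 192.168.0.3, web2 192.168.0.4, ports 80/tcp and 443/tcp). Profense's own address on VLAN3 is not given on the page, so 192.168.0.2 is assumed; the `Packet`, `Rule`, `build_vlan3_acl`, `evaluate` and `denied` names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses from the deployment scenario. Profense's address on VLAN3 (the
# downstream side) is not stated on the page; 192.168.0.2 is an assumed value.
WEB_SYSTEMS = ["192.168.0.3", "192.168.0.4"]   # web1, web2
PROFENSE_DOWNSTREAM = "192.168.0.2"            # assumed VLAN3 address
ALLOWED_PORTS = frozenset({80, 443})           # HTTP and HTTPS only

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]          # None matches any protocol
    dports: frozenset             # empty set matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (not self.dports or pkt.dport in self.dports))

def build_vlan3_acl() -> list:
    """Allow-list for the VLAN3 side of the switch: only Profense may reach
    web1/web2, and only on 80/tcp and 443/tcp; everything else is dropped."""
    acl = [Rule("allow", ipaddress.ip_network(PROFENSE_DOWNSTREAM + "/32"),
                ipaddress.ip_network(web + "/32"), "tcp", ALLOWED_PORTS)
           for web in WEB_SYSTEMS]
    acl.append(Rule("deny", ipaddress.ip_network("0.0.0.0/0"),
                    ipaddress.ip_network("0.0.0.0/0"), None, frozenset()))
    return acl

def evaluate(acl: list, pkt: Packet) -> str:
    """First-match evaluation, the way a typical switch ACL is processed."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # implicit deny when nothing matched

def denied(acl: list, packets: list) -> list:
    """Packets the ACL would drop; handy when reviewing a capture for hosts
    that try to reach web1/web2 directly instead of through the WAF."""
    return [p for p in packets if evaluate(acl, p) == "deny"]
```

Any source other than Profense, any port other than 80/443, and any non-TCP protocol falls through to the final deny rule, which is exactly the property the layer 3 switch is meant to enforce.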
