How to Set Up a Secure Reverse Proxy Architecture?

Asked By TechNinja42 On

Hey folks! I'm diving into network segmentation at my workplace, which is about 90% on-prem. The goal is to move our servers to a dedicated VLAN with proper firewall filtering, but I could use some advice on how to craft a solid architecture. Here's what I'm thinking so far:
- Shift all App and DB servers to a dedicated VLAN
- Set up a DMZ zone on the firewall (not sure if I should use a VLAN or a dedicated physical interface)
- Install a reverse proxy with a Web Application Firewall (WAF) in the DMZ
- Apply app-specific firewall rules between the reverse proxy and the app server, allowing only necessary traffic (like ports 80 and 443) while blocking everything else.

I'm considering using BunkerWeb or SafeLine for the reverse proxy and WAF since it could help with centralizing configuration and certificate management. The intended flow would be:
Internet -> Firewall (Ingress Policy) -> DMZ Reverse Proxy -> Firewall (Filtering Policy) -> Internal Server.

However, I'm unsure about the best approach for the internal routing. I want to avoid configuring certificates on each application server and don't want users connecting directly to them. Is deploying a second reverse proxy for internal traffic a bad idea? I'd love any examples of a properly implemented infrastructure.

Here's some extra info:
- We have around 200 internal users and the same amount externally
- IT team consists of just me and one colleague, so I need an automated setup with minimal overhead
- The backup infrastructure is already on a dedicated VLAN with strict access, so it's not part of my project.

Sorry if my writing is rough; English isn't my first language. Thanks in advance!
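
The filtering policy sketched in the question (ingress only to the DMZ proxy, proxy to app servers on 80/443, everything else dropped) can be checked before it is pushed to the firewall. The following is an added example, not code from the question or from BunkerWeb/SafeLine; the VLAN subnets, the proxy address and the Management zone suggested in the answers are all constructed assumptions. It classifies a flow into zones by subnet, evaluates a first-match rule list with default deny, and audits the list for any rule that would let users or the Internet reach the Servers VLAN directly instead of through the proxy.

```python
"""Zone-based model of the policy
Internet -> Firewall -> DMZ reverse proxy -> Firewall -> Servers VLAN.
All subnets and addresses below are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed VLAN subnets; any address outside them is treated as "Internet".
ZONES = {
    "Users":      ipaddress.ip_network("10.10.0.0/16"),
    "Servers":    ipaddress.ip_network("10.20.0.0/24"),
    "DMZ":        ipaddress.ip_network("10.30.0.0/24"),
    "Management": ipaddress.ip_network("10.40.0.0/24"),
}
PROXY_IP = ipaddress.ip_address("10.30.0.10")   # constructed DMZ reverse proxy / WAF
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Rule:
    src_zone: str                     # zone name or "ANY"
    dst_zone: str                     # zone name or "ANY"
    ports: frozenset                  # empty set = any destination port
    action: str                       # "allow" or "deny"
    dst_host: Optional[ipaddress.IPv4Address] = None  # pin the rule to one host


# First match wins; anything that matches nothing is denied.
POLICY = [
    Rule("Internet", "DMZ", frozenset({443}), "allow", PROXY_IP),   # ingress policy: TLS to the proxy only
    Rule("Users", "DMZ", frozenset(WEB_PORTS), "allow", PROXY_IP),  # LAN clients reach the proxy via split DNS
    Rule("DMZ", "Servers", frozenset(WEB_PORTS), "allow"),          # filtering policy: proxy -> app servers
    Rule("Management", "ANY", frozenset(), "allow"),                # admin VLAN for hypervisors and switches
]


def zone_of(ip) -> str:
    """Map an address to its zone; unknown addresses are the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Internet"


def evaluate(src_ip, dst_ip, dst_port) -> str:
    """Return 'allow' or 'deny' for one flow under first-match, default-deny semantics."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in POLICY:
        if r.src_zone not in ("ANY", src) or r.dst_zone not in ("ANY", dst):
            continue
        if r.ports and dst_port not in r.ports:
            continue
        if r.dst_host is not None and ipaddress.ip_address(dst_ip) != r.dst_host:
            continue
        return r.action
    return "deny"


def bypass_rules(policy) -> list:
    """Audit: allow rules that let a source other than the DMZ proxy (or the
    Management VLAN) reach the Servers zone on web ports, i.e. a second route
    around the reverse proxy and its WAF."""
    return [r for r in policy
            if r.action == "allow"
            and r.dst_zone in ("Servers", "ANY")
            and r.src_zone not in ("DMZ", "Management")
            and (not r.ports or r.ports & WEB_PORTS)]
```

Run `bypass_rules(POLICY)` whenever the rule list changes: an empty result means every web path into the Servers VLAN still goes through the DMZ proxy.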

5 Answers

Answered By SegmentationKing On

I recommend going with split DNS too. We’re successfully using it where I work—it means having a local DNS record instead of relying on public DNS. Definitely configure VLANs for your setup. Your user and server VLANs will need access to the internal DMZ IP of the reverse proxy, which should handle ports 80 and 443. I would suggest at least four VLANs: DMZ, Users, Servers, and Management for things like hypervisor access and switch interfaces.

VLANWarrior -

Exactly! If you're segmenting, go all in. Devote zones for different types of servers, like having a separate zone for SQL servers. It's a bit of work on the rules, but it makes your network safer.

Answered By ProxyMaster99 On

When using reverse proxies, a solid approach is to modify local DNS so that it points to the reverse proxy for your domains. This way, local clients will see the proxy's IP and connect without needing alternate routes or certificate hassles. Just be cautious of having two different routes to your services to avoid configuration mismatches that could lead to exposing vulnerabilities or blocking necessary access. I personally love using reverse proxies for security; I even have some of my remote servers acting solely as reverse proxies that communicate over a secure VPN to keep things tight on my network.

DNSGuru22 -

Totally agree! I find split DNS to be more reliable for these setups; as long as all your user VLANs can access the reverse proxy directly, you're good to go.
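
The split-DNS point made in the two answers above (internal records for the service names point at the proxy's DMZ address, public records at the firewall's public address, and never two different routes to the same service) can be verified mechanically. The following is an added example, not code from any poster; the service names, the backend addresses, the proxy address 10.30.0.10 and the public address 203.0.113.10 are constructed. It audits the two resolver views against the list of published services and emits the A records the internal view should carry.

```python
"""Consistency check for split DNS in front of a DMZ reverse proxy.
Inside the LAN a service FQDN must resolve to the proxy's DMZ address, outside
to the public edge address, and never straight to a backend server.
All names and addresses are constructed for this example."""
import ipaddress

PUBLIC_EDGE_IP = "203.0.113.10"      # constructed: public address NATed to the proxy
PROXY_INTERNAL_IP = "10.30.0.10"     # constructed: reverse proxy's DMZ address
SERVERS_VLAN = ipaddress.ip_network("10.20.0.0/24")  # constructed app/DB VLAN

# Services the proxy publishes and the backend each one is forwarded to.
SERVICES = {
    "portal.example.com": "10.20.0.5",
    "wiki.example.com":   "10.20.0.6",
    "erp.example.com":    "10.20.0.7",
}

# Constructed A records as the two resolver views would answer them.
EXTERNAL_VIEW = {
    "portal.example.com": PUBLIC_EDGE_IP,
    "wiki.example.com":   PUBLIC_EDGE_IP,
    "erp.example.com":    PUBLIC_EDGE_IP,
}
INTERNAL_VIEW = {
    "portal.example.com": PROXY_INTERNAL_IP,
    "wiki.example.com":   "10.20.0.6",   # mistake: LAN clients would skip the proxy and WAF
    # erp.example.com is missing, so LAN clients fall back to the public answer
}


def audit_split_dns(services, internal_view, external_view):
    """Return (fqdn, problem) pairs for every record that creates a second route
    to a service or leaves LAN clients on the public address."""
    findings = []
    for fqdn, backend in services.items():
        ext = external_view.get(fqdn)
        if ext != PUBLIC_EDGE_IP:
            findings.append((fqdn, f"external record is {ext}, expected {PUBLIC_EDGE_IP}"))
        internal = internal_view.get(fqdn)
        if internal is None:
            findings.append((fqdn, "no internal record; LAN clients resolve the public address"))
        elif ipaddress.ip_address(internal) in SERVERS_VLAN:
            findings.append((fqdn, f"internal record {internal} bypasses the proxy (backend {backend})"))
        elif internal != PROXY_INTERNAL_IP:
            findings.append((fqdn, f"internal record {internal} is not the proxy"))
    return findings


def internal_zone_lines(services, proxy_ip=PROXY_INTERNAL_IP):
    """A records the internal view should carry: every published FQDN -> proxy."""
    return [f"{fqdn}. IN A {proxy_ip}" for fqdn in sorted(services)]


if __name__ == "__main__":
    for fqdn, problem in audit_split_dns(SERVICES, INTERNAL_VIEW, EXTERNAL_VIEW):
        print(f"{fqdn}: {problem}")
    print("\n".join(internal_zone_lines(SERVICES)))
```

Feeding the audit the live answers from the internal and external resolvers (for example after adding a service to the proxy) catches exactly the "two different routes" mismatch ProxyMaster99 warns about before users hit it.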

Answered By NetworkWhiz43 On

Your architecture looks solid! While I can’t comment on specific software choices since I stick to open-source solutions on Linux, versatility in software is a good thing. For the internal routing, keep everything funneled through the same reverse proxy. You should point the FQDNs for your services to the proxy and keep the servers in a secured VLAN. It's best to handle migrations slowly—move one service at a time, debug any issues, and then continue with the next one. It'll keep things organized and manageable!

Answered By SecurityFan101 On

If you're opting for software like BunkerWeb, I'm all for it! They’re a great open-source option with a solid community backing. Just make sure to consider privacy and security aspects of any software you choose, especially if it has obscure origins. SafeLine claims to be open-source too, but who knows what's really behind the scenes, especially with how data is handled.

Answered By FirewallWizard88 On

Consider placing a WAF in front of your reverse proxy for an extra layer of defense. Physical control is usually best for performance!
