Firewall design for evaluation
I'm in charge of reworking my company's firewall structure. We went through a few designs, and I think everyone is happy with this one. Figured I'd post it here and see if anyone can find any hotspots.
To keep it basic...

Traffic enters through a Cisco 26xx router, running lightweight packet filtering. It connects directly to a dual-homed Netfilter gateway firewall. That connects to a Cisco 35xx switch. This is the DMZ.

All machines in the DMZ will be dual-homed, with point-to-point networks (252 subnets) connecting them to the gateway and choke firewalls. The idea of the 252 thing is to make it hard to fake an address on a DMZ machine, and to make it hard to mess with other machines in the DMZ.

Back to it: each DMZ machine will connect to the 35xx switch on one interface.

We will have three Netfilter choke firewalls, each with several interfaces. Each DMZ machine connects to a choke through a direct point-to-point connection. There will also be three crossover cables in the DMZ, one to each choke. This is for the rare non-proxyable protocol, logging, etc. The choke firewalls then connect to the local LAN through fiber.
Things you might be thinking:

- Why so many chokes?
Some of our most heavily used servers will be in the DMZ. Load balancing and minimizing single points of failure. Some servers will be connecting to the chokes with fiber. Also, the DMZ machines need to be backed up by a server in the LAN, and fiber is needed for this. Also see above.

- Why so many interfaces/networks/etc.?
Trying to minimize the power of an owned machine in the DMZ. Originally each DMZ box had two interfaces on point-to-point networks to the choke and gateway, but this got too expensive.

- That's stupid. Why don't you have standalone firewalls on each DMZ machine?
A few of the DMZ machines will be Linux based, but most are Microsoft machines. Despite being hard/expensive to firewall, they are not my responsibility (almost a hands-off affair).

- You dummy, your one point of failure is the gateway!
There will be a hardware duplicate of the gateway machine on standby. I know that, with some clever scripting, there is a way to make it fail over automatically, but this is currently beyond me. We also have a spare router.
Well, there it is. Hope I didn't forget anything.
Thanks for any feedback!
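The "252 subnets" idea in the post, as an added Python example that is not part of the original message: it carves one 255.255.255.252 (/30) point-to-point link per DMZ host out of a pool and emits the Netfilter rules a choke firewall would use to pin each interface to its single legitimate peer address and to keep DMZ boxes from using the choke to reach each other. Host names, interface names, the address pool and the LAN range are constructed assumptions, not values from the post.

```python
import ipaddress

# Constructed sample: the DMZ hosts hanging off one choke firewall and the
# choke interface each one is cabled to. Names and addresses are assumptions.
DMZ_HOSTS = [
    ("www1", "eth1"),
    ("mail1", "eth2"),
    ("dns1", "eth3"),
]
P2P_POOL = "10.10.0.0/24"    # pool the /30 (netmask .252) links are carved from
LAN_IFACE = "eth0"           # choke interface facing the internal LAN
LAN_NET = "192.168.0.0/16"   # assumed internal LAN range


def allocate_p2p_links(pool, hosts):
    """Carve one /30 per DMZ host out of the pool.

    A /30 holds exactly two usable addresses, so each link has one choke
    address and one DMZ address; any other source on that wire is bogus.
    """
    subnets = ipaddress.ip_network(pool).subnets(new_prefix=30)
    links = {}
    for (name, iface), net in zip(hosts, subnets):
        choke_ip, dmz_ip = list(net.hosts())
        links[name] = {"net": net, "iface": iface, "choke": choke_ip, "dmz": dmz_ip}
    return links


def check_ingress(links, iface, src_ip):
    """True if src_ip is the one address allowed to arrive on this interface."""
    src = ipaddress.ip_address(src_ip)
    for link in links.values():
        if link["iface"] == iface:
            return src == link["dmz"]
    return False  # unknown interface: nothing is legitimate there


def choke_rules(links, lan_iface=LAN_IFACE, lan_net=LAN_NET):
    """Generate the iptables forwarding policy for a choke built on these links."""
    lan = ipaddress.ip_network(lan_net)
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for link in links.values():
        iface, dmz_ip = link["iface"], link["dmz"]
        # Anti-spoofing: only the single peer address may arrive on this link.
        rules.append(f"iptables -A FORWARD -i {iface} ! -s {dmz_ip} -j DROP")
        # The choke is a path to the LAN only; a DMZ box may not use it to
        # reach another DMZ box's link.
        rules.append(f"iptables -A FORWARD -i {iface} ! -o {lan_iface} -j DROP")
        # Traffic the LAN side sends toward this DMZ box must carry a LAN source.
        rules.append(f"iptables -A FORWARD -i {lan_iface} -o {iface} ! -s {lan} -j DROP")
    return rules


if __name__ == "__main__":
    links = allocate_p2p_links(P2P_POOL, DMZ_HOSTS)
    for name, link in links.items():
        print(f"{name}: {link['net']} choke={link['choke']} dmz={link['dmz']} via {link['iface']}")
    print("\n".join(choke_rules(links)))
```

Running the block prints the link table and the rule list; the rules are emitted as text rather than applied, so they can be reviewed before being loaded on a real choke. The per-interface `! -s` drop is what makes the 252-netmask idea bite: a DMZ host that forges another host's address is discarded at the choke because that address can only legitimately arrive on a different interface.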