
Re: Firewall design for evaluation

On Fri, Jan 31, 2003 at 08:25:15AM -0800, Marcus wrote:
> All machines in the DMZ will be dual homed, with
> point-to-point networks (252 subnets) connecting them
> to the gateway and choke firewalls. The idea of the
> 252 thing is to: Make it hard to fake an address on a
> DMZ machine, make it hard to mess with other machines
> in the DMZ

Well, first of all, you need to have two switches, one for the Internet side and
one for the more secure side. You can run both switches in secure mode, which
will allow the hosts only to send packets to the firewalls, but not to each
other.

Now you can either filter by MAC to be a bit safer about spoofing, or use VLANs
instead of secure mode, with the firewalls attached to the trunk ports. I would
not do the .252 subnet stuff, since it is a big waste of time and adds
absolutely no protection over VLANs or secure mode.

> backed up by a server in the LAN and fiber is needed
> for this. also see above. 

So you want to have your LAN connect to the DMZ? This is ugly. You do not need
fibre for it, and you forgot to mention how you are going to protect the LAN
from the DMZ.

> Originally each DMZ box had two interfaces on
> point to point networks to the choke and gateway, but
> this got too expensive. 

You can simulate this with VLANs or secure mode. VLANs are a bit better for the
firewall, because the firewall can detect which port on the switch was used to
send the traffic; secure mode is a bit more classic and therefore simpler and
less error-prone.

  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
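The VLAN variant of the layout discussed above, written out as a Linux firewall
script. This is an added example, not code from Bernd or Marcus: it assumes the
firewall's DMZ-side NIC is eth1 on an 802.1q trunk, that every DMZ host sits
alone on its own VLAN behind a protected, port-secured access port, that the
LAN is 192.168.1.0/24 on eth2 with a backup server at 192.168.1.5, and that the
Internet is on eth0; the VLAN IDs and 10.0.x.y addresses are made up. The point
it shows is the one in the reply: because each host arrives on its own VLAN
sub-interface, the firewall can bind the host's address to that sub-interface,
which is the anti-spoofing property the /30 point-to-point links were meant to
provide, and it can refuse DMZ-to-DMZ and DMZ-to-LAN traffic outright while
still letting the LAN backup server pull from the DMZ.

```shell
#!/bin/sh
# Added example for this thread, not code posted by either participant.
# Assumed layout (interface names, VLAN IDs and addresses are invented):
#   eth0 = Internet, eth1 = 802.1q trunk to the DMZ switch, eth2 = LAN.
#   Each DMZ host is alone on one VLAN (protected access port on the
#   switch), so the only thing it can ever talk to is the firewall.

INET_IF=eth0
DMZ_IF=eth1
LAN_IF=eth2
LAN_NET=192.168.1.0/24
BACKUP_SRV=192.168.1.5          # LAN host that pulls backups over ssh

# "vlanid hostaddress" per DMZ host; host N lives in 10.0.N.0/24 and the
# firewall takes .1 on that VLAN (constructed sample values).
DMZ_HOSTS="10 10.0.10.10
20 10.0.20.10
30 10.0.30.10"

# One VLAN sub-interface per DMZ host on the trunk (needs root, iproute2).
dmz_vlan_setup() {
    echo "$DMZ_HOSTS" | while read -r vid addr; do
        ip link add link "$DMZ_IF" name "$DMZ_IF.$vid" type vlan id "$vid"
        ip addr add "${addr%.*}.1/24" dev "$DMZ_IF.$vid"
        ip link set "$DMZ_IF.$vid" up
    done
}

# Emit the ruleset in iptables-restore format; nothing is applied here,
# so the output can be inspected or tested offline.
dmz_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    echo "$DMZ_HOSTS" | while read -r vid addr; do
        ifc="$DMZ_IF.$vid"
        # Anti-spoofing: the only source allowed on host N's VLAN is host N.
        # A DMZ box that forges another box's address is dropped right here.
        echo "-A INPUT -i $ifc ! -s $addr -j DROP"
        echo "-A FORWARD -i $ifc ! -s $addr -j DROP"
        # No DMZ host reaches another DMZ host, not even via the firewall.
        echo "-A FORWARD -i $ifc -o $DMZ_IF.+ -j DROP"
        # The "how do you protect the LAN from the DMZ" answer: DMZ never
        # initiates towards the LAN; only replies (conntrack above) get back.
        echo "-A FORWARD -i $ifc -d $LAN_NET -j DROP"
        # What the host is for: web from the Internet, DNS lookups outbound.
        echo "-A FORWARD -i $INET_IF -o $ifc -d $addr -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
        echo "-A FORWARD -i $ifc -o $INET_IF -s $addr -p udp --dport 53 -j ACCEPT"
    done
    # Backups: the LAN server opens ssh to the DMZ, the DMZ only answers.
    echo "-A FORWARD -i $LAN_IF -o $DMZ_IF.+ -s $BACKUP_SRV -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    echo "COMMIT"
}

dmz_apply() {
    dmz_ruleset | iptables-restore
}

case "${1:-}" in
    apply) dmz_vlan_setup && dmz_apply ;;
    show)  dmz_ruleset ;;
esac
```

Run it as `sh dmzfw.sh show` to review the generated rules, or `apply` on the
firewall itself. The per-VLAN `! -s` drop is what the /30 subnets were trying
to achieve: with a flat DMZ on one segment the firewall cannot tell which box
sent a packet, while here the sub-interface name already identifies the port.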
