Re: OT: Advice on network setup

Hi Doug,

Thanks for your input.

On Fri, Jan 31, 2003 at 01:17:55PM -0400, Douglas Guptill wrote:
> On Fri, Jan 31, 2003 at 10:13:29AM +1100, Lucas Barbuto wrote:
> Point 1.
> --------
> > I've been given the task of installing a firewall router in a
> > data-centre that will sit in front of a bunch of co-located
> > machines.
> You should be concerned with what the goals are for the firewall.

The goals are clearly defined
mentioned them but I'm always afraid that my posts will become too long
and confusing and people won't read them... see I'm doing it again!

Anyway, the goals are:

1)      To count traffic for our co-located hosts because the ISP isn't
doing it for us.  I'm planning to use ipac-ng for this.  I already use
it here in the office and it seems to work well.  We need this for
billing our clients.

2)      To provide a firewall for clients who request it.  They don't
necessarily need to understand what it does as long as we do and we can
say "We can block attacks like Slammer last week by closing off the
MSSQL ports".  We can charge money for this service and it's low
maintenance for us.

> Everyone knows what a firewall is, right?  :-)

Well no, but everyone's heard of them.  The firewall is going to be an
added service for our co-location customers.  We need the box there
anyway to count traffic, we might as well be making a bit more money out
of it by offering a security service.  I'm happy to explain to the
clients what it will and won't do (to the best of my ability, although
as you can tell I'm not an expert) and then they can decide whether or
not it's worthwhile.

> From what you say, it appears that you may need to refresh your
> knowledge of sub-networking.  What you are proposing in the diagram
> (very nicely done, BTW) will not work, In My Humble Opinion.

Yes, I do need to refresh my memory of sub-networking
(and I forgot to bring my text books into work today).

> What will work?  What configuration do I recommend?  That depends
> *very* much on what you want to achieve by installing a firewall.
> In particular, do you want/need to maintain the visibility of
> the co-located hosts with their public IPs?

Yes, definitely.  It needs to be transparent.  It needs to count traffic
going in and out and I'd like to be able to block ports on a per host

So now that you know, advice please!?!  :)
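An added example, not code from Lucas's or Doug's mail, of how the two goals above (per-host traffic counting, per-host port blocking) could be expressed as iptables rules on a transparent bridging firewall. The interface names, the bridge-netfilter setup, the 203.0.113.0/24 host addresses and the ACCT_ chain naming are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: a Linux bridge joining
# eth0 (toward the ISP) and eth1 (toward the co-lo switch) with bridge
# netfilter enabled, so iptables sees bridged IPv4 frames and the hosts
# keep their public IPs. Host addresses are made-up documentation ones.
# Run with --apply as root; with no argument nothing is executed.
# Set IPT="echo iptables" to print the rules instead of loading them.
IPT=${IPT:-iptables}
UPLINK=eth0

# Goal 1: one counting chain per host. The RETURN rules only carry the
# byte/packet counters that ipac-ng (or iptables -nvxL) reads for billing.
account_host() {
    host=$1
    chain="ACCT_$(echo "$host" | tr . _)"
    $IPT -N "$chain"
    $IPT -A "$chain" -d "$host" -j RETURN   # bytes delivered to the host
    $IPT -A "$chain" -s "$host" -j RETURN   # bytes sent by the host
    $IPT -A FORWARD -s "$host" -j "$chain"
    $IPT -A FORWARD -d "$host" -j "$chain"
}

# Goal 2: drop inbound traffic to one port on one host. Matching on the
# uplink port (physdev) leaves the host's own outbound connections alone.
# -I puts the drop ahead of the counting rules, so blocked traffic is not
# billed to the client.
block_port() {
    host=$1 proto=$2 port=$3
    $IPT -I FORWARD -m physdev --physdev-in "$UPLINK" \
        -d "$host" -p "$proto" --dport "$port" -j DROP
}

setup_firewall() {
    $IPT -P FORWARD ACCEPT          # transparent unless a block is requested
    account_host 203.0.113.10
    account_host 203.0.113.11
    # Client .10 asked for the MS SQL ports Slammer used to be closed:
    block_port 203.0.113.10 udp 1434
    block_port 203.0.113.10 tcp 1433
}

if [ "${1:-}" = "--apply" ]; then
    setup_firewall
fi
```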
