Placement of Firewall - Need Advice on other issues!


Post by Michel Marc » Tue, 13 Jun 2000 04:00:00



Hi.

Only my advice :

On Mon, 12 Jun 2000 04:16:43 GMT, "James Jones"


>Group,

>I have a linux server(MULTISERV I call it) running DNS, APACHE WEB, SEND
>MAIL, DHCP, FTP, AND TELNET.  This linux box has a static public IP address
>for obvious reasons.  I have 4 more to use and 10 people who will be using
>the web internally.

>I need to have a service that will allow IP Masquerading.  This is to take
>care of the 10 people who need to surf the web.  Should I use IPFWADM to do
>this?
yep.

>I also need to have Packet Filtering on the network because MULTISERV uses a
>static public address and I want restrict what can go in and out if the
>server which leads me to believe want a firewall.

>I understand that IPFWADM can do both packet filter and MASQ?  Please
>correct me if I am wrong.
You're right.

>I have a few options, please advise me on which option is the best to use.

>Option 1.  Install IPFWADM (or any other Linux Firewall recommended) on the
>MULTISERV Linux Server.  Setup both packet filtering and MASQ.   Install a
>second NIC in server.  DSL would plug into one NIC and the Intranet would
>plug into the other NIC.  Both NICs of course will have different IP
>addresses.
nope (see below)

>Option 2.  Buy a hardware based firewall preferably under $500 (please
>advise good solutions).  Plug the DSL into one firewall port and the
>Intranet in the other firewall port.  Just use the IPFWADM to perform MASQ
>on the MULTISERV.

yes but too expensive...

            -----------------     -------------    
Internet<-->|external router|<--->| MULTISERV |<-|
            -----------------     -------------  |
                          ------------------     |
             Your Lan <-->| IPFWADM & Masq |<----|
                          ------------------

The external router is more a DSL/Ethernet interface.

This way you have a DMZ in which you can place your servers and/or
proxies (you call it MULTISERV). If it gets compromised, your LAN
stays safe. With Ipfwadm masquerade, you allow/deny users to go
surfing on Internet. You allow *only* services usable by the insiders.

Read the firewall book of Chapman & Zwicky (O'Reilly I think).
Good luck.


>Preferably(financially) I would like to use option 1 IF it provides good
>enough security.
>Please advise on another other options that I might have that I am missing.

>Are there issues that I need to take into consideration regarding the
>current services running on MULTISERV when implementing a firewall?

>Thank you for your help!

>Jim Jones

--------------------------------
Michel Marcon
Sysadmin UNIX & Windows NT (I try)
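
The layout recommended in the post above, compared with Option 1, as an added example that is not part of the original thread. It is a small first-match model of the inner firewall's forwarding rules, not ipfwadm syntax; all addresses, ports and names are constructed assumptions, including the reading of the DMZ as one segment shared by the router, MULTISERV and the firewall's outer NIC.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for illustration; none of it comes from the thread.
LAN = ip_network("192.168.1.0/24")    # the 10 workstations
DMZ = ip_network("192.0.2.0/29")      # segment shared by router, MULTISERV, firewall
MULTISERV = "192.0.2.2"
ANY = ip_network("0.0.0.0/0")
ONLY_MULTISERV = ip_network("192.0.2.2/32")


@dataclass(frozen=True)
class Rule:
    action: str            # "masq" (forward and masquerade) or "deny"
    proto: str             # "tcp" or "udp"
    src: object            # source network
    dst: object            # destination network
    dport: int             # destination port


# Forwarding rules of the inner firewall: only services the insiders need.
# Anything that matches no rule falls through to the default policy, deny.
FORWARD = [
    Rule("masq", "tcp", LAN, ANY, 80),              # web browsing
    Rule("masq", "udp", LAN, ONLY_MULTISERV, 53),   # DNS served by MULTISERV
    Rule("masq", "tcp", LAN, ONLY_MULTISERV, 25),   # mail served by MULTISERV
]


def forward(proto, src, dst, dport, rules=FORWARD):
    """Verdict for a NEW connection crossing the inner firewall (first match wins).
    Replies to masqueraded connections are not modelled here."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.proto == proto and s in r.src and d in r.dst and r.dport == dport:
            return r.action
    return "deny"


# Segments MULTISERV has a NIC on in each layout.
OPTION_1 = (DMZ, LAN)     # dual-homed: MULTISERV itself is the firewall
DMZ_LAYOUT = (DMZ,)       # MULTISERV sits outside a separate filtering box


def from_multiserv(attached, proto, dst, dport):
    """What a connection opened from MULTISERV (e.g. after a compromise) meets."""
    if any(ip_address(dst) in net for net in attached):
        return "direct"   # same wire as the target: no filter in the path
    return forward(proto, MULTISERV, dst, dport)
```

With OPTION_1 a connection from MULTISERV to a workstation comes back "direct"; with DMZ_LAYOUT the same attempt has to cross the inner firewall and is denied by the default policy.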

 
 
 


Post by James Jone » Wed, 14 Jun 2000 04:00:00


Michael,

Thank you for your reply!  Just a little clarification needed!

In your option:

>             -----------------     -------------
> Internet<-->|external router|<--->| MULTISERV |<-|
>             -----------------     -------------  |
>                           ------------------     |
>              Your Lan <-->| IPFWADM & Masq |<----|
>                           ------------------

I have my internet cloud. Then onto my DSL router.  My DSL router plugs into
NIC#1(running real IP address) in Multiserv.  NIC #2(running fake IP
address) in multiserv connects to the HUB on my LAN.  Then on my LAN I have
another unit running FloppyFW or something.  The 10 workstations would be
configured to proxy the FloppyFW machine and the FloppyFW machine will
forward all valid requests to the NIC #2 for processing?  Is this correct?
If not could you take just a little more time to explain it.

If the above is correct if the Multiserv is compromised couldn't the hacker
just get to my 10 workstations and skip the FloppyFW machine altogether?
Please forgive me if I am wrong I am new to this.

Thanks for taking the time, I was afraid that this was such a simple
question that people in the newsgroup would just skip over it and never
answer.

Thank you!

Jim Jones





 
 
 

1. Need some firewall placement advice. Netopia Mandrake 8.0

Hey, I need some advice.

I would like to setup a linux box as a firewall.  I just need to know
where I should place it.

Here is what the current scenario looks like.  
(PLEASE NOTE: All IP numbers and addresses are made up)

Ok, I have a full class C of addresses, which is 100.100.100.x.
I have a Netopia router which does packet filtering and NAT.   This
router talks to our ISP router.  The WAN IP address for our router is
20.20.20.20.  The local address of the router is 192.168.1.1, this is
the Netopia.

The internal network looks like this:  

192.168.1.x are routers
192.168.2.x are servers
192.168.3.x are workstations
192.168.4.x are printers.

Some of the servers are web servers which talk to the outside via NAT
on the Netopia and the packet filtering which is done on the Netopia.

Now I am trying to figure out the best place to put the Linux box.  
Should I place the Linux box at the internet connection, which will
filter and then have it pass it on to the Netopia for NAT?   I would
like to use the packet filtering on the Netopia as an extra layer of
protection.   But should this be behind the firewall or should the
Netopia just be used as a straight router to push stuff to the
firewall?  My problem with this is how will NAT be handled then?

Please help.

thanks.

