RE: [fw-wiz] separating the servers on a switch

From: Ian Webb (webbi@sapc.edu)
Date: 09/14/02


From: "Ian Webb" <webbi@sapc.edu>
To: <firewall-wizards@honor.icsalabs.com>
Date: Sat Sep 14 13:57:01 2002

You could also use a firewall that lets you set policies between VLANs
on the same interface. I know Netscreens can do that, not sure about
other firewalls.

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of m p
Sent: Thursday, September 12, 2002 2:43 PM
To: Shimon Silberschlag
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] separating the servers on a switch

[ Sorry, I hit send too fast. I'm resending it in full :) ]

--- Shimon Silberschlag <shimons@bll.co.il> wrote:
> The servers need to talk with the uplink (internet) servers, the
> downlink (backend) servers. This is trivially done with the firewalls.
> What we want to do is control which servers on the segment talk among
> themselves.
>
> Shimon Silberschlag

The only way to solve the problem I can think of is to install more
firewalls / packet filters and give each server a separate interface on
that firewall. It would look like this (in good old ASCII art):

            Internet
                |
                |
    screening router / Firewall (already in place)
                |
                |
Public DMZ Firewall - Server 1
                | | |__ Server 2
                | |____ Server 3
                |
                |
    screening router / Firewall (already in place)
                |
                |
Private DMZ Firewall - Server 1
                  | |__ Server 2
                  |____ Server 3
             

VLANs are not secure. You may circumvent them. Even if you define VLANs -
how do you control the traffic in them?

The smoothest way to do that is, from my point of view, to install *BSD
(or, if you are more familiar with it, the word with L.... ;), put them
into bridging mode and install a kind of packet filter (perhaps with a
self-train phase) upon them. Put a management link with an IP into them.
Voila. Your mileage may vary.

The plus is that you don't have to go into subnetting your IP range into
smaller pieces, you take load off the main firewalls, and if you don't
change the TTL or other headers there is virtually no way to detect them.
The downside is that you add a layer of complexity and a single point of
failure.

Just my 2 cents.

Marc

> ----- Original Message -----
> From: "m p" <sumirati@yahoo.de>
> To: "Shimon Silberschlag" <shimons@bll.co.il>
> Sent: Thursday, September 12, 2002 15:56
> Subject: Re: [fw-wiz] separating the servers on a switch
>
>
> > Hi Shimon,
> >
> > please decompress your question && resend it.
> >
> > thanks
> >
> > marc
> >
> > ps: look for the comment.
> >
> > --- Shimon Silberschlag <shimons@bll.co.il> wrote:
> > > Let's say we have an internet segment, protected by firewalls at both
> > > ends. On that segment are various servers.
> > > The servers need to talk to other servers outside the segment; uplink
> > > it's the internet, downlink the backend servers.
> > > Some of the servers need to be able to talk among them.
> >
> > ^-- from here on it is not clear which servers are which and on which
> > link they are.
> >
> > > We want to control which server can talk to which other server (in the
> > > segment), utilizing one of the firewalls (let's say the uplink one).
> > > Can the group suggest ways to accomplish that? We thought about using
> > > L2 switches with "private VLAN", L3 switches with ACL, but constantly
> > > come across problems doing the routing properly.
> > >

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
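The bridging packet filter Marc sketches above, written out as an added example that is not from the thread: an OpenBSD pf ruleset in current syntax (the 2002 tools differed) for a box whose bridge0 spans em0, facing the rest of the segment with its uplink and downlink firewalls, and em1..em3, one server per port, with em4 as the management link. The interface names, the server addresses 192.0.2.10-12, the management network 10.200.0.0/24 and the two permitted server-to-server flows are all constructed for the illustration.

```pf
# /etc/pf.conf for a transparent bridging filter (added example, not from the thread).
# Assumed host setup (OpenBSD, constructed names/addresses):
#   /etc/hostname.em0 .. em3 : "up"                          (no address: transparent)
#   /etc/hostname.em4        : "inet 10.200.0.2 255.255.255.0" (management link)
#   /etc/hostname.bridge0    : "add em0 add em1 add em2 add em3 up"

segment = "em0"                 # toward the rest of the segment (both firewalls)
servers = "{ em1 em2 em3 }"     # one server behind each port
mgmt    = "em4"
mgmt_net = "10.200.0.0/24"

# Server addresses stay as they are on the existing segment; no renumbering.
srv1 = "192.0.2.10"
srv2 = "192.0.2.11"
srv3 = "192.0.2.12"
table <servers_ip> { 192.0.2.10 192.0.2.11 192.0.2.12 }

set skip on lo0
# Deliberately no "match ... scrub": the bridge must not rewrite TTL or other
# IP headers, otherwise its presence becomes observable.

# Default deny. Blocked packets are logged to pflog0, which is the "training"
# phase: watch the inter-server flows with
#   tcpdump -n -e -ttt -i pflog0
# and then write explicit pass rules for the ones that are legitimate.
block log all

# Management only over the dedicated interface, never through the bridge.
pass in on $mgmt proto tcp from $mgmt_net to ($mgmt) port 22

# Server <-> uplink/downlink traffic is already policed by the existing
# firewalls; let it through. pf keeps state by default, and the state is
# floating, so one "pass in" per direction covers the matching "out" on the
# other bridge member.
pass in on $segment from ! <servers_ip> to <servers_ip>
pass in on $servers from <servers_ip>   to ! <servers_ip>

# Server <-> server: only the flows listed here; everything else on the
# segment stays blocked by the default rule above.
pass in on em1 proto tcp from $srv1 to $srv2 port 3306        # srv1 -> srv2 DB
pass in on em3 proto tcp from $srv3 to $srv1 port { 80 443 }  # srv3 -> srv1 web
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Two caveats that follow from Marc's own description: pf filters IP on the bridge but does not filter ARP, so the servers still see each other at layer 2, and the bridge is an extra single point of failure on the path of every server behind it.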


