Re: [fw-wiz] Maximum number of subnets on a firewall

From: Mark Tinberg (mtinberg_at_securepipe.com)
Date: 02/17/04

    To: Paolo Supino <paolo@telmap.com>
    Date: Tue, 17 Feb 2004 11:10:05 -0600 (CST)
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Thu, 12 Feb 2004, Paolo Supino wrote:

    > A couple of weeks ago I sent an email about a possible firewall layout for
    > 3 companies. After reading the answers and doing some drawings in Visio (if
    > anyone has a better tool, please let me know) I set up the firewall in the
    > following way

    Let me know if this is incorrect

                             |- Company A
                             |- Company B
                             |- Company C
      -- Router -- Firewall |- DMZ
                             |- DMZ A
                             |- DMZ B
                             |- DMZ C
                             |- WiFi
                             |- Management

    Looks like you did pretty well within the constraints you were given. Now
    that you've segmented the network into separate parts you need to worry
    about the security policy for each segment and how it relates to each
    other segment. For the most part there should not be any relationship:
    Company A doesn't talk to Company B, the DMZs don't have any traffic
    allowed to any other segment (including outbound), and no segment has
    unrestricted traffic to any other segment (this includes inside -> DMZ or
    inside -> outside).

    Default deny all ruleset, add things in as you come across them.

    The management network, depending on how much stuff it's connected to,
    could be a weak link. If the equipment in the DMZs and each company's
    internal networks is dual-homed to the management subnet, then you've
    given up many of the security benefits, as malicious traffic won't have to
    traverse the firewall to get where it's going. As someone else said, it's
    like putting a post up in a field and hoping your attacker runs into it.
    This might be good enough for virus or worm traffic, but even some
    wet-nosed kid can probably figure out that the machines are dual-homed and
    have their way with them.

    Anyway, after you've figured this all out, and how you're going to handle
    logs from the firewall then you can start worrying about building up IDS
    units for these segments so you can monitor the traffic that you are
    allowing. 8^) The fun never ends!

    - --
    Mark Tinberg <MTinberg@securepipe.com>
    Network Security Engineer, SecurePipe Inc.
    New Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)
    Comment: For info see http://quantumlab.net/pine_privacy_guard/

    iD8DBQFAMkrvFu7F5OUjbGcRAq5vAKDBp77ue1Q8lKZ3r8RJOLch4gitUQCgrRkA
    wQtQfzmULDgKlS4/aZTfIvo=
    =y/vZ
    -----END PGP SIGNATURE-----
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
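The two points Mark makes above, a default-deny ruleset that only carries explicit per-segment allows, and a management subnet that becomes a bypass path once hosts are dual-homed onto it, can be modelled and audited in a few lines. The following is an added example and is not code from the message or from SecurePipe; the segment names follow the diagram, while the rules, ports and host inventory are constructed for illustration.

```python
"""Audit a segmented firewall policy: default deny, explicit allows only,
and flag hosts that bridge segments around the firewall.

Added example; segment names follow the diagram in the message, the rules
and inventory below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Segments from the diagram plus the router-facing "outside".
SEGMENTS = {"outside", "company_a", "company_b", "company_c",
            "dmz", "dmz_a", "dmz_b", "dmz_c", "wifi", "management"}


@dataclass(frozen=True)
class Rule:
    src: str              # source segment
    dst: str              # destination segment
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None means any port


# Explicit allow list (constructed). Anything not matched here is denied.
RULES: List[Rule] = [
    Rule("company_a", "outside", "tcp", 443),     # A browses the web
    Rule("company_a", "dmz_a", "tcp", 443),       # A reaches its own DMZ
    Rule("outside", "dmz_a", "tcp", 443),         # public service in DMZ A
    Rule("management", "dmz", "tcp", 22),         # admins SSH into shared DMZ
    Rule("company_b", "outside", "any", None),    # too broad: flagged below
]

# Constructed host inventory: host name -> set of segments it is attached to.
INVENTORY: Dict[str, Set[str]] = {
    "web-a": {"dmz_a", "management"},   # dual-homed into management
    "fs-b": {"company_b"},
    "mgmt-console": {"management"},
}


def is_allowed(src: str, dst: str, proto: str, dport: int,
               rules: List[Rule] = RULES) -> bool:
    """Default deny: a flow is permitted only if an explicit rule matches."""
    if src not in SEGMENTS or dst not in SEGMENTS:
        raise ValueError(f"unknown segment in flow {src} -> {dst}")
    for r in rules:
        if (r.src == src and r.dst == dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return True
    return False


def unrestricted_rules(rules: List[Rule] = RULES) -> List[Rule]:
    """Rules that grant every protocol and port between two segments,
    which the message says no segment should have (even inside -> outside)."""
    return [r for r in rules if r.proto == "any" and r.dport is None]


def dual_homed_hosts(inventory: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Hosts attached to more than one segment. Traffic between those
    segments can cross the host instead of the firewall."""
    return {h: segs for h, segs in inventory.items() if len(segs) > 1}


if __name__ == "__main__":
    # Sample flows (constructed): only the explicitly allowed ones pass.
    for flow in [("company_a", "outside", "tcp", 443),
                 ("company_a", "company_b", "tcp", 445),
                 ("dmz_a", "company_a", "tcp", 443),
                 ("company_b", "outside", "udp", 53)]:
        print(flow, "ALLOW" if is_allowed(*flow) else "DENY")
    for r in unrestricted_rules():
        print("unrestricted rule:", r)
    for host, segs in dual_homed_hosts(INVENTORY).items():
        print("dual-homed host bypasses firewall:", host, sorted(segs))
```

In practice the rule list would be exported from the firewall and the inventory from a CMDB or from interface configs; the audit itself stays the same: enumerate the allows, reject any that are wildcards in both protocol and port, and list every host with feet in two segments.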

