Best IP configuration for OpenBSD firewall/router

From: Damon McMahon (inst_karma_at_hotmail.com)
Date: 08/17/03

Date: Sun, 17 Aug 2003 13:20:36 +0930
To: security-basics@securityfocus.com

Greetings,

I'm in the process of configuring an old Pentium 75 MHz box to act as
an OpenBSD firewall/gateway for my small office LAN on a 192.168.0.0/24
subnet (I have some *BSD experience with MacOS X).

Presently a Windows 2000 Professional box is doing the job (using the
inbuilt Internet Connection Sharing service) but for some time I
haven't been convinced of the security of this configuration, and the
recently announced Windows RPC flaw has spurred me into action! OK,
that's enough background, my question is:

Is there any advantage of putting the firewall/gateway host on a
different subnet - say, 192.168.1.0/24 - to the rest of the LAN, from a
security perspective?

The easy option seems to put it on the same subnet, say 192.168.0.254
(since 192.168.0.1 is already taken by the existing Windows 2000
gateway); everything communicates with everything in this configuration.

However, part of me thinks it should be intentionally _difficult_ (from
a security perspective) for the firewall/gateway box to communicate
with the rest of the LAN.

Is that misguided?

If this is a good idea (gateway on separate subnet), then how should I
configure the routing tables on the gateway and rest of the LAN so that
everything routes correctly?

Thanks in advance for any assistance.
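An added example, not part of the original post or of OpenBSD, that models the routing question above: a small Python route lookup showing that a host's default gateway must itself be reachable through a connected (on-link) route, so a gateway addressed only on 192.168.1.0/24 is unusable from 192.168.0.0/24 unless the LAN hosts are also given a connected route for that subnet. The host and gateway addresses (192.168.0.10, 192.168.0.254, 192.168.1.254) are constructed for the illustration.

```python
import ipaddress

# A routing table is a list of (network, gateway) tuples; gateway None means
# the network is directly connected to one of the host's interfaces.
# Constructed tables for the two layouts discussed in the post.
ROUTES_SAME_SUBNET = [
    ("192.168.0.0/24", None),          # LAN interface, host is 192.168.0.10
    ("0.0.0.0/0", "192.168.0.254"),    # gateway on the same /24
]
ROUTES_OTHER_SUBNET = [
    ("192.168.0.0/24", None),
    ("0.0.0.0/0", "192.168.1.254"),    # gateway addressed only on 192.168.1.0/24
]
# The only way the second layout routes at all: the LAN hosts also treat
# 192.168.1.0/24 as connected (an alias or extra on-link route).
ROUTES_OTHER_SUBNET_ONLINK = ROUTES_OTHER_SUBNET + [("192.168.1.0/24", None)]


def next_hop(routes, dst):
    """Longest-prefix match; returns the (network, gateway) pair or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def resolve(routes, dst):
    """Resolve a destination the way a simple host stack does.

    Returns 'direct' for a connected destination, the gateway address when
    the matched route's gateway is reachable via a connected route, and
    'unreachable' otherwise (a gateway off every connected subnet cannot be
    ARPed for, so the route is useless even though it matched).
    """
    match = next_hop(routes, dst)
    if match is None:
        return "unreachable"
    _net, gw = match
    if gw is None:
        return "direct"
    via = next_hop(routes, gw)
    if via is None or via[1] is not None:
        return "unreachable"
    return gw


if __name__ == "__main__":
    for name, table in [("same subnet", ROUTES_SAME_SUBNET),
                        ("other subnet", ROUTES_OTHER_SUBNET),
                        ("other subnet + on-link route", ROUTES_OTHER_SUBNET_ONLINK)]:
        print(f"{name}: 8.8.8.8 via {resolve(table, '8.8.8.8')}")
```

Note that the extra on-link route leaves the gateway on the same broadcast domain as the LAN, so the separation is nominal; what actually limits what the LAN can send to the firewall host is the packet filter on the firewall itself.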

