RE: Best IP configuration for OpenBSD firewall/router
From: Jason Armstrong (jarmstrong_at_technicacorp.com)
Date: 08/18/03
- Previous message: MatthewB_at_CallMeIT.com: "RE: Change computer names for security."
- Maybe in reply to: Damon McMahon: "Best IP configuration for OpenBSD firewall/router"
- Next in thread: Arturo \: "RE: Best IP configuration for OpenBSD firewall/router"
- Reply: Arturo \: "RE: Best IP configuration for OpenBSD firewall/router"
To: security-basics@securityfocus.com
Date: Mon, 18 Aug 2003 14:23:37 -0400
I don't see any particular advantage to doing it the way you describe.
In fact I see it as being a bit more troublesome because of the
extra routing you'll have to do.
Granted it would make it slightly more difficult for someone to gain
access to your LAN, but I don't see this as enough of a benefit
considering what little you'll gain.
Jason
-----Original Message-----
From: Damon McMahon [mailto:inst_karma@hotmail.com]
Sent: Saturday, August 16, 2003 11:51 PM
To: security-basics@securityfocus.com
Subject: Best IP configuration for OpenBSD firewall/router
Greetings,
I'm in the process of configuring an old Pentium 75 MHz box to act as
an OpenBSD firewall/gateway for my small office LAN on a 192.168.0.0/24
subnet (I have some *BSD experience with MacOS X).
Presently a Windows 2000 Professional box is doing the job (using the
inbuilt Internet Connection Sharing service) but for some time I
haven't been convinced of the security of this configuration, and the
recently announced Windows RPC flaw has spurred me into action! OK,
that's enough background, my question is:
Is there any advantage of putting the firewall/gateway host on a
different subnet - say, 192.168.1.0/24 - to the rest of the LAN, from a
security perspective?
The easy option seems to put it on the same subnet, say 192.168.0.254
(since 192.168.0.1 is already taken by the existing Windows 2000
gateway); everything communicates with everything in this configuration.
However, part of me thinks it should be intentionally _difficult_ (from
a security perspective) for the firewall/gateway box to communicate
with the rest of the LAN.
Is that misguided?
If this is a good idea (gateway on separate subnet), then how should I
configure the routing tables on the gateway and rest of the LAN so that
everything routes correctly?
Thanks in advance for any assistance.