Re: Firewall Design

From: Keith W. McCammon (km@km.com)
Date: 01/31/02


> OK, I am in the process of starting a new business and am looking for
> the most cost effective way to protect my internal network / etc from
> the web. I am going to have a T-1 connection to the net. I am
> experienced with FreeBSD and Linux and was thinking of using these as
> low cost firewalls. Here is my thought, and I guess I am looking for
> approval on the design.

I would recommend any of the BSDs. For firewall services, I've had
terrific success with OpenBSD, but you should favor that which you know best
and feel comfortable securing and configuring.

> Internet -- Routers -- Etherswitch (off the switch I have my web
> server and firewall)-- LAN
>
> The etherswitch from the router will have the Firewall and my Web
> Servers. The firewall (FreeBSD or Linux) will have 2 NIC cards in it.
> One of the NIC cards will be connected to the same switch the router
> is on, and the second is connected to another switch on the LAN. The
> Firewall will run NAT behind it.

The one flaw with this design is the lack of protection for systems in the
DMZ. An improvement on this plan would be to use a third interface on the
firewall, so that the logical flow of traffic looks like this:

Internet -> Router -> FW -> DMZ -> FW -> LAN

Your DMZ systems should be publicly accessible, but by no means sacrificial
lambs. This design will allow you to use private addressing and packet
filtering in front of your DMZ systems, as well as your internal network.
It will also greatly reduce the total exposure of your total network to the
internet. For an added layer of security, apply packet filters on your
router as well.

It would also be highly advisable to get a second switch, or use VLANs if
the existing switch supports this feature. The key to securing networks of
this nature is segmentation and comprehensive traffic inspection and
control.

> I am also planning on doing DNS services and Mail services. Where
> should these be placed and does that design work for the sake of
> security?

Both of these services should be placed in the DMZ as well.

Cheers,

--
Keith W. McCammon
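A worked pf.conf for the three-interface layout described in the reply above (Internet -> Router -> FW -> DMZ / LAN, private addressing on both inside segments, web, DNS and mail in the DMZ), added here as an example and not taken from the original thread. Interface names, address ranges and the modern OpenBSD pf syntax (match/nat-to/rdr-to) are assumptions.

```pf
# Three-interface firewall: ext_if faces the router, dmz_if the DMZ, lan_if the LAN.
# Interface names and addresses below are assumptions for this example.
ext_if  = "em0"
dmz_if  = "em1"
lan_if  = "em2"

lan_net  = "192.168.1.0/24"
dmz_net  = "192.168.2.0/24"
web_srv  = "192.168.2.10"
dns_srv  = "192.168.2.11"
mail_srv = "192.168.2.12"

set skip on lo
set block-policy drop

# NAT: both private segments leave through the firewall's external address
match out on $ext_if from { $lan_net, $dmz_net } to any nat-to ($ext_if)

# Published services are reached via the external address and redirected into the DMZ
match in on $ext_if proto tcp to ($ext_if) port { 80, 443 } rdr-to $web_srv
match in on $ext_if proto { tcp, udp } to ($ext_if) port 53 rdr-to $dns_srv
match in on $ext_if proto tcp to ($ext_if) port 25 rdr-to $mail_srv

# Default deny; every rule below is an explicit exception
block all
# Drop packets arriving from the Internet that claim an inside source address
block in quick on $ext_if from { $lan_net, $dmz_net }
# DMZ hosts may never initiate connections into the LAN (the second FW hop)
block in quick on $dmz_if from $dmz_net to $lan_net

# Internet -> DMZ: only the published services (filtering sees translated addresses)
pass in on $ext_if proto tcp to $web_srv port { 80, 443 }
pass in on $ext_if proto { tcp, udp } to $dns_srv port 53
pass in on $ext_if proto tcp to $mail_srv port 25

# LAN -> Internet and LAN -> DMZ: internal clients may go anywhere
pass in on $lan_if from $lan_net to any

# DMZ -> Internet: only what the services themselves need
pass in on $dmz_if proto { tcp, udp } from $dns_srv to any port 53
pass in on $dmz_if proto tcp from $mail_srv to any port 25

# Stateful: replies to accepted connections flow back without extra rules
pass out all
```

Load and check it with `pfctl -nf /etc/pf.conf` before enabling; the second `block in quick` is what turns the DMZ into a buffer rather than a bridge into the LAN.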


