Re: Linux Firewall ???

From: Eirik Seim (eirik@mi.uib.no)
Date: 04/09/02


From: eirik@mi.uib.no (Eirik Seim)
Date: 9 Apr 2002 12:57:16 GMT

On Tue, 09 Apr 2002 14:08:24 +0200, Joe Bloggs wrote:
>
> Eirik Seim wrote:
>
> > This is absolutely true, but I like to have the "inside" and "outside" of
> > the firewall on two different cables. You are thinking of having more than
> > one IP on the network interface card, right? Or didn't I get your point?
> >
> > And by the way, the most recent firewalls I configured were on a 100Mbit switch,
> > with a gigabit uplink to the Internet :)
> >
> > > Or... You could even have it as a layer two bridge filter!
> >
> > Sure, but still, I like to have separate cabling for the two network segments,
> > and I would not recommend a single homed firewall solution here, or to a
> > customer. But as you say, it will _work_.
> >
> > Anyone running a setup like this in a production environment? Comments,
> > experiences, etc?
>
> We had an internet facing single homed box with - yes - two separate subnets running
> into the same lan. Worked just fine but this was eventually changed to the classic
> dual style..

Any particular reason for changing this, if it worked ok?

> Come to think of it we also ran filtering bridges separately...
>
> Gigabit to the internet! Nice.. would love to get kazaa on that... but only 100mb to
> the wall? Load balancing maybe? What system were they running and howdit cope?

It's the completely "open" network of the math department at the University of
Bergen, Norway. We have a gigabit backbone, but most network servers and
clients are only 100Mbit. I have no idea what hardware/software to use if
I were to filter the 60-80 GB of daily traffic on the backbone, but I would
probably not try a personal firewall for Windows :)

I know there is at least one Cisco 12000 series in the backbone, but I'm not
certain where the filtering, if any, is performed.

The computers I configured packet filtering on were running Linux and
iptables, handling load just fine. Never did any fine tuning and extensive
testing, but there was no noticeable performance difference after applying
some 10-20 rules.

- Eirik

-- 
New and exciting signature!
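As an added illustration (not part of the original post or thread), the following script shows what a small dual-homed iptables ruleset of the "10-20 rules" kind looks like when inside and outside sit on separate cables, as Eirik prefers. Interface names (eth0/eth1), the inside prefix 192.0.2.0/24 and the IPT variable are assumptions, not taken from the thread. The point it makes concrete is that with two interfaces the filter can reject packets arriving on the outside cable that carry an inside source address; with both subnets on one NIC, -i matches the same interface for both and that check cannot be expressed.

```shell
#!/bin/sh
# Added example: minimal dual-homed Linux/iptables ruleset.
# Not the poster's configuration; interface names and subnet are assumed.
# IPT defaults to "echo iptables" so the rules can be reviewed without
# touching any table; run with IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"
OUTSIDE="${OUTSIDE:-eth0}"                  # cable to the Internet uplink (assumed)
INSIDE="${INSIDE:-eth1}"                    # cable to the department LAN (assumed)
INSIDE_NET="${INSIDE_NET:-192.0.2.0/24}"    # documentation prefix, constructed

firewall_rules() {
    # Default-deny for traffic to and through the box; the box may talk out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X

    # Loopback and replies to flows the firewall already knows about.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: only possible because inside and outside are distinct
    # interfaces. A packet on the outside cable claiming an inside source
    # address is dropped before any service rule is consulted.
    $IPT -A INPUT -i "$OUTSIDE" -s "$INSIDE_NET" -j DROP
    $IPT -A FORWARD -i "$OUTSIDE" -s "$INSIDE_NET" -j DROP

    # Inside hosts may open new connections towards the Internet.
    $IPT -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -s "$INSIDE_NET" -m state --state NEW -j ACCEPT

    # Management of the firewall itself only from the inside cable (SSH);
    # from outside, only new HTTP connections are forwarded into the LAN.
    $IPT -A INPUT -i "$INSIDE" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Log whatever falls through to the DROP policies so it can be reviewed.
    $IPT -A INPUT -j LOG --log-prefix "fw-input-drop: "
    $IPT -A FORWARD -j LOG --log-prefix "fw-forward-drop: "
}

firewall_rules
```

Applying this on a real gateway also needs IP forwarding switched on (net.ipv4.ip_forward=1), which is left out here so the dry run stays side-effect free. The two anti-spoofing lines are the ones a single-NIC, two-subnet layout cannot reproduce: there the only remaining signal is the source address itself, which is exactly the field a spoofed packet controls.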
