Re: Firewall Questions

From: Leythos (void@nowhere.com)
Date: 03/22/03


From: Leythos <void@nowhere.com>
Date: Sat, 22 Mar 2003 14:55:59 GMT

In article <OISea.85523$Kc5.3236475@news2.east.cox.net>,
dpbullington@hotmail.com says...
> Hello and thanks in advance for any info one could offer...
>
> I work for a small company. We have a public class C address allocation. We
> will call it a.b.c.d. We have a T1 coming in into a CSU/DSU, then into a
> Cisco Catalyst 1900 Router. Basically from the router, the network is
> distributed with a few switches. Every server (web, mail, etc and client)
> has public IPs. No firewall.
>
> Ok...the rub: we are moving our office to new location and retaining the
> above configuration but we want to integrate a firewall into the mix to
> protect everything from the router to the inside. We had a local company
> sketch their idea of what they saw as a new network plan. They suggested:
>
> T1 Internet ---> CSU/DSU ---> Router ---> Cisco PIX 506E Firewall (2
> port) ---> Internal LAN (including switches and all servers, and clients)
>
> They want this firewall to be in NAT mode where everything in the LAN
> including our web, mail, and client boxes get a private (we will call it
> w.x.y.z) address scheme, then NAT static map the servers on the PIX with
> public a.b.c.d address to be forwarded in to the w.x.y.z private address.

The people telling you to NAT are doing it RIGHT. I have a class C and
several smaller segments at other locations. You should make sure that
your public servers are in the DMZ under one subnet and your NON-Public
machines are in another segment (LAN) with a different subnet.
 
> The concern I have in this is that we do some web hosting and host our own
> mail server. But we want these services protected. But since we have a class
> C which we won't outgrow anytime soon, are we wise to do this NAT private
> address scheme on the LAN? I had envisioned that the internal LAN use the
> public IPs and no NAT...and, that the firewall would be a transparent (i.e.
> LAN gateway still is router vs. the PIX).

We host about 40 sites on 3 servers using the NAT method - NAT will not
stop you from doing anything, but it will help to protect your system.

> I would like input on this...
>
> Such as is this PIX/NAT a viable solution?

PIX is a pain in the arse, get a Watchguard Firebox 2500. NAT is
something that every company, well, most, does - you don't need a public
IP address for every machine in your company.

> What do we need to do to use our public IP address on the LAN, without NAT
> and still have a firewall protecting everything.

YOU DO NOT NEED TO DO THIS - You "WANT" to do this and it's a bad idea.
Take your network and put it behind two firewalled segments: 1 DMZ -
Public accessed servers, 2 LAN - Your company computers not accessed
from the public internet. Assign 192.168.0.X to the DMZ and 192.168.1.X
to the LAN (or any other private segments you want to use). In case you
want to allow people to VPN into your network, don't use 192.168.0 or
192.168.1, try something like 192.168.5 and 6 for the DMZ/LAN.

> Are there any transparent firewalls on the market that would just sit inline
> between the router and the LAN?

Almost every firewall on the market allows "Drop-In" mode.

> If the PIX/NAT solution is used, will web/mail/etc still be accessible in a
> dependable fashion?

It will be 100% dependable, small and large companies do this all the
time. It's how the world works - I have an Exchange server in my home
and it's sitting on a NAT'ed address - you just apply an SMTP rule,
filter, and forward to the internal (NAT) address. If NAT didn't work,
most of the people on the internet would not be able to get to anything.

One final note: By installing a firewall I bet you'll see your network
performance increase - since hackers won't be able to see your machines
any longer they will stop trying - so this means that your network will
be free of the constant attempts, and that means your network
performance will increase on the inside :)

-- 
Leythos999@columbus.rr.com
(Remove 999 to reply to me)
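The design Leythos describes (router -> firewall -> a DMZ segment for the public servers and a separate LAN segment for staff machines, with the public a.b.c.d addresses statically mapped onto private DMZ hosts and an SMTP/HTTP rule forwarding to them) can be written down as a concrete ruleset. The block below is an added example and is not code from the original post or from Cisco/Watchguard: it uses Linux nftables as a stand-in for the PIX or Firebox, because the same zone and static-NAT concepts apply. The interface names (wan, dmz, lan), the 192.168.5.0/24 and 192.168.6.0/24 segments, and the 203.0.113.0/24 documentation range standing in for the poster's class C are all assumptions. Note that it needs a firewall with three interfaces; the two-port 506E mentioned in the question could not separate DMZ from LAN on its own.

```shell
#!/bin/sh
# Added example (not from the original post): nftables ruleset for the
# reply's recommended layout. Linux/nftables stands in for PIX/Firebox.
# All addresses and interface names are assumptions; 203.0.113.0/24 is
# the TEST-NET-3 documentation range used in place of a.b.c.d.

PUBLIC_GW="203.0.113.1"      # assumed: firewall's public address
PUBLIC_WEB="203.0.113.10"    # assumed: public address mapped to the web server
PUBLIC_MAIL="203.0.113.25"   # assumed: public address mapped to the mail server
DMZ_NET="192.168.5.0/24"     # DMZ segment, as suggested in the reply
LAN_NET="192.168.6.0/24"     # LAN segment, as suggested in the reply
DMZ_WEB="192.168.5.10"
DMZ_MAIL="192.168.5.25"

# Emit the ruleset as text so it can be reviewed (or checked) before loading.
gen_ruleset() {
  cat <<EOF
table inet fw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Internet -> DMZ: only the statically mapped services (after DNAT)
    iifname "wan" oifname "dmz" ip daddr $DMZ_WEB tcp dport { 80, 443 } accept
    iifname "wan" oifname "dmz" ip daddr $DMZ_MAIL tcp dport 25 accept
    # LAN may reach the DMZ and the Internet; DMZ may reach the Internet only
    iifname "lan" accept
    iifname "dmz" oifname "wan" accept
    # No dmz -> lan rule on purpose: a compromised public server must not
    # be able to reach the internal network.
    log prefix "fw-drop: " drop
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    # Static mappings: public a.b.c.d addresses forwarded to DMZ hosts
    iifname "wan" ip daddr $PUBLIC_WEB tcp dport { 80, 443 } dnat to $DMZ_WEB
    iifname "wan" ip daddr $PUBLIC_MAIL tcp dport 25 dnat to $DMZ_MAIL
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    # Servers keep a fixed public source address (e.g. outbound SMTP);
    # everything else is hidden behind the firewall's own address.
    oifname "wan" ip saddr $DMZ_WEB snat to $PUBLIC_WEB
    oifname "wan" ip saddr $DMZ_MAIL snat to $PUBLIC_MAIL
    oifname "wan" ip saddr { $DMZ_NET, $LAN_NET } snat to $PUBLIC_GW
  }
}
EOF
}

# Policy check that runs without root or nft: every DNAT target must have a
# matching forward-accept rule, and nothing may forward dmz -> lan.
check_ruleset() {
  rs=$(gen_ruleset)
  for host in $DMZ_WEB $DMZ_MAIL; do
    printf '%s\n' "$rs" | grep -q "dnat to $host" || return 1
    printf '%s\n' "$rs" | grep -q "oifname \"dmz\" ip daddr $host" || return 1
  done
  printf '%s\n' "$rs" | grep -q 'iifname "dmz" oifname "lan"' && return 1
  return 0
}

# Syntax-only check (-c) when nft is installed; nothing is loaded.
nft_check() {
  command -v nft >/dev/null 2>&1 || return 0
  gen_ruleset | nft -c -f -
}
```

Run `gen_ruleset > fw.nft` to review the text, `check_ruleset && nft_check` before loading, and `nft -f fw.nft` on the firewall itself. The point to verify on any product, PIX included, is the absent DMZ-to-LAN path: static NAT exposes exactly the listed ports to the Internet, and the LAN segment stays unreachable from the DMZ even if a hosted server is compromised.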

