Re: Using two internet connections with one firewall
From: Richard H Miller (rick_at_bcm.tmc.edu)
Date: 06/10/03
- Next message: chrisclu: "Re: Believe I'll Try OUTPOST!!"
- Previous message: ObiWan: "Re: Server Firewall"
- In reply to: Bob Moriarty: "Re: Using two internet connections with one firewall"
- Next in thread: Q: "Re: Using two internet connections with one firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 10 Jun 2003 15:16:28 GMT
Bob Moriarty (Bob@NJ-Networks.com) wrote:
: "Darren Bray" <darrenb@fwbaker.co.uk> wrote in message
: news:6e50cc6e.0306090736.69530011@posting.google.com...
: > Hi all hope you can help with this:
: >
: > I currently have FW1 with 3 nics (Internet,DMZ,LAN)
: >
: > We have recently added a second internet connection (satellite) to the
: > network to get rid of some bandwidth problems we were experiencing.
: > (Upgrading the Kilostream was too expensive)
: >
: > The issue with this is that the LAN is not protected by the firewall
: > any more and obviously poses a BIG security threat.
: >
: > In a separate project I was looking at replacing the FW1 with a
: > sonicwall box, but understand that the sonicwalls only have 3 NICs
: > and so I won't be able to add the satellite link to the Firewall. If I
: > stick with the FW1 setup, then I would have to look at solutions for
: > covering the satellite I would imagine using a fourth NIC.
: >
: > Another option is to keep the FW1 box for kilostream, and add a
: > sonicwall for the DMZ
: >
: > Can anyone give me an insight as to the best way of handling this
: > issue?
: >
: > Thanks
: >
: > Darren
: You need a separate firewall for each internet connection. Connect the LAN
: sides of the firewalls to a hub/switch and then into another router. Connect
: the rest of the LAN downstream from this router. If you are dhcp booting,
: you should do it from the inside router. You'll have to manually add routes
: to the router to specify both paths unless the devices support RIP.
This is not correct [for FW-1 and several other firewalls as well]. All you need is
a separate interface if you need a different security policy for the two internet
connections or a router with an interface to the firewall [for policy], interfaces
to the two internet connections and appropriate routing information.
Your approach is an alternative but I would advise placing the router above the
firewall and reduce the requirement for a second firewall as well as the fun of
maintaining appropriate routes inside your perimeter. You eliminate also the
need for a switch/hub inside.
For Mr. Bray, the most appropriate approach [I think based on what he has said]
is to add a fourth interface to the FW-1 and then modify the policy appropriately.
FW-1 has no concept of external, internal, DMZ or whatever and simply applies the
appropriate policy decision based on source and destination. The only exception is
if you are using a license limited to a set number of IPs. In this case, you can have
one 'external' interface. This will be the interface for which distinct IPs are not
counted. The router solution might be best in this case.
Richard H. Miller, MCSE, CCSA
Information Security Manager
Information Technology Security and Compliance
Information Technology - Baylor College of Medicine
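The following is an added illustration, not code from this thread or from FW-1 itself: a small Python model of the fourth-interface design Richard describes. It shows a rulebase that decides on source and destination only (no notion of "external" or "internal" interface) sitting beside a routing table that picks which of the two uplinks a flow leaves through. All addresses, interface names, the bulk-traffic prefix routed via the satellite link, and the rules are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical addressing, constructed for this example (not from the thread).
LAN = ipaddress.ip_network("10.0.0.0/24")
DMZ = ipaddress.ip_network("192.0.2.0/24")
KILOSTREAM_LINK = ipaddress.ip_network("203.0.113.0/30")
SATELLITE_LINK = ipaddress.ip_network("198.51.100.0/30")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Routing table: (destination prefix, egress interface). The fourth interface
# needs only a connected route plus whatever prefixes should prefer the
# satellite link; everything else follows the default route over the leased line.
ROUTES = [
    (LAN, "lan"),
    (DMZ, "dmz"),
    (KILOSTREAM_LINK, "kilostream"),
    (SATELLITE_LINK, "satellite"),
    (ipaddress.ip_network("198.18.0.0/15"), "satellite"),  # bulk-traffic prefix (constructed)
    (ANY, "kilostream"),                                    # default route
]

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    service: str   # "tcp/80", "tcp/25", ... or "any"
    action: str    # "accept" or "drop"

# Rulebase in FW-1 style: first match wins, evaluated on source/destination only,
# with no regard to which interface the packet arrived on.
RULES = [
    Rule(LAN, ANY, "tcp/80", "accept"),   # LAN may browse out over either uplink
    Rule(ANY, DMZ, "tcp/25", "accept"),   # anyone may deliver mail to the DMZ
    Rule(ANY, ANY, "any", "drop"),        # cleanup rule: everything else is dropped
]

def egress_interface(dst: str) -> str:
    """Longest-prefix-match lookup of the interface a destination is reached through."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def decide(src: str, dst: str, service: str) -> tuple[str, str]:
    """Return (action, egress interface) for a flow, as a src/dst rulebase would."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in RULES:
        if s in rule.src and d in rule.dst and rule.service in ("any", service):
            return rule.action, egress_interface(dst)
    raise RuntimeError("no matching rule; the rulebase lacks a cleanup rule")

def has_cleanup_rule(rules: list[Rule]) -> bool:
    """Check that the rulebase ends with an explicit any/any drop so nothing falls through."""
    last = rules[-1]
    return (last.src == ANY and last.dst == ANY
            and last.service == "any" and last.action == "drop")

if __name__ == "__main__":
    assert has_cleanup_rule(RULES)
    flows = [
        ("10.0.0.5", "203.0.113.50", "tcp/80"),     # LAN -> web, follows the default route
        ("10.0.0.5", "198.18.1.1", "tcp/80"),       # LAN -> bulk prefix, preferred via satellite
        ("198.51.100.200", "10.0.0.5", "tcp/445"),  # inbound from the satellite side, to the LAN
        ("203.0.113.77", "192.0.2.10", "tcp/25"),   # inbound mail to the DMZ
    ]
    for src, dst, svc in flows:
        action, iface = decide(src, dst, svc)
        print(f"{src:>15} -> {dst:<14} {svc:<8} {action:<6} via {iface}")
```

The point the model makes is that once the satellite link terminates on the firewall, an inbound flow toward the LAN is dropped by the same cleanup rule whether it arrives over the leased line or the satellite; only the routing table, not the security policy, has to know there are two uplinks. The `has_cleanup_rule` check is the one thing worth running after any rulebase edit, since a rulebase without a terminal drop is exactly the state in which a new interface quietly exposes the LAN.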