Re: Cascading firewalls



On Mon, 05 Dec 2005 15:05:44 +0000, jKILLSPAM.schipper wrote:

> Gearoid <gp_lally@xxxxx> wrote:
>> Hello
>>
>> I'm running Smoothwall Express 2 and would like to run a second "firewall"
>> or proxy server behind it, mainly to filter out inappropriate content for
>> children. I am using a separate Linux box (SuSE 10) with Squid and
>> DansGuardian (www.dansguardian.org) for this purpose.
>>
>> I think the normal way of connecting this lot is to have the second
>> Smoothwall NIC running to a switch and to have all the other PCs on the LAN,
>> *including* the proxy, running to the same switch, with redirecting going on
>> in the firewall to restrict outward access to proxy only. I don't
>> understand much about redirecting, and I was wondering if it is possible to
>> connect the machines another way, like this:
>>
>> |
>> |
>> |
>> Smoothwall External Interface (DHCP assigned IP from ISP)
>> |
>> Smoothwall Internal NIC (Static, eg. 192.168.0.1)
>> |
>> |
>> [[[Crossover cable]]]
>> |
>> |
>> Squid\DG box External NIC (DHCP from Smoothwall eg. 192.168.0.200)
>> |
>> Squid\DG box Internal NIC (Static, eg. 192.168.40.1)
>> |
>> |
>> [[[24-port switch]]]
>> |
>> |
>> Clients (DHCP from Squid\DG eg. 192.168.40.100, 192.168.40.99, etc.)
>>
>> Would this work, and would it be considered more secure than having
>> firewalling and proxying on the one machine?
>>
>> I understand I need to enable IP masquerading on the Squid\DG box to route
>> traffic from the LAN to Smoothwall. How do I go about this, and do I need
>> to enable the firewall on the Squid\DG box as well, at least for the
>> internal network? And finally, besides the static IP on the internal NIC of
>> the Squid\DG box do I need to assign a gateway statically as well, and if
>> so, what gateway? The Smoothwall internal NIC, or the Squid\DG external
>> NIC?
>>
>> Thank you for taking the time to read this. My apologies if it isn't
>> entirely firewall-related.
>
> This would work, yes. And not having firewall and proxy on the same
> machine is a good thing, as the firewall will still protect you
> somewhat.
>
> However, it would be better to have the proxy server segmented from the
> LAN, as a compromised proxy server - and, let's face it, Squid is not
> unbreakable - would grant total access to the LAN, no matter if the
> firewall is 'in front of' the proxy server or the same machine. In fact,
> in the first scenario, only egress filtering would continue to work
> somewhat, and even then, a skilled attacker can always open some form of
> tunnel into your network.
>
> You are proposing this:
>
> The net
> |
> FW
> |
> Proxy
> |
> LAN
>
> Which is better than
>
> The net
> |
> FW+Proxy
> |
> LAN
>
> but not quite as good as
>
> The net
> |
> FW---- Proxy
> |
> LAN

which is not as good as:

Internet
|
external packet-filter
|
+-------Proxy/ALG with 1 NIC
|
internal packet-filter
|
LAN


which is not as good as:

Internet
|
external packet-filter
|
Application Level Gateway with 2 NICs
|
internal packet-filter
|
LAN

Wolfgang
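As an added illustration (not code from the thread, from Smoothwall or from DansGuardian), the following script prints iptables rule sets for two of the layouts discussed: the two-NIC Squid/DansGuardian box from the question, which needs IP forwarding and masquerading to route the LAN towards Smoothwall, and the three-legged packet filter with the proxy on its own segment that the replies prefer. Interface names, addresses, the proxy port and the Smoothwall gateway address are assumptions chosen to match the private ranges used in the question; the rules are printed rather than executed so they can be reviewed before being piped into `sh`.

```shell
#!/bin/sh
# Added example, not part of the thread. Interface names, addresses and the
# proxy port are assumptions; adapt them before use. Each function prints
# its rules, so review with e.g. "segmented_fw_rules" and apply with
# "segmented_fw_rules | sh".

# --- Layout 1: the two-NIC proxy box from the question -------------------
PROXY_EXT_IF=eth0              # towards Smoothwall, 192.168.0.200 via DHCP
PROXY_LAN_IF=eth1              # towards the clients, 192.168.40.1 static
SMOOTHWALL_GREEN=192.168.0.1   # assumed gateway (normally handed out by DHCP)
PROXY_PORT=8080                # DansGuardian listener (assumed)

proxy_box_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip route replace default via $SMOOTHWALL_GREEN dev $PROXY_EXT_IF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# clients may only talk to the content filter on this box
iptables -A INPUT -i $PROXY_LAN_IF -p tcp --dport $PROXY_PORT -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# forward only DNS for the clients; web traffic has to go through the proxy
iptables -A FORWARD -i $PROXY_LAN_IF -o $PROXY_EXT_IF -p udp --dport 53 -j ACCEPT
# Smoothwall knows nothing about 192.168.40.0/24, so hide it behind this box
iptables -t nat -A POSTROUTING -o $PROXY_EXT_IF -j MASQUERADE
EOF
}

# --- Layout 2: packet filter with the proxy on its own segment -----------
EXT_IF=eth0                    # to the ISP
LAN_IF=eth1                    # 192.168.40.0/24, the clients
DMZ_IF=eth2                    # 192.168.0.0/24, only the proxy lives here
PROXY_IP=192.168.0.200

segmented_fw_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# the LAN may reach nothing but the filtering proxy
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
# the proxy may fetch pages and resolve names on the Internet, nothing else
iptables -A FORWARD -i $DMZ_IF -o $EXT_IF -s $PROXY_IP -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $EXT_IF -s $PROXY_IP -p udp --dport 53 -j ACCEPT
# a compromised proxy must not be able to open connections into the LAN
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
EOF
}

# rules_allow RULEFUNC IN_IF OUT_IF: succeeds if the printed policy contains an
# ACCEPT rule for traffic entering IN_IF and leaving OUT_IF (a quick review aid)
rules_allow() {
    "$1" | grep -v '^#' | grep -- "-i $2 -o $3 " | grep -q -- '-j ACCEPT'
}
```

`rules_allow segmented_fw_rules eth1 eth2` succeeds (LAN to proxy) while `rules_allow segmented_fw_rules eth2 eth1` fails, which is the property the replies are after: the proxy segment cannot initiate anything towards the LAN, whereas in layout 1 the proxy box itself is the LAN's router.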




