Re: DMZ - Network topology
From: Adie (a_usenetizen@hotmail.com)
Date: 02/21/03
- Previous message: BPHQ - Paul: "Re: IIS Stopped Occasionally"
- In reply to: Karl Levinson [x y] mvp: "Re: DMZ - Network topology"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Adie <a_usenetizen@hotmail.com> Date: Fri, 21 Feb 2003 07:54:32 +0000
Karl Levinson [x y] mvp wrote:
>"Adie" <a_usenetizen@hotmail.com> wrote in message
>news:312a5vkvbkqf3p822ql0407k9u03vjkvi6@4ax.com...
>
>> Hi Jeff, unfortunately I haven't purchased the firewall yet, so reading
>> the docs is impossible. Just looking for general information before I make
>> any decisions on which way to go about the design.
>
>Well, you're not going to get the best security if you try to design the
>firewall with no firewall experience. However, depending on your needs and
>your budget, this might be enough security for you. [It might or might not
>be enough to prevent hacking, it's hard to say.] Getting help, free or
>paid, from someone knowledgeable in the area is helpful. [Note though that
>there are plenty of paid consultants that don't know how to set up a
>firewall securely either.]
>
>Having said that, different firewalls have different features and use
>somewhat different methods for protection. If you are planning to configure
>and support this firewall yourself, best try to identify a major firewall
>manufacturer that is known for ease of support and configuration... and
>probably a good GUI. I might recommend www.netscreen.com 5XP which starts
>around $500 US. You'll be hard pressed to find a cheaper firewall than that
>that has an acceptable GUI and feature set, unless you go with something
>from www.netgear.com or even www.linksys.com. If you want to go more
>expensive, you could consider a Nortel Contivity switch, Nokia IP device or
>something from intrusion.com, which all generally start around $800 to $1200
>US. The devices over $500 listed here typically come with VPN for faster
>remote access to the office network while out of the office.
>
>If you're a beginner to this and you're the main support for this, I'd
>probably stay away from Cisco and Microsoft ISA.
>
>At those prices, though, you're probably not going to get a real DMZ, unless
>you buy two of the firewalls. Note that there are two common DMZ setups...
>one setup is a single firewall with a third network card that goes to the
>isolated DMZ network, and another setup is two firewalls with at least two
>network interfaces each, and the DMZ is often the network in between the two
>firewalls. However, in each case, the amount of security you have depends
>on how well you set up the rules on each firewall. These are probably not
>the only two DMZ setups, but it's a start and should be pretty secure.
>Getting a firewall with a third network interface for a DMZ usually costs
>extra, sometimes a lot extra.
>
>One very inexpensive solution would be to download and try a free linux
>firewall that boots off of a boot CD or floppy and runs on an old 486 or 586
>computer. The advantage here is that you can afford to do all sorts of
>fancy things that would cost a lot with other firewalls, like add a third
>network card, have a spare firewall in case of hardware failure, build a
>better DMZ using more than one firewall, etc. Even though these are linux,
>some of them claim to have an easy to use GUI aimed at home and small office
>users. Also, most cities have third party tech support consultants that
>should support Linux firewalls, even perhaps allowing 24x7 on-site tech
>support, something you won't get typically from other vendors. The
>disadvantage is that if something goes wrong, you'd want to know linux.
>
>http://securityadmin.info/faq.htm#firewall
Thanks, that's extremely helpful. I have a little experience with Linux
programming, but not much at all in administration. I was thinking of this
kind of topology, but I've sort of just pulled it out of the hat without too
much research.
        [ADSL NAT Router]
                |
            [Switch]
            /      \
   [web server]   [firewall]
                      |
               [16 port switch]
                      |
                 [ ethernet ]
I was then planning on making rules in the firewall limiting how the web
server could talk to the database server on the LAN.
Does the above setup offer anything other than superfluous protection?
I think ideally I need the time to read the O'Reilly Firewall book,
unfortunately I'm on the home run to finishing college so my time is kinda
limited and they don't want to spend any extra money on outside help.
The imperative security issue is the LAN, the web server can be trashed
for all I care, it isn't running mission critical apps, more of an added
service to employees out in the field, a 24 downtime period wouldn't hurt,
but a break-in to the LAN would.
Hmmm, what to do, what to do... Thanks for the time BTW.
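Added example, not from either poster: a first-match rule list for the topology above (web server outside the firewall, database on the LAN), with a small evaluator so the "only the web server, only to the database, only on the database port" policy can be checked before it goes onto a box. Addresses, the database port (3306) and the FORWARD-chain rendering for a Linux iptables firewall are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the zones in the diagram (assumptions, not real hosts).
ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ_WEB = ipaddress.ip_network("192.168.1.10/32")  # web server, on the router side
LAN = ipaddress.ip_network("10.0.0.0/24")          # office LAN behind the firewall
LAN_DB = ipaddress.ip_network("10.0.0.5/32")       # database server on the LAN

@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None matches any destination port
    action: str            # "accept" or "drop"

# Evaluated top to bottom, first match wins. The only hole into the LAN from
# the router side is web server -> database server on the database port.
# A real firewall also needs a rule accepting ESTABLISHED/RELATED return
# traffic; that state tracking is left out of this simulator on purpose.
RULES = [
    Rule(DMZ_WEB, LAN_DB, 3306, "accept"),  # web app -> database (port assumed)
    Rule(LAN, ANY, None, "accept"),         # LAN-initiated outbound is allowed
    Rule(ANY, LAN, None, "drop"),           # nothing else reaches the LAN
]

def decide(src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching rule; default policy is drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "drop"

def to_iptables(r: Rule) -> str:
    """Render one rule as an iptables FORWARD-chain command (Linux firewall case)."""
    port = f" -p tcp --dport {r.dport}" if r.dport is not None else ""
    return f"iptables -A FORWARD -s {r.src} -d {r.dst}{port} -j {r.action.upper()}"

if __name__ == "__main__":
    for r in RULES:
        print(to_iptables(r))
    # A compromised web server gets the database port and nothing else on the LAN.
    print(decide("192.168.1.10", "10.0.0.5", 3306), decide("192.168.1.10", "10.0.0.7", 22))
```

Run the drop cases against every rule change: the web server being "trashable" only holds while a takeover of it cannot reach any LAN host other than the database port.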