--- Jeremy Fowler wrote:
So your router and firewall are two separate machines?
Seems redundant to me; most firewalls do routing as well.
The only reason you would need a router is if the firewall wasn't on the same subnet.
No, it's standard practice for the ultraparanoid.
The idea is, if your outer wall is compromised, hopefully you can limit the damage before Kevin Mitnick gets all the way into your shorts.
You might want to put a honeypot in there too.
Not in this scenario. The firewall is on the SAME subnet as the router and hosts. If the firewall was compromised, there would be nothing stopping it from attacking the rest of the hosts. In order to establish a DMZ, he needs to place the firewall on a separate subnet off from the rest of the network for it to be secured like in my second example.
If the firewall is compromised there is no way to prevent any computer connected to any network that has internet access from being attacked, no matter how elegant your network design. I find it is better to use a simple network plan from a save-yourself-headaches perspective.
I much prefer this type of setup:
          +----------+
          | internet |
          +----------+
               |
               |
            firewall                    honeypot
          +------------+             +-----------+
          | 10.1.1.1   | ------      | 10.1.1.10 |   (switch 1)
          +------------+             +-----------+
               |
               |
          +-----------+
          | 10.1.1.2/ |   router
          | 172.1.1.1 |   (two nics)
          +-----------+
               |
               |
          +----------+
          | localnet |   (switch 2)
          +----------+

However, I do not have a honeypot currently and hence no need to separate the firewall and router, thus negating the need for two switches. Also, I use my firewall/router as the gateway, so one of the two nics has a real world ip and the other is to the local lan.
From what I can see of the network described here, the firewall is the gateway to the internet, but there is something missing from the description. I see the router as a useless box on the network, and any pc connected to the network can bypass the router and route directly through the firewall.
This is the network I see described.
    (internet) ---- (cablemodem)
                         |
                         |
                  [ real ip addr ]
               (gateway/firewall?)
                    [10.1.1.1]
                         |
          _______________|_______________
          |              |              |
      10.1.1.30      10.1.1.10      10.1.1.2
       host 1         host 3         host 2
                                    (router)
Now an intelligent ip protocol will bypass the router once it has found the gateway, so traffic only goes through the router the first time. Correct me if I'm wrong in any of this. I don't see the internet gateway in the description of the LAN anywhere, so I've assumed that the firewall is the gateway. I see only the firewall with a local address connected to the cable modem, which I don't think will work the way described. Something here has to be connected to two networks (LAN & internet).
Brian JD
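As an added example (not code from any poster in this thread), here is a small Python model of the two layouts drawn above. The localnet host addresses (172.1.1.30, 172.1.1.31) are constructed, since the diagrams do not list them. It reports which devices a compromised firewall could address directly on a shared subnet, and which ones sit behind the two-nic router, where the router becomes the one place filtering can still be applied.

```python
import ipaddress
from collections import defaultdict

# Constructed model of the segmented design: device -> its interface
# addresses. Devices sharing a prefix are on one broadcast domain and
# can address each other without any router in between.
SEGMENTED = {
    "firewall": ["10.1.1.1/24"],
    "honeypot": ["10.1.1.10/24"],
    "router":   ["10.1.1.2/24", "172.1.1.1/24"],   # two nics
    "host1":    ["172.1.1.30/24"],                  # constructed localnet host
    "host2":    ["172.1.1.31/24"],                  # constructed localnet host
}

# Constructed model of the flat design: everything, router included,
# sits on the same 10.1.1.0/24 as the firewall.
FLAT = {
    "firewall": ["10.1.1.1/24"],
    "host1":    ["10.1.1.30/24"],
    "host3":    ["10.1.1.10/24"],
    "host2":    ["10.1.1.2/24"],    # the "router", on the same subnet
}

def l2_neighbours(topology):
    """Map each device to the set of devices sharing at least one subnet with it."""
    by_net = defaultdict(set)
    for dev, addrs in topology.items():
        for a in addrs:
            by_net[ipaddress.ip_interface(a).network].add(dev)
    neigh = {dev: set() for dev in topology}
    for members in by_net.values():
        for dev in members:
            neigh[dev] |= members - {dev}
    return neigh

def blast_radius(topology, compromised):
    """Return (direct, behind): devices addressable straight from the
    compromised box, and devices reachable only by hopping through
    another device, mapped to (hop device, hop count)."""
    neigh = l2_neighbours(topology)
    direct = neigh[compromised]
    seen, frontier, hops, behind = {compromised} | direct, set(direct), 0, {}
    while frontier:
        hops, nxt = hops + 1, set()
        for d in frontier:
            for n in neigh[d] - seen:
                seen.add(n)
                behind[n] = (d, hops)
                nxt.add(n)
        frontier = nxt
    return sorted(direct), behind
```

In the flat layout every host is in `direct`; in the segmented layout only the honeypot and the router are, and the localnet hosts show up in `behind` via the router.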