So your router and firewall are two separate machines?
Seems redundant to me, most firewalls do routing as well. The only reason you would need a router is if the firewall wasn't on the same subnet.
No, it's standard practice for the ultraparanoid.
The idea is, if your outer wall is compromised, hopefully you can limit the damage before Kevin Mitnick gets all the way into your shorts.
You might want to put a honeypot in there too.
Not in this scenario. The firewall is on the SAME subnet as the router and hosts. If the firewall was compromised, there would be nothing stopping it from attacking the rest of the hosts. In order to establish a DMZ, he needs to place the firewall on a separate subnet off from the rest of the network for it to be secured like in my second example. He would need to VLAN off that connection as well, or use a separate switch not connected to the LAN.
I am part way to the actual goal of one of the following:
put another NIC in the router and that new NIC goes physically to the firewall on its own subnet
put the firewall on its own subnet and dual home the single NIC in the router
Just haven't had time to figure out which is best and learn the revisions needed to the iptables rules and routing and subnet masking etc.
Most of my setups are automated with scripts. Clients get their IPs with DHCP; this includes mask, subnet, time server and router. Wish I could also require an ID/pass to get an IP :)
--- Jeremy Fowler wrote:
So your router and firewall are two separate machines?
Seems redundant to me, most firewalls do routing as well. The only reason you would need a router is if the firewall wasn't on the same subnet.
No, it's standard practice for the ultraparanoid.
The idea is, if your outer wall is compromised, hopefully you can limit the damage before Kevin Mitnick gets all the way into your shorts.
You might want to put a honeypot in there too.
Not in this scenario. The firewall is on the SAME subnet as the router and hosts. If the firewall was compromised, there would be nothing stopping it from attacking the rest of the hosts. In order to establish a DMZ, he needs to place the firewall on a separate subnet off from the rest of the network for it to be secured like in my second example.
If the firewall is compromised there is no way to prevent any computer connected to any network that has internet access from being attacked, no matter how elegant your network design. I find that it is better to use a simple network plan from a save-yourself-headaches perspective.
I much prefer this type of setup:

      +----------+
      | internet |
      +----------+
           |
           |
        firewall                    honeypot
      +------------+             +-----------+
      | 10.1.1.1   | ----------- | 10.1.1.10 |   (switch 1)
      +------------+             +-----------+
           |
           |
      +-----------+
      | 10.1.1.2/ |   router
      | 172.1.1.1 |   (two nics)
      +-----------+
           |
           |
      +----------+
      | localnet |   (switch 2)
      +----------+

However, I do not have a honeypot currently and hence no need to separate the firewall and router, thus negating the need for two switches. Also, I use my firewall/router as the gateway, so one of the two nics has a real world IP and the other is to the local LAN.
From what I can see of the network here described, the firewall is the gateway to the internet, but there is something missing from the description. I see the router as a useless box on the network, and any PC connected to the network can bypass the router and route directly through the firewall.
This is the network I see described.
    (internet) ---- (cablemodem)
                         |
                         |
                  [ real ip addr ]
                (gateway/firewall?)
                    [10.1.1.1]
                         |
          _______________|_________________
          |              |                |
      10.1.1.30      10.1.1.10        10.1.1.2
       host 1         host 3           host 2
                                      (router)
Now an intelligent IP protocol will bypass the router once it has found the gateway, so traffic only goes through the router the first time. Correct me if I'm wrong in any of this. I don't see the internet gateway in the description of the LAN anywhere, so I've assumed that the firewall is the gateway. I see only the firewall with a local address connected to the cable modem, which I don't think will work the way described. Something here has to be connected to two networks (LAN & internet).
Brian JD
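To make concrete the point argued above (Brian's reading that hosts on the flat 10.1.1.0/24 LAN never touch the router, and Jeremy's point that the firewall must sit on its own subnet), here is an added example that is not from any poster in this thread: a longest-prefix-match routing decision run over both topologies, using the addresses from the diagrams. The localnet prefix 172.1.1.0/24, the interface names and the outside address 8.8.8.8 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[str]  # None means directly connected: deliver on-link
    dev: str

def r(prefix, via, dev):
    return Route(ipaddress.ip_network(prefix), via, dev)

def next_hop(table, dst):
    """Longest-prefix match, as a host IP stack does it: the most specific
    matching route wins, so an on-link /24 beats the default route."""
    d = ipaddress.ip_address(dst)
    candidates = [rt for rt in table if d in rt.prefix]
    if not candidates:
        raise ValueError(f"no route to {dst}")
    best = max(candidates, key=lambda rt: rt.prefix.prefixlen)
    return dst if best.via is None else best.via

def trace(start, tables, dst, limit=8):
    """Follow the forwarding decision hop by hop; returns the next hops the
    packet is handed to before on-link delivery or leaving the modelled nodes."""
    hops, table = [], start
    for _ in range(limit):
        nh = next_hop(table, dst)
        if nh == dst:  # destination is on-link: delivered directly
            return hops
        hops.append(nh)
        if nh not in tables:  # e.g. the firewall's outside, not modelled
            return hops
        table = tables[nh]
    raise RuntimeError("routing loop")

# Flat LAN as Brian reads it: hosts, router (10.1.1.2) and firewall (10.1.1.1)
# all share 10.1.1.0/24 and hosts default-route straight to the firewall.
FLAT_HOST = [r("10.1.1.0/24", None, "eth0"), r("0.0.0.0/0", "10.1.1.1", "eth0")]
FLAT_NODES = {"10.1.1.2": FLAT_HOST}  # the router's table; never consulted

# Segmented design from the diagram: localnet (172.1.1.0/24, constructed) sits
# behind the two-NIC router (172.1.1.1 / 10.1.1.2), the only node that shares
# 10.1.1.0/24 with the firewall and the honeypot.
SEG_HOST = [r("172.1.1.0/24", None, "eth0"), r("0.0.0.0/0", "172.1.1.1", "eth0")]
SEG_NODES = {"172.1.1.1": [r("172.1.1.0/24", None, "eth1"),
                           r("10.1.1.0/24", None, "eth0"),
                           r("0.0.0.0/0", "10.1.1.1", "eth0")]}
```

In the flat layout a host reaches the honeypot and the firewall with no intermediate hop, so nothing on the router can filter that traffic; in the segmented layout every packet from localnet, including one aimed at 10.1.1.10, is handed to the router first.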
The piece of the puzzle that appears absent from your communicated understanding of the situation in discussion is that the box that is talking to the internet is doing network address translation, so even an IP stack that would bypass a hop if it can will do no such thing.
--- David Nicol wrote:
Now an intelligent IP protocol will bypass the router once it has found the gateway, so traffic only goes through the router the first time. Correct me if I'm wrong in any of this. I don't see the internet gateway in the description of the LAN anywhere, so I've assumed that the firewall is the gateway. I see only the firewall with a local address connected to the cable modem, which I don't think will work the way described. Something here has to be connected to two networks (LAN & internet).
Brian JD
The piece of the puzzle that appears absent from your communicated understanding of the situation in discussion is that the box that is talking to the internet is doing network address translation, so even an IP stack that would bypass a hop if it can will do no such thing.
That's an incorrect conclusion. The place where NAT will happen is only on the firewall, unless the router is also running a firewall. I didn't see that in the specs of the network in question. While the NAT machine is going to translate the local address, and there really is no way to skip the firewall (if the network is configured properly), I was stating that the router isn't part of the communications after the initial connection. Depending on the rules in the firewall, it is possible to prevent any outgoing packet from any location other than the router; however, this may break connections. I think that a route can only prevent "initial" connections coming from any PC other than the router. I'd have to go and read the RFCs, but IIRC once a connection is "established" it will bypass the router if that makes a shorter route. This is what you *want* to happen anyway, if your router is separate from the firewall. If the firewall is compromised though, all bets are off. Of course, it's easy to test my hypothesis by running Ethereal on the router, firewall and client PC.
Brian JD
On 9/5/05, Jack quiet_celt@yahoo.com wrote:
read the RFCs, but IIRC once a connection is "established" it will bypass the router if that makes a shorter route. This is what you *want* to happen anyway, if your router is separate from the firewall. If the firewall is compromised though, all bets are off. Of course, it's easy to test my hypothesis by running Ethereal on the router, firewall and client PC.
Brian JD
What gets bypassed with established TCP connections is the firewall rules, as an optimization for reducing CPU load on firewall machines. That's TCP connections, not routes. Routes must involve routers unless there is a direct connection (or faking of a direct connection through VPN bridging or something like that).
Ummm... no. Wrong on both accounts. See Jeremy's post about source-routing for one method. The firewall rules are never bypassed, that's why you need rules to specifically allow "established" connections. It is also why when writing your rules you want to put those rules near the top so that established connections don't have to run the entire gamut of the ruleset to get an up/down vote on whether to accept. Now maybe some firewalls resort the rules to get this behavior, but I haven't seen this with any Linux software firewalls.
Brian

--- David Nicol davidnicol@gmail.com wrote:
On 9/5/05, Jack quiet_celt@yahoo.com wrote:
read the RFCs, but IIRC once a connection is "established" it will bypass the router if that makes a shorter route. This is what you *want* to happen anyway, if your router is separate from the firewall. If the firewall is compromised though, all bets are off. Of course, it's easy to test my hypothesis by running Ethereal on the router, firewall and client PC.
Brian JD
What gets bypassed with established TCP connections is the firewall rules, as an optimization for reducing CPU load on firewall machines. That's TCP connections, not routes. Routes must involve routers unless there is a direct connection (or faking of a direct connection through VPN bridging or something like that).