routing problem - fork on gateways

hanasaki hanasaki at hanaden.com
Wed Aug 31 16:06:21 CDT 2005


I am part way to the actual goal of one of the following:

put another NIC in the router and that new NIC goes physically to the
firewall on its own subnet

put the firewall on its own subnet and dual home the single NIC in the
router

Just haven't had time to figure out which is best and learn the
revisions needed to the iptables rules and routing and subnet masking etc.

most of my setups are automated with scripts.  clients get their IPs
with dhcp.  this includes mask, subnet, time server and router.  Wish I
could also require an ID/Pass to get an IP :)

Jeremy Fowler wrote:
>>>So your router and firewall are two separate machines? 
>>
>>Seems redundant to me, most firewalls do routing as well.  
>>The only reason you would need a router is if the firewall 
>>wasn't on the same subnet.
>>
>>No, it's standard practice for the ultraparanoid.  
>>
>>The idea is, if your outer wall is compromised, hopefully you can
>>limit the damage
>>before Kevin Mitnick gets all the way into your shorts.
>>
>>You might want to put a honeypot in there too.
> 
> 
> 
> Not in this scenario. The firewall is on the SAME subnet as the router and hosts. If the firewall was compromised, there would be nothing stopping it from attacking the rest of the hosts. In order to establish a DMZ, he needs to place the firewall on a separate subnet off from the rest of the network for it to be secured like in my second example. He would need to VLAN off that connection as well, or use a separate switch not connected to the LAN.
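The point made in the reply above (a firewall sharing the LAN subnet can address every host directly, while one on its own link off a second router NIC can only reach the router, which then filters what it forwards) can be checked and expressed as rules. The script below is an added example, not code from the thread; all addresses (192.168.1.0/24 for the LAN, a hypothetical 10.0.0.0/30 router-to-firewall link) are constructed.

```python
import ipaddress

# Constructed example addressing, not taken from the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ_LINK = ipaddress.ip_network("10.0.0.0/30")  # hypothetical router<->firewall link


def iface(addr):
    """Parse 'a.b.c.d/prefix' into an interface (address + its subnet)."""
    return ipaddress.ip_interface(addr)


def shares_segment(a, b):
    """True when two interfaces sit in the same broadcast domain (their
    subnets overlap), i.e. one can reach the other without going through a router."""
    return a.network.overlaps(b.network)


def reachable_without_router(firewall, hosts):
    """Names of hosts a compromised firewall could talk to directly,
    with no router in the path to filter the traffic."""
    fw = iface(firewall)
    return sorted(name for name, addr in hosts.items()
                  if shares_segment(fw, iface(addr)))


def forward_rules(dmz, lan):
    """FORWARD chain for the router once the firewall is on its own link:
    the LAN may open sessions toward the firewall segment (and out to the
    Internet behind it); the firewall segment may only answer, never initiate."""
    return [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -s {lan} -d {dmz} -m state --state NEW -j ACCEPT",
        f"iptables -A FORWARD -s {dmz} -d {lan} -j DROP",
    ]


# Current layout: firewall, router and hosts all on one /24.
FLAT = {"router": "192.168.1.1/24", "fileserver": "192.168.1.10/24",
        "desktop": "192.168.1.20/24"}
# Proposed layout: router gets a second NIC on a /30 shared only with the firewall.
SEGMENTED = {"router": "10.0.0.1/30", "fileserver": "192.168.1.10/24",
             "desktop": "192.168.1.20/24"}

if __name__ == "__main__":
    print(reachable_without_router("192.168.1.254/24", FLAT))   # every host
    print(reachable_without_router("10.0.0.2/30", SEGMENTED))   # only the router
    print("\n".join(forward_rules(DMZ_LINK, LAN)))
```

The /30 link also needs to be its own switch or VLAN, as the reply says; the rules only control what the router forwards between the two segments.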


More information about the Kclug mailing list