routing problem - fork on gateways

Jack quiet_celt at yahoo.com
Fri Sep 2 17:14:32 CDT 2005


--- Jeremy Fowler wrote:

> 
> > > So your router and firewall are two separate
> machines? 
> > Seems redundant to me, most firewalls do routing
> as well.  
> > The only reason you would need a router is if the
> firewall 
> > wasn't on the same subnet.
> > 
> > No, it's standard practice for the ultraparanoid. 
> 
> > 
> > The idea is, if your outer wall is compromised,
> hopefully you can
> > limit the damage
> > before Kevin Mitnick gets all the way into your
> shorts.
> > 
> > You might want to put a honeypot in there too.
> 
> 
> Not in this scenario. The firewall is on the SAME
> subnet as the router and hosts. If the firewall was
> compromised, there would be nothing stopping it from
> attacking the rest of the hosts. In order to
> establish a DMZ, he needs to place the firewall on a
> separate subnet off from the rest of the network for
> it to be secured like in my second example. 

If the firewall is compromised there is no way to
prevent any computer connected to any network that has
internet access from being attacked no matter how
elegant your network design. I find it is better
to use a simple network plan from a
safe-yourself-headaches perspective.

I much prefer this type of set up

+----------+
| internet |
+----------+
      |
      |  firewall        honeypot
+------------+         +-----------+
|  10.1.1.1  |  ------ | 10.1.1.10 |   (switch 1)
+------------+         +-----------+
     |
     |
+-----------+
| 10.1.1.2/ | router
| 172.1.1.1 |  (two nics)
+-----------+ 
     |
     |
+----------+
| localnet |         (switch 2)
+----------+

However, I do not have a honeypot currently and hence 
no need to separate the firewall and router, thus
negating the need for two switches. Also, I use my
firewall/router as the gateway so one of the two nics
has a real world ip and the other is to the local lan.
From what I can see of the network here described the
firewall is the gateway to the internet, but there is
something missing from the description. I see the
router as a useless box on the network and any pc
connected to the network can bypass the router and
route directly through the firewall.

This is the network I see described.

(internet) ---- (cablemodem) 
             |
             |
       [ real ip addr ]
     (gateway/firewall?) 
         [10.1.1.1]
            |
  __________|_____________________
 |               |                |
10.1.1.30    10.1.1.10       10.1.1.2
 host 1        host 3          host 2
                             (router)

Now an intelligent ip protocol will bypass the router
once it has found the gateway, so traffic only goes
through the router the first time. Correct me if I'm
wrong in any of this. I don't see the internet gateway
in the description of the LAN anywhere, so I've
assumed that the firewall is the gateway. I see only
the firewall with a local address connected to the
cable modem, which I don't think will work the way
described. Something here has to be connected to two
networks (LAN & internet). 

Brian JD



More information about the Kclug mailing list