[97875] in RedHat Linux List


firewall layout, need feedback

daemon@ATHENA.MIT.EDU (Alex Vorobiev)
Thu Nov 5 15:04:06 1998

From: Alex Vorobiev <sasha@forum.swarthmore.edu>
To: redhat-list@redhat.com
Date: Thu, 5 Nov 1998 15:01:51 -0500 (EST)
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com

folks,

i am familiar with Building Internet Firewalls, Firewall FAQ, and a number of 
other documents.  my goal is to get feedback and recommendations from people 
based on real-life experiences. 

i understand that this inquiry is pretty vague, but i would appreciate any
input on the matter.

for the sake of simplicity, let's assume a few things: 
	a new web service/development entity wants to build a secure 
	network.  it's registered as a class C net.  the network will
	consist of 2 major parts: publicly available (perimeter, or DMZ)
	and intranet (internal development network).  the emphasis is on
	inbound traffic; local users presumed trustworthy, and proxying
	is not a priority.  the entity has funds to afford commercial 
	firewall products if necessary (the goal is to build a secure
	net and stay within a reasonable budget).  

here's the tentative layout (should seem pretty typical):

ISP
-----------------------------------------------------------
cisco router (possibly with IOS Firewall) 
	packet filtering, default to deny
-----------------------------------------------------------
perimeter net
	ether switch to prohibit packet sniffing
	SMTP forwarding server, anon. ftp, web server(s),
	fake DNS server
-----------------------------------------------------------
internal router or screening host, NAT
	more restrictive packet filt.
-----------------------------------------------------------
intranet (using private IPs, 192.168.x.x ...)
	NNTP, SMTP, intern. DNS, SQL server(s), development
	and client machines


questions:

(1) commercial packet firewall vs., say, Linux IP filtering.
    seems that Linux ip firewall supports most of the features 
    offered by commerc. products with the exception of dynamic
    ports (screening traffic and dynamically opening certain
    ports for the duration of the session).  anything else? 

(2) some sources suggest not to put high-maintenance services
    (NNTP, SQL, CGI-web) on the perimeter net (as opposed to
    intranet).  trade-offs?

(3) internal router: hardware piece, or soft. package running on
    a host?


any real-life applications, issues, suggestions would be appreciated.

thanks for your help and patience. 
--sasha / sasha@forum.swarthmore.edu


-- 
  PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
		http://www.redhat.com http://archive.redhat.com
         To unsubscribe: mail redhat-list-request@redhat.com with 
                       "unsubscribe" as the Subject.
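The difference raised in question (1), a static packet filter versus one that tracks sessions and opens ports dynamically, is easy to see on the perimeter router of the layout above. The following simulation is an added illustration and is not part of the original post; the addresses (192.0.2.0/24 standing in for the registered class C, 203.0.113.7 as an outside host), the port numbers and the packet sequence are constructed for the example. It models both filters over the same inbound packets: a default-deny rule set that exposes only the DMZ services, the "established" rule a stateless filter needs to let replies back in, and a connection table with a one-shot expected port of the kind an FTP helper would add after a PORT command.

```python
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges): 192.0.2.0/24 plays
# the site's registered class C with the DMZ hosts in it, 203.0.113.7 an
# outside peer.  None of these come from the original post.
DMZ_WEB, DMZ_FTP, DMZ_SMTP, DMZ_DNS = "192.0.2.10", "192.0.2.21", "192.0.2.25", "192.0.2.53"
OUTSIDE = "203.0.113.7"
THIRD_PARTY = "203.0.113.99"

# Services the perimeter router exposes inbound; everything else is denied.
ALLOWED_INBOUND = {(DMZ_WEB, 80), (DMZ_FTP, 21), (DMZ_SMTP, 25), (DMZ_DNS, 53)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_filter(pkt: Packet) -> str:
    """Static rules only (ipfwadm/ipchains style).  New inbound connections are
    limited to the listed services; replies to outbound connections can only be
    recognised by the ACK bit, so any ACK-set packet to a high port is let in."""
    if (pkt.dst, pkt.dport) in ALLOWED_INBOUND and pkt.syn and not pkt.ack:
        return "ACCEPT"
    if pkt.ack and not pkt.syn and pkt.dport >= 1024:
        return "ACCEPT"          # "established" rule: the hole a stateful filter closes
    return "DENY"


class StatefulFilter:
    """Connection-tracking filter: accepts inbound packets only for flows it
    has seen or for a port it has been told to expect for one session."""

    def __init__(self) -> None:
        self.flows: set = set()      # (local_ip, local_port, remote_ip, remote_port)
        self.expected: set = set()   # (remote_ip, local_ip, local_port), consumed once

    def outbound(self, pkt: Packet) -> None:
        # Outbound traffic is trusted per the post's assumptions; record the
        # flow so that its return packets can be matched.
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def expect(self, remote_ip: str, local_ip: str, local_port: int) -> None:
        # Models an application helper (hypothetical here) that parsed a PORT
        # command on a tracked FTP control channel and opens one data port.
        self.expected.add((remote_ip, local_ip, local_port))

    def inbound(self, pkt: Packet) -> str:
        if (pkt.dst, pkt.dport) in ALLOWED_INBOUND and pkt.syn and not pkt.ack:
            self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "ACCEPT"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ACCEPT"      # packet belongs to a tracked connection
        key = (pkt.src, pkt.dst, pkt.dport)
        if pkt.syn and not pkt.ack and key in self.expected:
            self.expected.remove(key)   # one-shot: the port closes again
            self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "ACCEPT"
        return "DENY"


def compare() -> dict:
    """Run the same inbound packets through both filters.
    Returns {case: (stateless verdict, stateful verdict)}."""
    sf = StatefulFilter()
    results = {}

    # 1. A visitor opens a connection to the DMZ web server.
    p = Packet(OUTSIDE, 40000, DMZ_WEB, 80, syn=True)
    results["web_syn"] = (stateless_filter(p), sf.inbound(p))

    # 2. Telnet to the same host: not exposed, default deny.
    p = Packet(OUTSIDE, 40001, DMZ_WEB, 23, syn=True)
    results["telnet_syn"] = (stateless_filter(p), sf.inbound(p))

    # 3. The SMTP forwarder connects out to deliver mail; the reply comes back.
    sf.outbound(Packet(DMZ_SMTP, 33000, OUTSIDE, 25, syn=True))
    p = Packet(OUTSIDE, 25, DMZ_SMTP, 33000, ack=True)
    results["smtp_reply"] = (stateless_filter(p), sf.inbound(p))

    # 4. Forged ACK-only packet to a high port with no matching connection
    #    (a probe through the "established" rule).
    p = Packet(OUTSIDE, 6000, DMZ_SMTP, 33001, ack=True)
    results["forged_ack"] = (stateless_filter(p), sf.inbound(p))

    # 5. Active-mode FTP from the DMZ host to an outside server: the server
    #    connects back from port 20 to the high port announced in
    #    "PORT 192,0,2,21,128,235" (128*256+235 = 33003).
    sf.outbound(Packet(DMZ_FTP, 33002, OUTSIDE, 21, syn=True))
    sf.expect(OUTSIDE, DMZ_FTP, 33003)
    p = Packet(OUTSIDE, 20, DMZ_FTP, 33003, syn=True)
    results["ftp_data_syn"] = (stateless_filter(p), sf.inbound(p))

    # 6. Some other host tries the same data port: it was opened for one peer only.
    p = Packet(THIRD_PARTY, 20, DMZ_FTP, 33003, syn=True)
    results["ftp_data_third_party"] = (stateless_filter(p), sf.inbound(p))
    return results


if __name__ == "__main__":
    for case, (stateless, stateful) in compare().items():
        print(f"{case:24s} stateless={stateless:6s} stateful={stateful}")
```

Cases 4 and 5 are the two sides of the trade-off the question asks about: the stateless filter passes the forged ACK packet because it has no other way to recognise replies, and it breaks active FTP because the data connection is a new inbound SYN to an unlisted port; the stateful filter handles both correctly, and the expected port is scoped to the peer and session that negotiated it. Note that the stateless rule set could be patched to accept SYNs from source port 20 to high ports, but that only moves the hole, since any outside host can send from port 20.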

