[97875] in RedHat Linux List
firewall layout, need feedback
daemon@ATHENA.MIT.EDU (Alex Vorobiev)
Thu Nov 5 15:04:06 1998
From: Alex Vorobiev <sasha@forum.swarthmore.edu>
To: redhat-list@redhat.com
Date: Thu, 5 Nov 1998 15:01:51 -0500 (EST)
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com
Folks,
I am familiar with Building Internet Firewalls, the Firewall FAQ, and a number of
other documents. My goal is to get feedback and recommendations from people
based on real-life experiences.
I understand that this inquiry is pretty vague, but I would appreciate any
input on the matter.
For the sake of simplicity, let's assume a few things:
a new web service/development entity wants to build a secure
network. It's registered as a class C net. The network will
consist of 2 major parts: publicly available (perimeter, or DMZ)
and intranet (internal development network). The emphasis is on
inbound traffic; local users are presumed trustworthy, and proxying
is not a priority. The entity has funds to afford commercial
firewall products if necessary (the goal is to build a secure
net and stay within a reasonable budget).
Here's the tentative layout (should seem pretty typical):

ISP
-----------------------------------------------------------
Cisco router (possibly with IOS Firewall)
    packet filtering, default to deny
-----------------------------------------------------------
perimeter net
    Ethernet switch to prohibit packet sniffing
    SMTP forwarding server, anon. FTP, web server(s),
    fake DNS server
-----------------------------------------------------------
internal router or screening host, NAT
    more restrictive packet filtering
-----------------------------------------------------------
intranet (using private IPs, 192.168.x.x ...)
    NNTP, SMTP, internal DNS, SQL server(s), development
    and client machines
Questions:
(1) Commercial packet firewall vs., say, Linux IP filtering.
    It seems that the Linux IP firewall supports most of the features
    offered by commercial products with the exception of dynamic
    ports (screening traffic and dynamically opening certain
    ports for the duration of the session). Anything else?
(2) Some sources suggest not putting high-maintenance services
    (NNTP, SQL, CGI web) on the perimeter net (as opposed to the
    intranet). Trade-offs?
(3) Internal router: hardware piece, or software package running on
    a host?
Any real-life applications, issues, or suggestions would be appreciated.
Thanks for your help and patience.
--sasha / sasha@forum.swarthmore.edu
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com http://archive.redhat.com
To unsubscribe: mail redhat-list-request@redhat.com with
"unsubscribe" as the Subject.
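The "internal router or screening host" tier of the layout above, written out as an ipchains ruleset for a Linux 2.2 kernel (the Red Hat 5.2/6.0 era). This is an added example and is not part of the original post or a reply to it; the addresses, interface names, host roles, the use of 203.0.113.0/24 as a stand-in for the entity's class C, and the decision to route DMZ-to-intranet traffic without masquerading are all assumptions made for illustration. It shows what "default to deny" and stateless return-traffic handling look like in practice, which bears on question (1): with no session table, replies can only be admitted by TCP flag (`! -y`, SYN clear) and port range, and FTP data connections need a kernel helper rather than a rule.

```shell
#!/bin/sh
# Added example, not from the original post: ipchains rules for the
# "internal router or screening host" between the perimeter net and the
# intranet, Linux 2.2 kernel.  Every address, interface and host role is
# an assumption made for illustration:
#
#   eth0  203.0.113.1   perimeter (DMZ) side; 203.0.113.0/24 stands in
#                       for the entity's class C
#   eth1  192.168.1.1   intranet side; 192.168.1.0/24 is masqueraded
#                       behind 203.0.113.1 for Internet-bound traffic
#
# DMZ<->intranet traffic is forwarded WITHOUT masquerading, so the DMZ
# hosts are assumed to route 192.168.1.0/24 via 203.0.113.1.

IPCHAINS="${IPCHAINS:-echo ipchains}"   # dry run by default; IPCHAINS=ipchains as root to apply

DMZ_IF=eth0; DMZ_NET=203.0.113.0/24; EXT_IP=203.0.113.1
INT_IF=eth1; INT_NET=192.168.1.0/24
SMTP_RELAY=203.0.113.10    # perimeter SMTP forwarding server
FAKE_DNS=203.0.113.40      # perimeter ("fake") DNS
INT_SMTP=192.168.1.25      # intranet SMTP server
INT_DNS=192.168.1.53       # intranet DNS; assumed to forward outside lookups to FAKE_DNS
MASQ_PORTS=61000:65096     # local port range the 2.2 masquerading code allocates from

apply_rules() {
    $IPCHAINS -F
    $IPCHAINS -P input DENY        # default to deny on the two chains that filter
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT     # anything leaving has already passed input/forward

    $IPCHAINS -A input -i lo -j ACCEPT

    # Anti-spoofing: log (-l) and drop packets wearing the other side's addresses.
    $IPCHAINS -A input -i $DMZ_IF -s $INT_NET -j DENY -l
    $IPCHAINS -A input -i $INT_IF ! -s $INT_NET -j DENY -l

    # Intranet side: local users are presumed trustworthy, so admit everything.
    $IPCHAINS -A input -i $INT_IF -s $INT_NET -j ACCEPT

    # DMZ side, new connections (-y = SYN set, ACK/FIN clear): only the SMTP
    # relay may open a session inward, and only to the internal mail server.
    $IPCHAINS -A input -i $DMZ_IF -p tcp -y -s $SMTP_RELAY -d $INT_SMTP 25 -j ACCEPT

    # DMZ side, replies.  ipchains keeps no session table, so "established"
    # means: TCP with SYN clear (! -y) to an intranet address, DNS answers
    # from the fake DNS, and replies to masqueraded sessions, which arrive
    # addressed to EXT_IP in the masquerading port range.
    $IPCHAINS -A input -i $DMZ_IF -p tcp ! -y -s $DMZ_NET -d $INT_NET -j ACCEPT
    $IPCHAINS -A input -i $DMZ_IF -p udp -s $FAKE_DNS 53 -d $INT_DNS -j ACCEPT
    $IPCHAINS -A input -i $DMZ_IF -p tcp ! -y -d $EXT_IP $MASQ_PORTS -j ACCEPT
    $IPCHAINS -A input -i $DMZ_IF -p udp -d $EXT_IP $MASQ_PORTS -j ACCEPT
    # ICMP errors that working TCP depends on (path MTU, unreachables); the rest is denied.
    $IPCHAINS -A input -i $DMZ_IF -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPCHAINS -A input -i $DMZ_IF -p icmp --icmp-type time-exceeded -j ACCEPT

    # Forward chain.  In ipchains, -i on this chain names the OUTGOING interface.
    # Intranet -> DMZ is plain routing; intranet -> Internet is masqueraded.
    $IPCHAINS -A forward -i $DMZ_IF -s $INT_NET -d $DMZ_NET -j ACCEPT
    $IPCHAINS -A forward -i $DMZ_IF -s $INT_NET -j MASQ
    # DMZ -> intranet: mirror of the input rules above.
    $IPCHAINS -A forward -i $INT_IF -p tcp -y -s $SMTP_RELAY -d $INT_SMTP 25 -j ACCEPT
    $IPCHAINS -A forward -i $INT_IF -p tcp ! -y -s $DMZ_NET -d $INT_NET -j ACCEPT
    $IPCHAINS -A forward -i $INT_IF -p udp -s $FAKE_DNS 53 -d $INT_DNS -j ACCEPT
}

# Active-mode FTP from intranet clients opens a second, server-initiated data
# connection on a port negotiated inside the control session.  No static rule
# above admits it; on 2.2 that is the masquerading helper's job
# (modprobe ip_masq_ftp), which is the "dynamic ports" feature of question (1).

apply_rules
```

Run it as-is to see the commands it would issue; `IPCHAINS=ipchains sh screening-host.sh` as root loads them. The border router's own filter (admitting only SMTP, HTTP, FTP and DNS to the respective perimeter hosts, default deny) is a separate and coarser list in front of this one, and the masquerading port-range rules are exactly the kind of hole a stateful filter would not have to leave open.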