
List:       firewall-wizards
Subject:    RE: [fw-wiz] Classes of firewalls (based on IP utilization)
From:       "Loomis, Rip" <GILBERT.R.LOOMIS () saic ! com>
Date:       2001-02-27 16:00:47

We've been in similar situations with our
lab network here.

I would concur with the recommendation below,
to use a bridging firewall (or firewalling
bridge).  Best example in the commercial
category is the Lucent Managed Firewall
"brick" - 3 or 4 Fast Ethernet Interfaces,
fancy Java GUI and server process, neato-whizbang
features.  It's still essentially a stateful
packet filter, though, and costs fairly
serious money...so you can also just
throw two NICs into a current OpenBSD box
and set up IPFilter.  If you try the latter (or
the former) and you have problems with the
config, send me what you've got and
I might be able to diagnose.  (There are
other bridging firewall solutions out there,
I'm sure, but the two above are what I
have personally used.  I'd love to know
of more, though...)

Alternatively, you could subnet the class C,
and have (for example) a /28 for the "DMZ"
(inside router to external of firewall),
and then a mish-mosh of small subnets for
the rest of the interior.  You've said that
you don't want to do that, and it would
be ugly and painful, so I include it only
for completeness.

The other alternative I've seen is to
put NAT-capable proxy firewalls behind
that packet-filtering router, and not
put any critical systems on the actual
Class C.  We're using both this and
OpenBSD boxen to allow us to shift our
network architecture around quickly when
we change what products/projects are
active in our lab.  Again, you said
you only want to work with "real" IPs,
and I would agree with that goal...but
since you didn't provide a rationale,
I would suggest that you might re-consider.

YMMV, HTH, and good luck.

Rip Loomis		Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com



> -----Original Message-----
> From: Todd Barlow [mailto:todd@lightspeedsystems.com]
> Sent: Monday, February 26, 2001 3:25 PM
> To: 'list tracker'; firewall-wizards@nfr.com
> Subject: RE: [fw-wiz] Classes of firewalls (based on IP utilization)
> 
> 
> I would suggest a Firewall that will allow for "bridging" between two (or
> more) Interfaces.
> In this mode, both Interfaces can be on the same subnet (but different
> network segments) and don't route traffic, only "bridge" it (layer-2) across
> segments.
> 
> There may be other solutions, but this sounds easiest.
> 
> Todd Barlow
> Lightspeed Systems, Inc.
> ph: 661.324.4291
> http://www.lightspeedsystems.com
> 
> 
> -----Original Message-----
> From: list tracker [mailto:list_tracker@hotmail.com]
> Sent: Sunday, February 25, 2001 02:43 AM
> To: firewall-wizards@nfr.com
> Subject: [fw-wiz] Classes of firewalls (based on IP utilization)
> 
> 
> 
> So far, I have created the following types of firewalls:
> 
> 1. One subnet (or even one IP) on the external interface, and another subnet
> of fake IPs on the internal, using NAT one <--> many.
> 
> 2. One subnet of real IPs on the external, and one subnet of real IPs on the
> internal, with a next-hop route from the external subnet to the internal
> (said next hop route is set up on the router the firewall connects outwards
> to)
> 
> I am wondering what can be done if I want to use ONLY real IPs, but I also
> only want to use ONE subnet.  If I have a /24, with no subnets, and the
> router is .1, and the FW external is .2, and the FW internal is .3 and
> workstations are .4 - .254 ... is there a way to work this ?
_______________________________________________
firewall-wizards mailing list
firewall-wizards@nfr.com
http://www.nfr.com/mailman/listinfo/firewall-wizards
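To make the bridging-firewall idea from this thread concrete, here is an added toy model (not code from any poster, and not IPFilter or the Lucent brick): a two-port learning bridge with a stateful filter in its forwarding path. Addresses are constructed in the documentation range 192.0.2.0/24 to mirror the question's single /24; the port names fxp0/fxp1 are assumed.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing modelled on the question: one /24, router at .1,
# firewall straddling the segment at layer 2, workstations at .4 - .254.
LAN = ip_network("192.0.2.0/24")


class BridgingFirewall:
    """Two-port learning bridge with a stateful IP filter in the forwarding path.

    Frames are switched on MAC address, so both ports sit on the same subnet and
    no IP is rewritten or routed; the filter only decides whether a frame crosses.
    """

    def __init__(self, outside="fxp0", inside="fxp1"):
        self.outside, self.inside = outside, inside
        self.mac_table = {}   # learned MAC -> port it was last seen on
        self.state = set()    # (src, sport, dst, dport) flows opened from inside

    def _permitted(self, port, ip):
        flow = (ip["src"], ip["sport"], ip["dst"], ip["dport"])
        reverse = (ip["dst"], ip["dport"], ip["src"], ip["sport"])
        if flow in self.state or reverse in self.state:
            return True                        # part of an existing session
        if port == self.inside and ip_address(ip["src"]) in LAN:
            self.state.add(flow)               # inside host opens a new session
            return True
        return False                           # unsolicited from outside: drop

    def receive(self, port, frame):
        """Return (egress_port, frame) if forwarded, None if dropped or local."""
        self.mac_table[frame["smac"]] = port
        if not self._permitted(port, frame["ip"]):
            return None
        if self.mac_table.get(frame["dmac"]) == port:
            return None                        # destination is on the ingress segment
        other = self.inside if port == self.outside else self.outside
        return other, frame                    # known on the other port, or flooded there


def frame(smac, dmac, src, sport, dst, dport):
    """Build a constructed Ethernet frame carrying a minimal IP/transport header."""
    return {"smac": smac, "dmac": dmac,
            "ip": {"src": src, "sport": sport, "dst": dst, "dport": dport}}
```

Note that the forwarded frame is returned unchanged: the workstation at .10 and the router at .1 still talk directly on one subnet, which is the property the original question asked for.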
