How many firewalls?
Hi!

I want to set up a DMZ in my school. The only thing I want to know is:

- Internet -> HARDWARE-ROUTER -> FW -> DMZ -> FW -> Intranet

or

-         Internet
              |
              |
       Hardware-Router
              |
              |
              |
              FW
   DMZ _______/\______Intranet

(I hope this ascii art is good enough... :-/)

Our school has no good connection and low traffic, but this is for a skilled work (the German term is 'Facharbeit') and so I want a really secure thing (no, I won't cut the cable ;-D).

Any comments or proposals?

Thanks, Max
Hi! On Tue, Jan 15, 2002 at 08:30:29PM +0100, Max Lindner wrote:
I want to set a up a DMZ in my school.
- Internet -> HARDWARE-ROUTER -> FW(1) -> DMZ -> FW(2) -> Intranet
What do you mean by hardware router? Does it have some packet filtering capabilities?
or
-         Internet
              |
              |
       Hardware-Router
              |
              |
              |
              FW
   DMZ _______/\______Intranet
(I hope, this ascii art is good enough... :-/)
It's fine :-) You might want to have a look at Zwicky et al.: Building Internet Firewalls. Second Edition, June 2000. O'Reilly. There are _dozens_ of possible configurations for firewalls. You could e.g. merge the hardware-router and the firewall into one machine. [Zwicky et al.]: "You can merge the interior and exterior routers into a single router, but only if you have a router sufficiently capable and flexible". Router in this context means a packet filtering router.
Our school has no good connection and low traffic, but this is for a skilled work (the German term is 'Facharbeit') and so I want a really secure thing (no, I won't cut the cable ;-D).
The best configuration for your network depends on the requirements (which might sound rather trivial...). If the users in the intranet want to access services on the internet, you might want to proxy these services on the firewall or on a machine in the DMZ or on a machine in a separate subnet. Proxies provide another layer of protection since you can configure what kind of access is allowed.

You could e.g. have the following configuration:

          Internet
              |
              |
              |
             FW1
   DMZ _______/\___FW2+Proxies____Intranet

FW2 fetches all mail from the mail server, scans them for viruses and puts them into the mail spool files for the users on the intranet. It also serves as www proxy (e.g. via squid): All machines on the intranet are configured with FW2 as proxy.

There are _lots_ of other possible configurations. Maybe it's better to put the proxies to the DMZ (FW2 is less vulnerable, but packet filtering rules are more complex). It depends.

The book by Zwicky et al. is really good. If you can get your hands on it, read Chapter 6: Firewall Architectures.

Best regards, Albert
* Albert Brandl wrote on Wed, Jan 16, 2002 at 09:19 +0100:
On Tue, Jan 15, 2002 at 08:30:29PM +0100, Max Lindner wrote:
- Internet -> HARDWARE-ROUTER -> FW(1) -> DMZ -> FW(2) -> Intranet
What do you mean by hardware router? Does it have some packet filtering capabilities?
Does it matter? Well, it's nice to have two different firewalls, i.e. Linux and Cisco or Linux and BSD or so, since they won't have the same bugs, if they have.
The best configuration for your network depends on the requirements [just let me repeat :)]
Proxies provide another layer of protection since you can configure what kind of access is allowed.
Yes, and with proxies you can do more detailed control, since it works on the application layer and understands the contents of the packets. With a packet filter, you can drop HTTP packets from i.e. yahoo.com. With a proxy, you can filter HTTP packets with gif content from yahoo.com or so.
You could e.g. have the following configuration:
          Internet
              |
              |
              |
             FW1
   DMZ _______/\___FW2+Proxies____Intranet
FW2 fetches all mail from the mail server, scans them for viruses and puts them into the mail spool files for the users on the intranet.
Why fetching? Why not put an SMTP server in the DMZ which forwards mail via proxy to internal LAN?
It also serves as www proxy (e.g. via squid): All machines on the intranet are configured with FW2 as proxy.
If you want to have a secure FW2 proxy, I would suggest disabling packet forwarding at all. Once in the kernel via echo "0" > /proc/***??*/ip*_forward* and maybe additionally by firewall rules, shouldn't hurt :) Then you have two networks (from the network transport's point of view), and it's much harder for an intruder to get in.
There are _lots_ of other possible configurations. Maybe it's better to put the proxies to the DMZ (FW2 is less vulnerable, but packet filtering rules are more complex). It depends.
If you put proxies in the DMZ only, you cannot disable the packet forwarder and you will rely on firewall rules. This is ok, but personally I like it more to have no packet forwarding at all; it is much easier to check and configure than firewall rules (well, it may happen that a firewall rule accidentally bypasses another and so on).

oki, Steffen
--
This letter was generated by machine and therefore bears neither signature nor seal.
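Steffen's worry that one firewall rule accidentally bypasses another can be checked mechanically. The following is an added example, not code from the thread: it takes an ordered, first-match packet-filter rule list (a constructed FW2 rule set for the DMZ/intranet layout above; the addresses are assumptions) and flags every rule that is completely covered by an earlier rule with the opposite action, i.e. a rule that can never be reached.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "accept" or "drop"
    src: str           # source CIDR, "0.0.0.0/0" for any
    dst: str           # destination CIDR
    proto: str         # "tcp", "udp" or "any"
    dport: tuple       # inclusive destination port range, (0, 65535) for any


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    port_ok = outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1]
    return src_ok and dst_ok and proto_ok and port_ok


def find_shadowed(rules):
    """Return (winner, shadowed) index pairs under first-match evaluation.

    A rule is shadowed when an earlier rule with the opposite action already
    matches everything it would match, so the later rule is never reached.
    """
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if rules[i].action != later.action and _covers(rules[i], later):
                found.append((i, j))
                break  # the first covering rule is the one that wins
    return found


# Constructed FW2 rule set (not from the thread): intranet side of the DMZ.
INTRANET, DMZ, ANY = "10.0.1.0/24", "192.168.100.0/24", "0.0.0.0/0"
RULES = [
    Rule("accept", INTRANET, DMZ, "tcp", (25, 25)),                 # 0: mail relay in DMZ
    Rule("accept", INTRANET, ANY, "tcp", (80, 80)),                 # 1: "web" hole, too broad
    Rule("drop", INTRANET, "192.168.100.10/32", "tcp", (80, 80)),   # 2: never reached
    Rule("drop", ANY, ANY, "any", (0, 65535)),                      # 3: default deny
]

if __name__ == "__main__":
    for winner, lost in find_shadowed(RULES):
        print(f"rule {lost} is shadowed by rule {winner}: {RULES[lost]}")
```

Swapping rules 1 and 2 (specific deny before the broad accept) makes the report empty, which is the ordering check worth running whenever a rule set changes.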
Hi!
I want to set up a DMZ in my school. The only thing I want to know is:
- Internet -> HARDWARE-ROUTER -> FW -> DMZ -> FW -> Intranet
or
-         Internet
              |
              |
       Hardware-Router
              |
              |
              |
              FW
   DMZ _______/\______Intranet
(I hope, this ascii art is good enough... :-/)
Our school has no good connection and low traffic, but this is for a skilled work (the German term is 'Facharbeit') and so I want a really secure thing (no, I won't cut the cable ;-D).
Any comments or proposals?
Thanks, Max
Hi Max,

I would prefer the first setup, because it better protects your internal network. If you for instance face a DoS attack, the first FW acts as a bastion host. In the first setup you are also better able to place application-layer proxies in your DMZ to filter traffic from the internet to your school network and vice versa.

I suggest you read the "Firewall - Handbuch" (in German) at http://www.little-idiot.de/firewall/zusammen.html by Guido Stepken.

btw.: nomen *non* est omen in this case

Kind regards
Dr. H. Rosner
Stadtverwaltung Jena
Hauptamt / Datenverarbeitung
Tel: 03641 49 4181
Fax: 03641 49 4167
eMail: ros@jena.de
participants (4): Albert Brandl, Dr. Harro Rosner, Max Lindner, Steffen Dettmer