Actually, Larry did answer some of the question. The default route idea
would work fine - all the addresses for your own LAN will be more specific
than the default route out of the remote site.
Let's make that more explicit - a packet destined for one of the known
"internet" addresses in your DMZ would match a route entry like 12.13.14.0
255.255.255.0, and head out of the WAN link, while a packet for Elsewhere
would not match any of the specific addresses and match 0.0.0.0 (default
route) and get shoved out of the ISP link at the remote site.
I would use a real router instead of a Linux box - I don't know how much a
Cisco 801 or 1603 costs over there, but probably less than a PC and an ISDN
card and all the screwing around setting up a Linux firewall. You can set up
NAT and a filter to only allow traffic on port 80 and only when it's
"established" (ACK bit set). This will make you as secure as HTTP gets (not
very, as lots of people have been ranting about recently). Please consider
using a proxy server at each site, if only for the minor security win. If
you've got lots of time you can try a HTTP proxy that does some sanity
checking (TIS?).
Since you lose security by not having a single choke point, I would tend to
trust the branch offices less, and see if I could set up some filters on the
WAN links coming into the head office. I guess I should note that this is
Not Real Secure (tm), so you need to do a risk assessment. The alternative
you're weighing it against is getting big enough WAN links so they will
support browsing through the head office proxy server.
Cheers,
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
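As an added illustration (not code from the thread or from any of its authors), the routing and filtering scheme Ben describes above, and Larry sketches further down, modelled in Python: a longest-prefix lookup sends the head-office DMZ and the internal networks over the WAN link and everything else out the local ISP link, with a stateless "established" (ACK bit) filter on the ISP side. The 10.0.0.0/8 prefix, the interface names and the sample addresses are assumptions; only 12.13.14.0/24 comes from the message.

```python
import ipaddress
from dataclasses import dataclass

# Constructed routing table for the remote-site router. Only 12.13.14.0/24
# appears in the thread; the private prefix and interface names are assumed.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "isdn0"),     # default: local ISP link
    (ipaddress.ip_network("10.0.0.0/8"), "wan0"),     # corporate private nets, leased line
    (ipaddress.ip_network("12.13.14.0/24"), "wan0"),  # head-office DMZ (public), leased line
]

@dataclass
class Packet:
    dst: str
    proto: str = "tcp"
    src_port: int = 0
    dst_port: int = 0
    ack: bool = False

def select_route(dst):
    """Egress interface for dst: the matching route with the longest prefix.
    The default route always matches, so it is used only when nothing more
    specific (DMZ or internal network) does."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in ROUTES if addr in r[0]]
    best = max(matches, key=lambda r: r[0].prefixlen)
    return best[1]

def isp_outbound_permitted(pkt):
    """Only web requests (TCP to port 80) may leave via the dial-up link."""
    return pkt.proto == "tcp" and pkt.dst_port == 80

def isp_inbound_permitted(pkt):
    """Stateless 'established' filter on the ISP side of the remote router:
    only TCP traffic from port 80 carrying the ACK bit is let in. Nothing
    here remembers whether a local host actually opened the connection,
    which is why the thread rates it 'as secure as HTTP gets (not very)'."""
    return pkt.proto == "tcp" and pkt.src_port == 80 and pkt.ack
```

Note that a packet from source port 80 with ACK set passes the inbound check whether or not any local host sent a request, which is the limitation the thread's proxy suggestion is meant to offset.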
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 29, 1999 12:14 AM
To: [EMAIL PROTECTED]
Subject: Re: [Q] Multiple endpoints for Internet
Not really - I thought of the default route, but each remote
would have its own Internet connection, but would still need to access the
"Internet" (public addresses) of the email server(s) from within
inside! (I don't want to open the firewall at the main site for POP3
message retrieval from the Internet) ... does it make sense?!?
And, also, if possible - any real life hardware experience with
ISDN dial-on-demand + firewall + NAT or proxy on a "cheapo"
implementation ...
Thanks again,
Calin
On 28 May 99, at 6:58, Larry Chin wrote:
>
> hmmm if I read this right ( in my hasty perusal of your message ) I would
> think that you could set up a router at the remote site that had routes to
> the various internal networks.
>
> In addition there would be a default route for any unknown networks ie:
> any networks external to your company, that would point at the Internet
> link for the remote site.
>
> So, when someone at the remote site wanted access to an internal network,
> the traffic would flow across the WAN link, since the destination is an
> "internal" network. Conversely when the destination was an external
> network the traffic would go out the ISDN link or whatever.
>
> Hope that answers the question.
>
> ===================================================================
> Larry Chin {[EMAIL PROTECTED]} Technical Specialist - ISC
> Sprint Canada 2550 Victoria Park Avenue
> Phone: 416.496.1644 ext. 4693 Suite 200, North York, Ontario
> Fax: 416.498.3507 M2J 5E6
> ===================================================================
>
> On Thu, 27 May 1999 [EMAIL PROTECTED] wrote:
>
> > Probably a very common scenario: corporate headquarters with a
> > setup similar to: Internal network with private address pool, DMZ with
> > public address and Internet connection via leased lines, with
> > appropriate firewall / routers / proxy implementation. The DMZ has
> > the proxy, email server, Web server, FTP server, name server, etc.
> > Now - all remote offices are connected via leased lines to the
> > headquarters (WAN setup, but with slow inter-LAN links), separated
> > by routers on their own (also private addressed, obviously) nets.
> > Everybody needs to get access to the DMZ (which is reachable only
> > via the headquarter router, through a proxy and firewall) for email,
> > etc., but I want the remotes to get access for browsing and
> > other time-consuming or resource-consuming tasks ONLY via their
> > own dial-on-demand (I am thinking, perhaps using ISDN)
> > connections, and appropriate firewalling at each place.
> > My questions:
> > 1. Has anybody implemented this type of arrangement? What would
> > be some concerns / recommendations in terms of dial-on-demand +
> > routing + firewalling at the remotes, when having to communicate
> > with the Internet "two-ways" (through to the headquarters also, for the
> > email servers)?
> > 2. Any recommendations for very "financially sound" (i.e. cheap)
> > solutions? I was thinking into ISDN cards on a Linux box, with the
> > same box as firewall and (perhaps) masquerading, but have never
> > done this (don't even know if it's possible).
> >
> > TIA for any hints/pointers to real life experience, or theoretical
> > advice,
> > Calin
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
-----------------------------
Stefan Mititelu
Manager Network Services
Panduit Corporation
Email: [EMAIL PROTECTED] (business related)
[EMAIL PROTECTED] (personal)
Phone# (708)532-1800
Fax# (708)532-9811
2-way pager# (888)327-5567
-----------------------------