My general rule of thumb is that if I can track a connection through
wires/routers/hubs from the inside to the outside without passing through a
firewall, then there is the potential for the firewall to be circumvented.
Packets can't go where there are no wires. Any exception to this would need
to be carefully reviewed; to me, it's not worth the relatively inexpensive
cost of a small hub.

Unless you have filters on your routers, you should assume that the
192.168.x.x networks will be routed to the Internet and that a hacker could
probably get them back to your network. Previous discussions in this group
showed that ISPs generally do not block those addresses. So, if you don't,
assume that they aren't.

If you are saying that you want to put inside systems on the hub serving the
outside, keep in mind that, if the "inside" system somehow configured itself
with an external IP address, it is now accessible from the outside. For
example, if "routing" was somehow enabled on the "inside" system (on the
external hub), all it needs is the proper router packet to hit and most
systems will auto-configure themselves to serve the newly discovered
network. What makes this really bad is that now you have a system with
access to both the "inside" and "outside" networks and which performs
routing without going through the firewall.

So, while you can do it and get away with it, I certainly wouldn't; I don't
even split my hubs using Virtual LANs.

> -----Original Message-----
> From: Quintin Holmberg [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, March 03, 2000 1:38 PM
> To: Firewall List
> Subject: Hub Setup
> 
> Hello:
> I have recently been put in charge of a Linux firewall for a small
> company (15 employees) and am not very experienced with firewalling but
> am learning as I go.  When I examined the hub configuration, I found
> that we have a hub coming in from the outside world, this hub connecting
> to the firewall, and the firewall connected to a second hub for the
> inside network.  Now, I know this configuration is not mandatory and
> asked a fellow employee if it was necessary.  He says they did it to add
> an additional level of security by having all traffic being forced
> through the firewall.  Can anyone tell me if this does truly add a level
> of security?  It seems to me that if I am using the 192.168.2.x ip
> range, that routers will not route, for the internal machines they are
> pretty safe from the outside world.  Packets must still be routed
> through the firewall in order to be masqed and sent to the appropriate
> machine.
> 
> I ask because I have rebuilt the firewall (It was in very bad shape) and
> now am looking to reconnect it.  Not having this separation of hubs
> gives us more flexibility in assigning ports to computers that need to
> be outside the firewall vs. ones that need to be inside the firewall.
> 
> By the way, the firewall is only used to keep people out of our internal
> network.  We are in no way sort or form concerned about what our
> employees go out to.
> 
> Thanks
> --
> Quintin Holmberg
> Anlon Systems, Inc.
> [EMAIL PROTECTED]
> Minnesota State University, Mankato
> Association For Computer Machinery Student Chapter Chair
> [EMAIL PROTECTED]
> icq# 60699066
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
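
The wire-tracing rule of thumb from the reply can be run as a reachability check over a cabling inventory. This is an added example, not part of the original messages; the node names and the three topologies are constructed, and every host is assumed able to forward packets (the worst case the reply describes).

```python
from collections import deque

def bypass_path(links, inside, outside, firewalls):
    """Return a wire path from inside to outside that avoids every firewall, or None."""
    adj = {}
    for a, b in links:                      # cables are bidirectional
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    blocked = set(firewalls)
    prev = {inside: None}
    queue = deque([inside])
    while queue:                            # breadth-first search, firewalls removed
        node = queue.popleft()
        if node == outside:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(adj.get(node, ())):
            if nxt not in blocked and nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

# Constructed topologies (hypothetical names).
# 1. Two hubs with the firewall between them, as in the original question.
SPLIT_HUBS = [("isp-router", "outside-hub"), ("outside-hub", "firewall"),
              ("firewall", "inside-hub"), ("inside-hub", "pc1"),
              ("inside-hub", "pc2")]
# 2. One shared hub carrying both inside and outside machines.
SHARED_HUB = [("isp-router", "hub"), ("hub", "firewall"),
              ("hub", "pc1"), ("hub", "pc2")]
# 3. Split hubs, but pc2 has a second cable to the outside hub.
DUAL_HOMED = SPLIT_HUBS + [("pc2", "outside-hub")]

if __name__ == "__main__":
    for name, links in [("split hubs", SPLIT_HUBS), ("shared hub", SHARED_HUB),
                        ("dual-homed host", DUAL_HOMED)]:
        path = bypass_path(links, "pc1", "isp-router", {"firewall"})
        print(name, "->", " - ".join(path) if path else "no bypass")
```

Any non-empty result is a wire path that needs the careful review the reply asks for; the third topology shows how one extra cable on an inside machine defeats an otherwise clean split.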