I'm trying to get a plan together to set up a firewall on a network and
have some issues that I haven't sorted out yet. Perhaps someone can help me.
Currently the network is on a full Class C address space, with a router to
the internet. The router provides the current security, but it's very
limited. There is no NAT going on and preferably it should remain that way
(just want to filter traffic).
My idea is to create a screened subnet using a merged interior/exterior
router in addition to the existing router. The merged router (firewall)
ends up being a triple-homed host (FreeBSD box), with a NIC to the
internet, a NIC to the perimeter network, and a NIC to the internal
network. The internet router only talks to the FreeBSD box, which permits
some communication with servers on the perimeter network (FTP, WWW, mail,
etc.), and keeps a tighter watch on traffic to and from the internal network
(even if it's from the perimeter network, in case one of those servers
becomes compromised).
With me so far?
Ok. So to firewall, we need to route, and to route, we need to
subnet. Barring any faults in my ideas so far, I'm stumped as to how to
subnet the current Class C to easily permit this and make best use of the
address space. So far they've been spoiled with their addressing, but no
more after this. I've never had to subnet into a Class C before, so I did
my homework and it would seem that subnets must all be of equal size. This
is bad, because the perimeter network only needs to support a few hosts,
while the internal network needs to support a much larger number (I don't
need a third subnet, figuring I can use a private address space such as
10.0.0.1 <-> 10.0.0.2 for the segment between the internet router and the
FreeBSD box, correct?).
Of course, as I'm just diving into subnetting, I'm still a little
confused. If I were to divide into 2 subnets, would it be 62 or 126 hosts
per subnet? 62 would be too small, while 126 would be annoying but perhaps
liveable (not to mention a waste, as the perimeter network doesn't need
anywhere near that).
Now, if I could subnet for up to 14 hosts on the perimeter network, and
leave... what, 182? hosts on the internal network... that would be
ideal. But I'm out of my league trying to figure out if such a thing is
possible. Is it? How?
Any advice/insight/nudges-in-the-right-direction appreciated. Thanks a bunch.
-----------------------
Scott I. Remick                              [EMAIL PROTECTED]
Network and Information Systems Manager      (802)388-7545 ext. 236
Computer Alternatives, Inc.                  FAX: (802)388-3697
http://www.computeralt.com
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
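A worked illustration of the subnetting question in the post above, added here by the editor and not part of the original message or the poster's network. Subnets of a Class C do not have to be equal in size: with variable-length subnet masks (VLSM) a /28 (14 usable hosts) for the perimeter and a /25 (126 usable hosts) for the internal network both fit in one /24, with a /26, /27 and /28 left over for later. The block below carves up the space that way, shows why a single 182-host subnet plus a 14-host subnet cannot fit (the next size above 126 hosts is the whole /24), and sketches the zone-based accept/deny decision the triple-homed FreeBSD box would make. 192.0.2.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges standing in for the real Class C and for "the internet"; 10.0.0.0/30 is the private link between the Internet router and the FreeBSD box; the host counts and the FTP/SMTP/HTTP service list are assumptions.

```python
"""VLSM carve-up of a Class C for a screened-subnet firewall, plus the
zone-based accept/deny decision a triple-homed packet filter would make.

Added illustration, not code from the original post. 192.0.2.0/24 and
203.0.113.0/24 are RFC 5737 documentation ranges standing in for the
poster's real Class C and for 'the internet'; host counts and the
published-service list are assumptions."""
import ipaddress

CLASS_C = ipaddress.ip_network("192.0.2.0/24")   # constructed stand-in for the real block
TRANSIT = ipaddress.ip_network("10.0.0.0/30")    # private /30: Internet router <-> FreeBSD box


def prefix_for_hosts(hosts):
    """Smallest prefix length p whose usable host count (2**(32-p) - 2) >= hosts."""
    for plen in range(30, -1, -1):
        if 2 ** (32 - plen) - 2 >= hosts:
            return plen
    raise ValueError("too many hosts for an IPv4 network")


def allocate_vlsm(block, demands):
    """Carve `block` into subnets of unequal size (VLSM).

    demands maps subnet name -> required usable hosts. The largest demand is
    placed first so every subnet lands on a natural boundary; whatever is left
    of each split goes back into the free pool. Returns (allocations, leftover).
    Raises ValueError when the demands cannot all fit in `block`."""
    free = [block]
    allocations = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        plen = prefix_for_hosts(hosts)
        # best fit: the smallest free block that can still hold a /plen
        free.sort(key=lambda n: n.prefixlen, reverse=True)
        for i, cand in enumerate(free):
            if cand.prefixlen <= plen:
                chosen = free.pop(i)
                break
        else:
            raise ValueError(f"no room for {name} (/{plen}) in {block}")
        subnet = next(chosen.subnets(new_prefix=plen))   # leading /plen of the chosen block
        free.extend(chosen.address_exclude(subnet))      # return the remainder to the pool
        allocations[name] = subnet
    return allocations, sorted(free)


def fits(block, demands):
    """True if every demand can be carved out of block."""
    try:
        allocate_vlsm(block, demands)
        return True
    except ValueError:
        return False


def usable_hosts(net):
    """Usable addresses in net (network and broadcast addresses excluded)."""
    return net.num_addresses - 2


def build_zones():
    """The three networks attached to the triple-homed box, from the VLSM carve-up."""
    allocs, _leftover = allocate_vlsm(CLASS_C, {"internal": 126, "perimeter": 14})
    return {"internal": allocs["internal"],
            "perimeter": allocs["perimeter"],
            "transit": TRANSIT}


def zone_of(zones, addr):
    """Name of the zone whose network contains addr, or 'internet' if none does."""
    ip = ipaddress.ip_address(addr)
    for name, net in zones.items():
        if ip in net:
            return name
    return "internet"


# Assumed policy (not taken from the post): the perimeter servers publish FTP,
# SMTP and HTTP; the internal network may originate anything; no new
# connection reaches the internal network, not even from the perimeter.
PERIMETER_SERVICES = {21, 25, 80}


def permitted(zones, src, dst, dport):
    """Accept/deny decision for a new TCP connection src -> dst:dport."""
    s, d = zone_of(zones, src), zone_of(zones, dst)
    if s == "internal":
        return True                          # outbound from the internal network
    if s == "internet" and d == "perimeter":
        return dport in PERIMETER_SERVICES   # published services only
    return False                             # everything else, perimeter -> internal included


if __name__ == "__main__":
    allocs, leftover = allocate_vlsm(CLASS_C, {"internal": 126, "perimeter": 14})
    for name, net in allocs.items():
        print(f"{name:10s} {net}  ({usable_hosts(net)} usable hosts)")
    print("leftover   ", [str(n) for n in leftover])
    print("182 + 14 hosts fit in one /24:", fits(CLASS_C, {"internal": 182, "perimeter": 14}))
```

Running it prints the /25 and /28 with 126 and 14 usable hosts, the leftover /28, /27 and /26 (112 addresses that can be parked for a second perimeter segment later), and `False` for the 182-host request. The `permitted` function is only the zone logic; on the FreeBSD box itself the equivalent rules would be written for the packet filter in use, and return traffic for permitted connections still needs to be allowed separately.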