Oh, wow - I remember this thread. It was weird.

> -----Original Message-----
> From: Dennis Dai [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, 24 February 2001 6:58 
> To: [EMAIL PROTECTED]
> Subject: Dual firewall question (revisited)
> 
> 
> Last October there was a thread talking about dual firewall
> configuration:
> 
> http://www.geocrawler.com/mail/thread.php3?subject=Dual+firewall+question&list=90
> 
> (link may be wrapped)
> 
> The question was how you are going to serve web pages when you have 2
> ISPs and thus 2 firewalls (web server is behind the 2 firewalls). So
> far, the solutions are:
> 
> 1. use ALG on firewall (from mouss)
> 2. put another NAT box in front of the firewall to translate the source
> IP from the client (from Ben)

Both of these solutions are functionally equivalent. The crux of the
solution is that they both result in different IP addresses (per origin ISP)
being presented to the web server, and thus the WWW box can have different
gateways configured to reach each address pool.

Doing it my way, you'd do the INAT thing on your border routers, or on your
firewalls - whichever.

Doing it mouss's way, you just need a reverse proxy (ALG, whatever you want
to call it) on at least one of the firewalls. Note that the FWTK http-gw is
not designed as a reverse proxy, so it might not add much security. I don't
know a decent reverse proxy from a security standpoint, offhand.

Note that the third 'solution' of running two NICs in the WWW box is broken,
as mouss pointed out. I argued at the time, but that's because the Brain
Fairy had obviously replaced my grey matter with walnuts the night before.

> My questions are:
> 
> - For the first solution, will the ALG break SSL server and client
> authentication (via server and client certs)? If not, what ALG is
> suitable for this kind of task? SOCKS4/5, FWTK come to mind.

Uh, no it shouldn't. Anything that proxies SSL should not mess with any of
the payload. It's really just a plug proxy (in FWTK terms).

> - For the second solution, is it possible to combine the NAT and
> firewall box into one (assuming I'm going to use ipfilter in both
> boxes)? My analysis is not likely (without some serious hacking into the
> code, which I'm not really good at). :-(

Should be. I haven't looked to see if ipnat / ipfilter does INAT, but I
would imagine so. If both the WWW box's ip addresses are real (as in the
original problem) you could always cheat and just switch the inside /
outside for NAT purposes.


> Thanks in advance for any input.
> 
> Dennis

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
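The point in Ben's reply, that both solutions work because the WWW box ends up seeing a different source address pool per ISP and can route replies back through the matching gateway, is easy to lose in the abstract. Below is a small Python model of it, added here as an illustration and not code from the thread or from any of the tools mentioned (ipfilter, FWTK). All names, the inside gateway addresses, the per-ISP NAT pools (10.1.0.0/24 and 10.2.0.0/24) and the RFC 5737 client address are assumptions chosen for the example; the pool-selection rule is a stand-in, not how any real INAT implementation allocates addresses. It shows the same client arriving via ISP B with and without source NAT: with it the reply is routed back out through firewall B, without it the reply follows the default route to firewall A, which has no state for the connection and drops it.

```python
"""Model of a web server behind two ISP firewalls (added example, not from
the thread).  Addresses, pool sizes and the pool-selection rule are
assumptions for illustration; 203.0.113.0/24 is an RFC 5737 test range."""
import ipaddress
from dataclasses import dataclass, field

ip = ipaddress.ip_address
net = ipaddress.ip_network


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


@dataclass
class Firewall:
    """Stateful border firewall for one ISP.  With INAT enabled it rewrites
    the client's source address into a per-ISP pool on the way in and undoes
    it on the way out.  A reply for which it holds no state is dropped."""
    name: str
    gateway: ipaddress.IPv4Address            # inside address the WWW box routes to
    pool: ipaddress.IPv4Network               # assumed per-ISP source-NAT pool
    nat: dict = field(default_factory=dict)   # pool address -> real client address
    state: set = field(default_factory=set)   # (client, server) flows seen inbound

    def inbound(self, pkt, inat):
        self.state.add((pkt.src, pkt.dst))
        if not inat:
            return pkt
        # Deterministic pool pick (assumption): client address -> host index.
        idx = 1 + (int(pkt.src) % (self.pool.num_addresses - 2))
        mapped = self.pool.network_address + idx
        self.nat[mapped] = pkt.src
        return Packet(mapped, pkt.dst)

    def outbound(self, pkt):
        """Reverse-translate a reply; None if this firewall has no state."""
        real = self.nat.get(pkt.dst)
        if real is not None:
            pkt = Packet(pkt.src, real)
        if (pkt.dst, pkt.src) not in self.state:
            return None
        return pkt


def lookup(table, dst):
    """Longest-prefix match over a list of (network, gateway) routes."""
    best = None
    for network, gw in table:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw)
    return best[1]


def simulate(client, via, inat):
    """Client `client` reaches the site through ISP `via` ("A" or "B").
    Returns a string describing where the WWW box's reply ends up."""
    fw = {"A": Firewall("A", ip("192.168.0.1"), net("10.1.0.0/24")),
          "B": Firewall("B", ip("192.168.0.2"), net("10.2.0.0/24"))}
    www = ip("192.168.0.10")
    # WWW box routing table: one gateway per NAT pool, default via ISP A.
    routes = [(net("0.0.0.0/0"), fw["A"].gateway),
              (fw["A"].pool, fw["A"].gateway),
              (fw["B"].pool, fw["B"].gateway)]

    request = fw[via].inbound(Packet(ip(client), www), inat)
    reply = Packet(www, request.src)
    egress_fw = next(f for f in fw.values() if f.gateway == lookup(routes, reply.dst))
    delivered = egress_fw.outbound(reply)
    if delivered is None:
        return f"dropped by firewall {egress_fw.name}: no state for reply"
    return f"delivered to {delivered.dst} via firewall {egress_fw.name}"


if __name__ == "__main__":
    for inat in (False, True):
        for via in ("A", "B"):
            print(f"INAT={inat!s:5} via ISP {via}: {simulate('203.0.113.5', via, inat)}")
```

Without INAT the model only works for traffic that arrived through the default-route ISP, which is the asymmetric-routing problem the thread is working around; with INAT both paths deliver, because the reply's destination address alone tells the WWW box which gateway to use.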
