> -----Original Message-----
> From: nico steenkiste [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 7 March 2001 7:54
> To: [EMAIL PROTECTED]
> Subject: firewall architecture
>
>
> Hi,
>
> Currently we are planning to implement a dual firewall setup (dual, in my
> case meaning two firewalls which are connected to each other, not two
> load-balanced FWs + 2x Internet access) with a DMZ to secure our network
> and make DMZ servers available to the outside world (as well as to
> internal users!).
Uh, OK. It's not normal to do that. Most people tend to use locked-down
servers to present to the outside world and have different boxes for their
internal servers.
> But there isn't much information available on how to set up such a
> configuration.
Depends on where you look, I guess. ;)
> We had the following setup in mind:
> * Internet
> * FW1 interfaces:
>     ext      212.212.212.212/24 (NAT enabled)
>     optional 10.10.10.10/24 (DMZ)
>     internal 10.10.20.10/24
> * DMZ 10.10.10.0/24
> * FW2 interfaces:
>     ext      10.10.20.11/24 (No NAT)
>     optional 10.10.10.11/24 (DMZ)
>     int      10.10.20.11/24
> * LAN 10.10.20.0/24
OK, that's pretty badly broken. The internal/external addresses for FW2 are
identical, for a start, which is never good.
Try these two templates:

Classic "screened subnet"

  NET
   |
  ROUTER (with packet filters)
   |
  FW1 (out) 212.212.212.212 - DO NAT HERE
  FW1 (in)  10.10.10.254/24
   |
  DMZ - SERVERS GO IN HERE
   |
  FW2 (out) 10.10.10.1/24
  FW2 (in)  10.10.20.254/24
   |
  LAN (Trusted net) 10.10.20.0/24

E-commerce hybrid

  NET
   |
  ROUTER (with packet filters)
   |
  FW1 (out) 212.212.212.212 - DO NAT HERE
  FW1 (in)  10.10.10.254/24
   |
  DMZ - PUBLIC SERVERS GO IN HERE
   |
  FW2 (out)    10.10.10.1/24
  FW2 (middle) 10.10.20.254/24
   |
  SERVICE DMZ (10.10.20.0/24) - backend servers for public servers, may also
  be accessed by trusted LAN.
   |
  FW2 (in)     10.10.30.254/24
   |
  LAN (Trusted net) 10.10.30.0/24
NET
[...]
> Q1: Is the DMZ secure or do we have to install 2 NICs in all DMZ servers
> and create different networks to connect to each FW?
Uh, I don't think your schema would work at all, so this is hard to answer.
> Q2: Or is it more secure to only connect FW1 to the DMZ and force all
> internal traffic towards the DMZ servers to use FW2 and then FW1 to
> connect. (too slow?)
Don't understand this question, sorry.
> Q3: Do we have to implement NAT in FW2 for security purposes and maybe
> use Internet IP addresses for both firewalls?
I'd NAT as shown, but if you're planning on doing VPN stuff then you might
want to move the NAT border onto the inside FW.
> Any resources and comments on this subject are welcome.
>
> Regards,
>
> Nico
Grab a copy of "Building Internet Firewalls" or something - it goes into
quite a lot of detail. I don't want to sound arrogant or anything, but I'd
also suggest that you get more comfortable with basic routing on
multi-interface devices as well.
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
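An added example, not part of the thread above: a short Python check that applies the objections in the reply mechanically to an address plan. It encodes Nico's proposed addresses and Ben's classic screened-subnet template as interface lists and tests three things: no firewall has two interfaces with the same address or in the same subnet; each hop on the intended path (FW1, DMZ, FW2, LAN) shares a subnet with the next; and each segment is touched only by the firewalls adjacent to it on that path. The third check is an inference from the addresses in the thread (FW1's internal 10.10.20.10/24 lies in the LAN 10.10.20.0/24, so FW1 sits on the LAN segment as well as FW2); the /24 on FW1's outside address in Ben's template is assumed, since he gives none. Segments are modelled as pseudo-devices whose one "interface" is the network address; that modelling is this example's, not anything from the thread.

```python
import ipaddress
from collections import defaultdict

# Each entry is (device, interface, address/prefix). Network segments (DMZ,
# LAN) are modelled as pseudo-devices whose one "interface" is the network
# address itself. All addresses are the ones quoted in the thread.
NICO_PLAN = [
    ("FW1", "ext", "212.212.212.212/24"),
    ("FW1", "optional", "10.10.10.10/24"),
    ("FW1", "internal", "10.10.20.10/24"),
    ("DMZ", "net", "10.10.10.0/24"),
    ("FW2", "ext", "10.10.20.11/24"),
    ("FW2", "optional", "10.10.10.11/24"),
    ("FW2", "int", "10.10.20.11/24"),
    ("LAN", "net", "10.10.20.0/24"),
]

# Ben's classic screened subnet. He gives no prefix on FW1's outside address;
# the /24 is assumed here, carried over from Nico's plan.
SCREENED_SUBNET = [
    ("FW1", "out", "212.212.212.212/24"),
    ("FW1", "in", "10.10.10.254/24"),
    ("DMZ", "net", "10.10.10.0/24"),
    ("FW2", "out", "10.10.10.1/24"),
    ("FW2", "in", "10.10.20.254/24"),
    ("LAN", "net", "10.10.20.0/24"),
]

# The path traffic is meant to take, outside to inside, and which of those
# hops are segments rather than firewalls.
PATH = ["FW1", "DMZ", "FW2", "LAN"]
SEGMENTS = {"DMZ", "LAN"}


def check_plan(interfaces, path, segments):
    """Return a list of problems found in the address plan (empty = passes)."""
    problems = []
    by_device = defaultdict(list)
    for dev, name, cidr in interfaces:
        by_device[dev].append((name, ipaddress.ip_interface(cidr)))

    def nets(dev):
        return {iface.network for _, iface in by_device[dev]}

    # Check 1: one device with two interfaces on the same address (the FW2
    # fault pointed out in the reply) or in the same subnet (a box cannot
    # route between two legs that are one broadcast domain).
    for dev, ifs in by_device.items():
        for i, (n1, a) in enumerate(ifs):
            for n2, b in ifs[i + 1:]:
                if a.ip == b.ip:
                    problems.append(f"{dev}: {n1} and {n2} share address {a.ip}")
                elif a.network.overlaps(b.network):
                    problems.append(f"{dev}: {n1} and {n2} both sit in {a.network}")

    # Check 2: consecutive hops on the path must share a subnet, or traffic
    # has no way to get from one to the next.
    for here, nxt in zip(path, path[1:]):
        if not nets(here) & nets(nxt):
            problems.append(f"{here} and {nxt} share no subnet; nothing can be routed between them")

    # Check 3: a segment may be touched only by its neighbours on the path.
    # Any other device with a leg on that segment reaches it without passing
    # the firewall that is supposed to stand in front of it.
    for seg in segments:
        i = path.index(seg)
        allowed = set(path[max(i - 1, 0):i] + path[i + 1:i + 2])
        for dev in by_device:
            if dev in segments or dev in allowed:
                continue
            if nets(dev) & nets(seg):
                problems.append(f"{dev} has an interface on {seg} but is not adjacent to it "
                                f"on the path; it bypasses {', '.join(sorted(allowed))}")
    return problems


if __name__ == "__main__":
    for label, plan in (("Nico's plan", NICO_PLAN), ("screened subnet", SCREENED_SUBNET)):
        found = check_plan(plan, PATH, SEGMENTS)
        print(f"{label}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for p in found:
            print("  -", p)
```

Run as a script, it reports two problems for Nico's plan (FW2's ext and int share 10.10.20.11, and FW1 has a leg on the LAN segment and so bypasses FW2) and none for the screened-subnet template. The same list-of-interfaces form can be filled in for any multi-firewall design before a single rule is written; the checks are cheap and catch exactly the class of mistake that a second firewall is supposed to make impossible.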
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]