I've been looking over the LEAF distros for a candidate to build a set
of border firewall/routers. They are to replace existing devices built
with PC hardware and commercial DOS-based firewall software.

I have several questions. Here are a few to start:

1. Given the details below, which distro would be most appropriate?
2. Given the firewall/routing requirements, which dynamic routing
protocols would be recommended?
3. Suggestions on configuring IPSEC VPNs over the untrusted networks?

I have given an outline of the project below. This is a fictitious
network, but representative of the real project. Details of
infrastructure have been obfuscated, but the outline describes project
parameters.

Please let me know if I've left out anything.

Thanks!

--Cal Webster



There are 4 devices, one in each building at our site. Two of the new
firewalls will run on the older hardware, while the other two will run
on recently purchased hardware stored in DiskOnChip. Eventually, I want
to replace all older platforms with newer machines and run them from
DiskOnChip or straight Flash memory. I have some 40 GB hard drives
installed in the new machines on which I plan to build the custom
kernels and setup the services for testing.

Old Hardware Platform:

Generic Desktop Chassis
    AMD K6-2 336 MHz CPU
    1MB cache
    128 MB RAM
    2 GB HDD
    1.44 FDD
4 3c905 NICs

New Hardware Platform:

Cyber Research 2U rack-mount passive backplane chassis
CPTD CEL/COP-850 All-In-One Single Board Computer
    PIII 850 MHz
    100 MHz front side bus
    Intel 82558 10/100-TX (integrated)
    768 MB RAM
    256 MB DiskOnChip
    1.44 FDD
    USB
4 3C905-TX NICs

I began building one new machine with RedHat Linux 8 but had to put the
project on hold after finally getting the drivers to work with
DiskOnChip.



Here is a summary of the functionality required:

Firewall: 
    stateful packet inspection
    NAT/PAT
    IPSEC Auth
    IPSEC VPN tunneling
Router:
    BGP
    RIP
Logging to external syslog server
https/ssh configuration/management tool
Port Knocking to trigger remote vpn/ssh access
Optional user authentication to access Internet
Block outbound traffic by IP, subnet, user, port
Block all inbound traffic from untrusted networks except that which is
initiated from inside
Allow all traffic between trusted networks.
Fastest available link should be chosen when redundant paths exist.


Here is a sketch of the network:

DSL = 500 Kbps ADSL Link
RF1 = 100 Mbps RF Wireless direct point-to-point link
RF2 = 1.5 Mbps RF Wireless direct point-to-point link
ISP = 2 Mbps Cable ISP
PLANn = Fast Ethernet Private LANs within buildings at site.

       [PLAN2]                                     [PLAN2] [Remote User]
          |                                           |         |
[PLAN1]   |                                   [PLAN1] |         |
   |      |                                      |    |     [Internet]
   |      |                                      |    |         |
Building A                                   Building B        |
[Firewall 1]<-------------[RF1]------------->[Firewall 2]<--->[ISP]
    ^      \                                /     ^
    \       \                              /      /
     \     [DSL]                        [DSL]    /
      \       \                          /      / 
       \       \       [Internet]       /      /
        \       \          |           /      /
         \       \         |          /      /
          \       \        |         /      /
           \       \       |        /      /
          [RF1]     \      |       /    [RF1]
             \       [Corp Network]      /
              \            ^            /
               \           |           /
                \          |          /
                 \       [DSL]       /
                  \        |        /
                   \       |       /
                    \      |      /
                       Building C 
                      [Firewall 3]---[PLAN1]
                            ^    \
                            |     \--[PLAN2]
                            |
                          [RF2]
                            |
                            |
                        Building D 
                       [Firewall 4]
                        |        |
                        |        |
                     [PLAN1]     |
                                 |
                              [PLAN2]


Notes:

1. There are 2 Internet connections, a wideband cable ISP connection
(bldg B) and a slower, more problematic DSL connection (bldgs A, B, and
C) through the corporate intranet.
2. All RF links use VPN tunneling directly to private LANs.
3. The 3rd high-speed RF link is redundant (not yet installed).
4. DSL links function as backup VPN tunnels between building PLANs.
5. All PLANs must have routes to all other PLANs.
6. Only PLANs and VPNs are trusted networks - all others are "external",
untrusted connections.
7. No external ports are open on any firewalls - only VPN tunnels.
8. No routes will be advertised on external ports.
9. All PLANs must have routes to the Internet (bldg B).

Port Configurations:

Firewall 1
[PLAN1] Static, non-routable IP Addr - Local Private Network
[PLAN2] Static, non-routable IP Addr - Local Private Network
[DSL  ] Static, non-routable IP Addr - Link to Corp intranet, through to
Internet
[RF1  ] Static, non-routable IP Addr - VPN links to Bldgs B and C

Firewall 2
[PLAN1] Static, non-routable IP Addr - Local Private Network
[PLAN2] Static, non-routable IP Addr - Local Private Network
[ISP  ] Static, publicly routable IP Addr - Internet Link
[DSL  ] Static, non-routable IP Addr - Link to Corp intranet, through to
Internet
[RF1  ] Static, non-routable IP Addr - VPN links to Bldgs A and C

Firewall 3
[PLAN1] Static, non-routable IP Addr - Local Private Network
[PLAN2] Static, non-routable IP Addr - Local Private Network
[DSL  ] Static, non-routable IP Addr - Link to Corp intranet, through to
Internet
[RF1  ] Static, non-routable IP Addr - VPN links to Bldgs A and B

Firewall 4
[PLAN1] Static, non-routable IP Addr - Local Private Network
[PLAN2] Static, non-routable IP Addr - Local Private Network
[RF2  ] Static, non-routable IP Addr - VPN link to Bldg C
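As an added example, not part of the original post or of any LEAF package: a shell script that turns the requirement list and the zone assignments above into an iptables rule set for the box with the ISP uplink (Firewall 2). The interface names, the ipsec0 tunnel interface and the blocked subnet are assumptions; the script only emits the rules so they can be reviewed before being piped to sh on the box.

```shell
#!/bin/sh
# Added example (not code from the original post or from LEAF/Shorewall).
# Emits, rather than applies, an iptables rule set for the post's Firewall 2,
# the box with the ISP uplink. Interface names and the blocked subnet are
# assumptions; on the box you would pipe the output to sh.

TRUSTED="eth0 eth1 ipsec0"   # PLAN1, PLAN2, FreeS/WAN tunnel endpoint
UNTRUSTED="eth2 eth3 eth4"   # ISP, DSL, RF1: carry VPN tunnels only
WAN="eth2"                   # only the ISP port is masqueraded

emit() { printf '%s\n' "$*"; }

# Base policy: default deny, stateful return traffic, trusted may go anywhere.
gen_rules() {
    emit "iptables -P INPUT DROP"
    emit "iptables -P FORWARD DROP"
    emit "iptables -P OUTPUT ACCEPT"
    emit "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections initiated from inside are let back in.
    emit "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    emit "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for in_if in $TRUSTED; do
        emit "iptables -A INPUT -i $in_if -j ACCEPT"
        for out_if in $TRUSTED $UNTRUSTED; do
            [ "$in_if" = "$out_if" ] ||
                emit "iptables -A FORWARD -i $in_if -o $out_if -j ACCEPT"
        done
    done
    # Untrusted ports accept only IKE and ESP for the tunnels; any other new
    # connection is logged (klogd/syslogd forward it to the syslog host) and
    # falls through to the DROP policy.
    for in_if in $UNTRUSTED; do
        emit "iptables -A INPUT -i $in_if -p udp --dport 500 -j ACCEPT"
        emit "iptables -A INPUT -i $in_if -p esp -j ACCEPT"
        emit "iptables -A INPUT -i $in_if -m state --state NEW -j LOG --log-prefix 'FW-DROP: '"
    done
    emit "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
}

# Outbound block by source subnet and destination port, inserted at the top
# of FORWARD so it wins over the accept rules.  Usage: block_out CIDR PORT
block_out() {
    emit "iptables -I FORWARD 1 -s $1 -o $WAN -p tcp --dport $2 -j DROP"
}

gen_rules
block_out 192.168.2.0/24 25   # constructed: PLAN2 hosts may not send SMTP directly
```

Per-user blocking and the port-knock trigger from the requirement list are not covered here; those need an authenticating proxy and a knock daemon in front of these rules.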