Martyn Hill wrote:
Martyn Hill wrote:
Do I use ifconfig to alias the one internal NIC in the present gateway
to create virtual sub-nets?
Bill Moran wrote:
That would be the method I would suggest, however without more details of
your network it's kind of hard to be sure it's the best method. What you
could do is:
ADSL router
|
FreeBSD BOX
|
switch
/ | \
/ | \
/|\
hub1 hub2 hub3
/ | \
subnet1 subnet2 subnet3
The switch will keep traffic from subnet1 off subnet2 & subnet3 (and vise
versa) The freeBSD box has 2 nics, one to the ADSL, the other to the switch.
The NIC to the switch has an IP for each subnet and IPFW rules for each IP.
If the IPFW rules are identical for each subnet, you'll be able to
consolidate them a good bit.
Thank you very much for your ideas and time, Bill.
You mention the use of hub1, 2 etc. Can I assume that some small switches
(we use a few netgear 5 and 8 port switches around the building already)
would do the job, given that the other departments amount to a handful of
workstations each?
Sure. Using hubs is (dare I say it) the canonical way. But with switch
prices as cheap as they are, there really isn't any reason to not use
switches.
Which one is really best depends a lot on details that you haven't
yet provided. Like, what traffic _exactly_ do you want to prevent from
crossing subnets? SMB browse announcements won't cross subnets, for example
(they'll get stopped at the switch) but cross-network browsing is still
possible by IP address (or if you use WINS). What this means (from a Windows
perspective) is that Windows machines on subnet1 won't see Windows machines
on subnet2 in their network neighborhood, but they will be able to access
them if the user knows the IP address of the machine he wants to connect
to. So it depends on whether you want to offer _real_ security or just
obscurity. (this is dependent on using the method I diagramed above, other
methods offer different levels of security/obscurity)
We do use WINS (via Samba-TNG) for our own curriculum/admin network, but the
other departments are supposed to contain themselves to their own
workgroups.
The WINS configuration will determine who can see what then. You can set up
WINS servers that don't know anything about one another, and they will not
cross-propogate browse lists. Or you can coordinate so they all see all
computers, it's pretty much up to you.
Obscurity would provide sufficient protection for (from?) most, if not all,
of our user base - I'm not aware of any potential hackers amoungst the
school population, (if I found one, I'll be proud, as I'm the one who
teaches the pupils IT!)
I like that: "Protection from user base" I'll start saying that and see if
people pick up on it!
My concerns over security are three fold:
Access to SMB fileshares and printers (especially from some newly introduced
Windows XP clients, which seem intent on discovering everything on the
network and adding it to their own browse lists...)
Sure, they're trying to automagically do everything for you.
You should be able to use WINS/DNS to control what they do and don't see.
Keep in mind that WinXP is migrating away from WINS to DNS, so you may have
to build your own DNS servers and configure them carefully to keep things
sane. So far, however, I've still been able to control things with WINS.
The ability of a virus outbreak to spread rampantly throughout the whole
site.
Well, I doubt such a configuration will give you too much power to stop that,
but at least they won't be able to arbitrarily connect to shares on another
subnet to propogate.
The limiting of adverse network 'noise' from one department affecting the
bandwidth for others, (not really a security issue.)
The switch will handle most of that issue. and if you wire things up all
with switches, it will handle it even better.
I appreciate the vaugeness of the information, I guess I'm not sure what
traffic I _should_ be filtering out. Any ideas?
It seems to be different for every network. Broadcast traffic is one of
the most annoying, and a good switch won't pass it from one subnet to
another (and the better ones are configurable as to whether they pass it
or not) Before you trust in that statement, however, verify the behaviour
of the specific switch that you're using.
If you choose the solution where you put a different NIC in the FreeBSD
box for each subnet, you'll definately be blocking broadcast traffic, and
you'll have the option to configure IPFW to block anything else you want.
The downfall is: depending on how many subnets you have, PC hardware isn't
really designed to have a lot of NICs plugged in, performance may suffer.
If you want to have everything controlled through FreeBSD, you may want
to have more than one firewall box. At least your ADSL router ha
