From: "Minh Van Le" <[EMAIL PROTECTED]> > This the topology I have in mind for my network. (Maybe minus Firewall 3 and > Firwall 4). Is there something wrong with it ? >
Should I design efficient and optimum security I start by defining what I want to achieve with my security. I may do this with a check-list. My sample check-list looks like as follows: 1. My 'LAN': 1.1.Do I want all my LAN users to accesss out into the Internet ? 1.2 Do I want only some LAN users to access out into the Internet ? 1.3 Do I want none of LAN users to access out into the Internet ? 1.4 Do I want all of the Internet users to access your LAN ? 1.5 Do I want only some of the Internet users to access your LAN ? 1.6 Do I want none of the Internet users to access your LAN ? 2. My 'MAIL' ...... 3. My 'FTP' ..... 4. My 'WWW' ..... Of course, my check-list may be expanded to cope with various exceptions and all sorts of special cases. The simplicity of the design depends on what I want to achieve. In its simplest form, I probably want all my users to access all of the Internet Services outside my network, but no one from outside to access my Services(mail, ftp, www) and my network. In this case, I will have only one 'Firewall' between my network and the Internet. The other extreme side is allow all my users to access all of the Internet and allow all of the Internet users to access all of my network. This one is extremely difficult and there is no simple solution. Then, there is this in-between depending on the check-list that I mentioned. The resulting topology will vary and there is no single best topology but there is an optimum topology. To evaluate what is optimum is to have a reporting system with my 'Firewall', like, number of accesses, what services were accessed, what domains were accessed, where from the access were made, date and time of access, file sizes of ftps, etc. This means my Firewall must have software to record these activities. I would used FWTK firewall toolkit if I wish to assemble my own and because it is available at no cost from the internet. It is somewhat a challenge to assemble this toolkit. Perhaps I may write or rewrite a bit of the modules here and there to suit my purpose. It is written in c-language. As usual there are a number of contributions to this toolkit. Of course there are several commercial firewall software in the market if I do not wish to go through the hassle myself. > +-----------------+ > | I N T E R N E T | > +-----------------+ > | > +--------------------------+ > | ADSL Router / Firewall 1 | > +--------------------------+ > | > +--------------------------+ > | Firewall 2 | > +--------------------------+ > | | > +-------+ +--------+ > | | > +------------+ +------------+ > | Firewall 3 | | Firewall 4 | > +------------+ +------------+ > | | > --------------- --------------- > / Eth Switch 1 / / Eth Switch 2 / > --------------- --------------- > | | | | > | | | +-----------------------+ > | | +---------------------------+ | > | +-----------+ | | > | | | | > +------------+ +------------+ +--------------+ +-----+ > | FTP Server | | WEB Server | | Email Server | | LAN | > +------------+ +------------+ +--------------+ +-----+ > -- SLUG - Sydney Linux User's Group - http://slug.org.au/ More Info: http://lists.slug.org.au/listinfo/slug
