Firewall Wizards mailing list archives
RE: Maximum number of subnets on a firewall
From: Paolo Supino <paolo () telmap com>
Date: Fri, 20 Feb 2004 15:27:21 +0200
Hi Mark,

Indeed network connectivity from any subnet to any subnet is on a need basis. Everything is blocked even if it's not needed or there isn't anything trying to create a connection from anywhere to anywhere. The management segment is considered a weak link and to avoid exploiting it all devices on that segment do not have a default gateway and the only access to it is to open a VPN connection to it. The VPN access is only possible from the company's LANs and I think I will restrict it further. The IT department is shared and thus makes life easier (

The other weak segment is the inet DMZ. Only existing servers are open. Maintenance is only possible when opening a VPN connection to the segment.

Paolo

-----Original Message-----
From: Mark Tinberg [mailto:mtinberg () securepipe com]
Sent: Tuesday, February 17, 2004 19:10 PM
To: Paolo Supino
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Maximum number of subnets on a firewall

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 12 Feb 2004, Paolo Supino wrote:
> A couple of weeks ago I sent an email about a possible firewall layout for 3 companies. After reading the answers and doing some drawings in Visio (if anyone has a better tool, please let me know) I set up the firewall in the following way.
> Let me know if this is incorrect:
>
>              |- Company A
>              |- Company B
>              |- Company C
> -- Router -- Firewall
>              |- DMZ
>              |- DMZ A
>              |- DMZ B
>              |- DMZ C
>              |- WiFi
>              |- Management

Looks like you did pretty well within the constraints you were given. Now that you've segmented the network into separate parts you need to worry about the security policy for each segment and how it relates to each other segment. For the most part there should not be any relationship: Company A doesn't talk to Company B, the DMZs don't have any traffic allowed to any other segment (including outbound), and no segment has unrestricted traffic to any other segment (this includes inside -> dmz or inside -> outside). Default deny all ruleset, add things in as you come across them.

The management network, depending on how much stuff it's connected to, could be a weak link. If the equipment in the DMZs and each company's internal networks is dual-homed to the management subnet, then you've given up many of the security benefits, as malicious traffic won't have to traverse the firewall to get where it's going. As someone else said, it's like putting a post up in a field and hoping your attacker runs into it. This might be good enough for virus or worm traffic, but even some wet-nosed kid can probably figure out that the machines are dual-homed and have their way with them.

Anyway, after you've figured this all out, and how you're going to handle logs from the firewall, then you can start worrying about building up IDS units for these segments so you can monitor the traffic that you are allowing. 8^) The fun never ends!

-- 
Mark Tinberg <MTinberg () securepipe com>
Network Security Engineer, SecurePipe Inc.
New Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQFAMkrvFu7F5OUjbGcRAq5vAKDBp77ue1Q8lKZ3r8RJOLch4gitUQCgrRkA
wQtQfzmULDgKlS4/aZTfIvo=
=y/vZ
-----END PGP SIGNATURE-----

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
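The default-deny, segment-by-segment policy Mark describes (no company-to-company traffic, nothing out of the DMZs, nothing unrestricted from inside, a management leg reached only through a VPN endpoint) modelled as an explicit allow-list, with a checker for candidate flows and an nftables rendering of the same list. This is an added example written for this archive page, not code from either poster or from the list; the /24 subnets per firewall leg, the interface name "eth0" for the router/outside leg, the specific allowed flows (each company to its own DMZ on 443, web browsing for Company A, an inbound mail relay in the shared DMZ, a VPN endpoint in the management leg on UDP 1194) and the table name "segpol" are all assumptions chosen for illustration.

```python
"""Model of the default-deny, segment-to-segment policy discussed in the thread.

Added example, not code from the original posts. The subnets, the interface
name "eth0" for the outside/router leg, the allowed flows and the nftables
table name are all assumptions chosen for illustration.
"""
import ipaddress

OUTSIDE = "outside"   # anything not in a firewall leg: reached through the router

# Assumed addressing: one /24 per firewall leg in Paolo's diagram.
SEGMENTS = {
    "company_a": ipaddress.ip_network("10.1.0.0/24"),
    "company_b": ipaddress.ip_network("10.2.0.0/24"),
    "company_c": ipaddress.ip_network("10.3.0.0/24"),
    "dmz":       ipaddress.ip_network("10.10.0.0/24"),
    "dmz_a":     ipaddress.ip_network("10.11.0.0/24"),
    "dmz_b":     ipaddress.ip_network("10.12.0.0/24"),
    "dmz_c":     ipaddress.ip_network("10.13.0.0/24"),
    "wifi":      ipaddress.ip_network("10.20.0.0/24"),
    "mgmt":      ipaddress.ip_network("10.99.0.0/24"),
}

# The whole allow-list: (src segment, dst segment, proto, dport). Assumed flows.
# Anything not listed is dropped. Company-to-company, DMZ-to-anything
# (including outbound) and unrestricted inside->outside never appear here.
ALLOWED = [
    ("company_a", "dmz_a", "tcp", 443),   # each company reaches only its own DMZ
    ("company_b", "dmz_b", "tcp", 443),
    ("company_c", "dmz_c", "tcp", 443),
    ("company_a", OUTSIDE, "tcp", 80),    # web browsing only, not "inside -> outside"
    ("company_a", OUTSIDE, "tcp", 443),
    (OUTSIDE, "dmz", "tcp", 25),          # assumed shared inbound mail relay
    ("company_a", "mgmt", "udp", 1194),   # assumed VPN endpoint in the management leg
]


def segment_of(ip):
    """Map an address to the firewall leg it lives on, or OUTSIDE."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return OUTSIDE


def is_allowed(src_ip, dst_ip, proto, dport):
    """Would the firewall forward the first packet of this flow? Default deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        # Same leg: the packet never reaches the firewall, so there is nothing
        # to enforce. This is exactly why a dual-homed host is a bypass.
        return True
    return any(
        (s, d, p, port) == (src, dst, proto, dport) for s, d, p, port in ALLOWED
    )


def _match(seg, direction):
    """nft match for one side of a flow: address for a leg, interface for outside."""
    if seg == OUTSIDE:
        return 'iifname "eth0"' if direction == "saddr" else 'oifname "eth0"'
    return f"ip {direction} {SEGMENTS[seg]}"


def nft_ruleset(table="segpol"):
    """Render ALLOWED as an nftables forward chain whose policy is drop."""
    lines = [
        f"table inet {table} {{",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",   # replies to allowed flows
        "    ct state invalid drop",
    ]
    for s, d, p, port in ALLOWED:
        lines.append(f"    {_match(s, 'saddr')} {_match(d, 'daddr')} {p} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset())
```

The rendered ruleset covers only forwarded traffic; what the firewall accepts for itself (its input chain) and what the VPN concentrator in the management leg does after the tunnel is up are separate policies. Because the allow-list is the single source of truth, "add things in as you come across them" means adding a tuple to ALLOWED, re-running the checker against the flows you expect to be blocked, and then loading the output with `nft -f`.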
Current thread:
- Re: Maximum number of subnets on a firewall Mikael Olsson (Jan 31)
- <Possible follow-ups>
- Re: Maximum number of subnets on a firewall Holger Kipp (Jan 31)
- RE: Maximum number of subnets on a firewall Bill James (Jan 31)
- Maximum number of subnets on a firewall Paolo Supino (Feb 16)
- Re: Maximum number of subnets on a firewall Mark Tinberg (Feb 20)
- RE: Maximum number of subnets on a firewall Paolo Supino (Feb 21)