Firewall Wizards mailing list archives

RE: Maximum number of subnets on a firewall


From: Paolo Supino <paolo () telmap com>
Date: Fri, 20 Feb 2004 15:27:21 +0200

Hi Mark 

   Indeed, network connectivity from any subnet to any subnet is on a need
basis. Everything is blocked even if it's not needed or there isn't anything
trying to create a connection from anywhere to anywhere. The management
segment is considered a weak link and to avoid exploiting it all devices on
that segment do not have a default gateway and the only access to it is to
open a VPN connection to it. The VPN access is only possible from the
company's LANs and I think I will restrict it further. The IT department is
shared and thus makes life easier. The other weak segment is the inet DMZ.
Only existing servers are open; maintenance is only possible when opening a
VPN connection to the segment.

        Paolo 

-----Original Message-----
From: Mark Tinberg [mailto:mtinberg () securepipe com] 
Sent: Tuesday, February 17, 2004 19:10 PM
To: Paolo Supino
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Maximum number of subnets on a firewall


On Thu, 12 Feb 2004, Paolo Supino wrote:

  A couple of weeks ago I sent an email about a possible firewall 
layout for 3 companies. After reading the answers and doing some 
drawings in Visio (if anyone has a better tool, please let me know) 
I set up the firewall in the following way

Let me know if this is incorrect

                         |- Company A
                         |- Company B
                         |- Company C
  -- Router  -- Firewall |- DMZ
                         |- DMZ A
                         |- DMZ B
                         |- DMZ C
                         |- WiFi
                         |- Management

Looks like you did pretty well within the constraints you were given.  Now
that you've segmented the network into separate parts you need to worry
about the security policy for each segment and how it relates to each other
segment.  For the most part there should not be any relationship, Company A
doesn't talk to Company B, the DMZs don't have any traffic allowed to any
other segment (including outbound) and no segment has unrestricted traffic
to any other segment (this includes inside -> dmz or inside -> outside ).

Default deny all ruleset, add things in as you come across them.

The management network, depending on how much stuff it's connected to, could
be a weak link.  If the equipment in the DMZs, and each company's internal
network, is dual-homed to the management subnet, then you've given up many
of the security benefits as malicious traffic won't have to traverse the
firewall to get where it's going.  As someone else said, it's like putting a
post up in a field and hoping your attacker runs into it. This might be good
enough for virus or worm traffic, but even some wet-nosed kid can probably
figure out that the machines are dual-homed and have their way with them.

Anyway, after you've figured this all out, and how you're going to handle
logs from the firewall then you can start worrying about building up IDS
units for these segments so you can monitor the traffic that you are
allowing. 8^)  The fun never ends!

- -- 
Mark Tinberg <MTinberg () securepipe com>
Network Security Engineer, SecurePipe Inc.
New Key fingerprint = FAEF 15E4 FEB3 08E8 66D5  A1A1 16EE C5E4 E523 6C67
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
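Mark's policy for the nine-leg layout (default deny, no company-to-company traffic, DMZs initiating nothing, no any-port rules between segments) as an added example that is not part of the thread: a small Python model that evaluates flows against explicit allow rules and audits a ruleset for those violations. The segment prefixes and the sample rules are constructed; only the segment names come from the diagram.

```python
"""Default-deny policy model for the segmented layout discussed in the thread.

Added example. The prefixes below are constructed RFC 1918 picks, not the
poster's real addressing; the segment names follow the diagram.
"""
import ipaddress
from collections import namedtuple

# Constructed addressing for the nine firewall legs plus the outside.
SEGMENTS = {
    "outside":    ipaddress.ip_network("0.0.0.0/0"),
    "company_a":  ipaddress.ip_network("10.1.0.0/16"),
    "company_b":  ipaddress.ip_network("10.2.0.0/16"),
    "company_c":  ipaddress.ip_network("10.3.0.0/16"),
    "dmz":        ipaddress.ip_network("192.168.0.0/24"),
    "dmz_a":      ipaddress.ip_network("192.168.1.0/24"),
    "dmz_b":      ipaddress.ip_network("192.168.2.0/24"),
    "dmz_c":      ipaddress.ip_network("192.168.3.0/24"),
    "wifi":       ipaddress.ip_network("172.16.0.0/24"),
    "management": ipaddress.ip_network("172.16.99.0/24"),
}
COMPANIES = {"company_a", "company_b", "company_c"}
DMZS = {"dmz", "dmz_a", "dmz_b", "dmz_c"}

Rule = namedtuple("Rule", "src dst proto dport")  # dport None means any port

def segment_of(addr):
    """Longest-prefix match of an address to a segment name ("outside" is the catch-all)."""
    ip = ipaddress.ip_address(addr)
    return max((n for n in SEGMENTS if ip in SEGMENTS[n]),
               key=lambda n: SEGMENTS[n].prefixlen)

def permitted(rules, src, dst, proto, dport):
    """Default deny: a flow passes only if some explicit allow rule matches it."""
    s, d = segment_of(src), segment_of(dst)
    return any(r.src == s and r.dst == d and r.proto == proto
               and r.dport in (None, dport) for r in rules)

def audit(rules):
    """Return (rule, reason) pairs that violate the segmentation policy from the thread."""
    findings = []
    for r in rules:
        if r.src in COMPANIES and r.dst in COMPANIES and r.src != r.dst:
            findings.append((r, "company-to-company traffic"))
        if r.src in DMZS and r.dst != r.src:
            findings.append((r, "DMZ-initiated traffic to another segment (incl. outbound)"))
        if r.dport is None and r.src != r.dst:
            findings.append((r, "unrestricted any-port rule between segments"))
    return findings

# Constructed sample ruleset: the first three are fine, the last three are not.
RULES = [
    Rule("company_a", "dmz_a", "tcp", 443),
    Rule("outside", "dmz", "tcp", 443),
    Rule("company_b", "outside", "tcp", 443),
    Rule("company_a", "company_b", "tcp", 445),
    Rule("dmz_b", "company_b", "tcp", 1433),
    Rule("company_c", "dmz_c", "tcp", None),
]
```

Running `audit(RULES)` against a ruleset exported from the firewall is the kind of check to repeat each time a rule is "added as you come across it".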

