Re: firewall on the same segment

["Dana Epp" <dana () vulscan com>]

Hey Fernando,

I am not sure if I understand your question correctly or not, but I will
give it a try.

Your firewall sounds like it is configured with NAT or at a minimum NAPT
(MASQ). Because of this, your firewall at 192.168.100.1 translates the
internal 192.168.100 class C into a single external (real world) IP address
for the Internet. As such, it is easy to firewall external data because it
is routed THROUGH the firewall.

When you are accessing resources from behind the firewall, you don't go
through it for local traffic and as such, it will do nothing to filter the
packets.

If you want to filter the internal packets you will need to make some
network modifications or at a minimum, install a host based firewall on the
machines you wish to protect. (Which is a good idea anyways via a defense in
depth posture)

A few different scenerios/suggestions would be to:

1) Install a host based firewall on the server at 192.168.100.3 (Should do
this anyways)
2) Move the server to a secondary subnet (DMZ) hung off the firewall on a
3rd nic, and then do creative routing to force the network through the
firewall
3) Install a transparent bridging firewall. This is basically an invisible
firewall between the physical circuit and can then be treated like a normal
(but hidden) firewall.

Number 1 would be the easiest and far less intruisive to the network
configuration. Once you understand what services that machine needs to
provide, and to whom, you can blanket the server with a set of policies to
provide least privilege by only allowing access to those services by those
who NEED it, and then block everything else. Of course, you could go the
other way and block the individual IPs, but don't forget that the potential
threat/attacker could simply change their IP and bypass your rules. (If you
otherwise left the policy open)

If I have misread your email and this is not how your topology is set up,
drop the list an email clarifying how your firewall is configured in the
network path.

Good luck.

---
Regards,
Dana M. Epp


----- Original Message ----- 
From: "Fernando Serto" <fernando.serto () memetrics com>
To: <security-basics () securityfocus com>
Sent: Tuesday, September 09, 2003 11:08 PM
Subject: firewall on the same segment


> hi,
>
> I always installed firewalls to prevent access from internet to the
internal
> network, or from one network to another, but I was asked to install a
> firewall ON the LAN, to deny access to a few boxes. for example, the
network
> address is 192.168.100.0/24, firewall's ip is 192.168.100.1 and I need to
> block access to a specific server which ip is 192.168.100.3. I have to
allow
> access only to a few users to this server. Is it possible to deploy using
> iptables? On this company, they're using fwbuilder to administer the
> firewall, I tried to block access from 192.168.100.4 to 192.168.100.3, but
I
> couldn't... I can only deny access to the ips configured in the firewall.
>
> Thanks in advance.
>
> Cheers,
> Fernando
>
>
>
> ---
>
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.506 / Virus Database: 303 - Release Date: 1/08/2003
>
>
> --------------------------------------------------------------------------
-
> Captus Networks
> Are you prepared for the next Sobig & Blaster?
>  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
>  - Precisely Define and Implement Network Security
>  - Automatically Control P2P, IM and Spam Traffic
> FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
> http://www.captusnetworks.com/ads/42.htm
> --------------------------------------------------------------------------
--
>


---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------