Security Basics mailing list archives
Re: firewall on the same segment
From: "Dana Epp" <dana () vulscan com>
Date: Wed, 10 Sep 2003 11:03:47 -0700
Hey Fernando,

I am not sure if I understand your question correctly or not, but I will give it a try.

Your firewall sounds like it is configured with NAT or at a minimum NAPT (MASQ). Because of this, your firewall at 192.168.100.1 translates the internal 192.168.100 class C into a single external (real world) IP address for the Internet. As such, it is easy to firewall external data because it is routed THROUGH the firewall. When you are accessing resources from behind the firewall, you don't go through it for local traffic and as such, it will do nothing to filter the packets.

If you want to filter the internal packets you will need to make some network modifications or, at a minimum, install a host based firewall on the machines you wish to protect. (Which is a good idea anyways via a defense in depth posture.)

A few different scenarios/suggestions would be to:

1) Install a host based firewall on the server at 192.168.100.3 (should do this anyways)
2) Move the server to a secondary subnet (DMZ) hung off the firewall on a 3rd NIC, and then do creative routing to force the network through the firewall
3) Install a transparent bridging firewall. This is basically an invisible firewall between the physical circuit and can then be treated like a normal (but hidden) firewall.

Number 1 would be the easiest and far less intrusive to the network configuration. Once you understand what services that machine needs to provide, and to whom, you can blanket the server with a set of policies to provide least privilege by only allowing access to those services by those who NEED it, and then block everything else. Of course, you could go the other way and block the individual IPs, but don't forget that the potential threat/attacker could simply change their IP and bypass your rules (if you otherwise left the policy open).

If I have misread your email and this is not how your topology is set up, drop the list an email clarifying how your firewall is configured in the network path.
Good luck.

---
Regards,
Dana M. Epp

----- Original Message -----
From: "Fernando Serto" <fernando.serto () memetrics com>
To: <security-basics () securityfocus com>
Sent: Tuesday, September 09, 2003 11:08 PM
Subject: firewall on the same segment
hi, I always installed firewalls to prevent access from the internet to the internal network, or from one network to another, but I was asked to install a firewall ON the LAN, to deny access to a few boxes. For example, the network address is 192.168.100.0/24, the firewall's IP is 192.168.100.1, and I need to block access to a specific server whose IP is 192.168.100.3. I have to allow access only to a few users to this server. Is it possible to deploy using iptables?

At this company, they're using fwbuilder to administer the firewall. I tried to block access from 192.168.100.4 to 192.168.100.3, but I couldn't... I can only deny access to the IPs configured in the firewall.

Thanks in advance.

Cheers,
Fernando
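Option 1 above (a host-based, default-deny policy on the protected server itself), as an added shell example that is not from this thread: it generates the iptables rules for 192.168.100.3 so they can be reviewed before being applied. The allowed client addresses and the exposed ports (22 and 443) are assumptions for illustration; the traffic in question never transits the perimeter firewall at 192.168.100.1, so the INPUT chain on the server is the only place it can be filtered.

```shell
#!/bin/sh
# Host-based iptables policy for the protected server (example code, not
# from the thread). Assumed: 192.168.100.3 offers SSH (22) and HTTPS (443),
# and only 192.168.100.10 and 192.168.100.11 are the "few users" allowed in.
SERVER_IP="192.168.100.3"
ALLOWED_CLIENTS="192.168.100.10 192.168.100.11"
ALLOWED_PORTS="22 443"

# Emit the rule set as commands so it can be reviewed (or piped to sh as
# root) before it takes effect. Default policy is DROP, so a client that
# changes its address gains nothing: it is simply not on the allow list.
build_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for client in $ALLOWED_CLIENTS; do
        for port in $ALLOWED_PORTS; do
            echo "iptables -A INPUT -s $client -d $SERVER_IP -p tcp --dport $port -j ACCEPT"
        done
    done
    # Everything else on the segment is logged (rate limited) and dropped,
    # which also gives you a record of who is probing the server.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"LAN-DROP: \""
    echo "iptables -A INPUT -j DROP"
}

# Number of ACCEPT rules granted to a given source address; handy for
# checking the generated policy against the intended user list.
accept_rules_for() {
    build_rules | grep -c -- "-s $1 .* -j ACCEPT" || true
}
```

Apply it from the console rather than over the network, since the DROP policy is set before the allow rules are added. Source-address allow lists are only as strong as the segment's resistance to address spoofing, so the services themselves should still authenticate their users.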