Firewall Wizards mailing list archives

RE: Classes of firewalls (based on IP utilization)


From: "Loomis, Rip" <GILBERT.R.LOOMIS () saic com>
Date: Tue, 27 Feb 2001 11:00:47 -0500

We've been in similar situations with our
lab network here.

I would concur with the recommendation below,
to use a bridging firewall (or firewalling
bridge).  Best example in the commercial
category is the Lucent Managed Firewall
"brick" - 3 or 4 Fast Ethernet Interfaces,
fancy Java GUI and server process, neato-whizbang
features.  It's still essentially a stateful
packet filter, though, and costs fairly
serious money...so you can also just
throw two NICs into a current OpenBSD box
and set up IPFilter.  If you try the latter (or
the former) and you have problems with the
config, send me what you've got and
I might be able to diagnose.  (There are
other bridging firewall solutions out there,
I'm sure, but the two above are what I
have personally used.  I'd love to know
of more, though...)

Alternatively, you could subnet the class C,
and have (for example) a /28 for the "DMZ"
(inside router to external of firewall),
and then a mishmash of small subnets for
the rest of the interior.  You've said that
you don't want to do that, and it would
be ugly and painful, so I include it only
for completeness.

The other alternative I've seen is to
put NAT-capable proxy firewalls behind
that packet-filtering router, and not
put any critical systems on the actual
Class C.  We're using both this and
OpenBSD boxen to allow us to shift our
network architecture around quickly when
we change what products/projects are
active in our lab.  Again, you said
you only want to work with "real" IPs,
and I would agree with that goal...but
since you didn't provide a rationale,
I would suggest that you might re-consider.

YMMV, HTH, and good luck.

Rip Loomis              Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com
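The "subnet the class C" alternative above, worked through as an added example that is not part of Rip's post or of any product he names. It uses Python's standard ipaddress module on 192.0.2.0/24 (the RFC 5737 documentation block, standing in as an assumption for the real class C), takes the first /28 as the DMZ between the router and the firewall's outside interface, lets address_exclude() produce the remaining interior blocks, and then counts what the split costs in workstation addresses compared with the flat /24 the original poster described (.1 router, .2/.3 firewall, .4-.254 workstations).

```python
"""Carve a /24 into a /28 DMZ plus interior subnets and count the cost.

Added example; not from the original post.  Assumptions (mine): the block is
192.0.2.0/24 (documentation range standing in for the real class C), the DMZ
is the lowest /28, the router keeps .1 and the firewall's outside interface
keeps .2 on the DMZ, and each interior subnet gives its first usable address
to the firewall's inside interface on that segment.
"""
import ipaddress

BLOCK = ipaddress.ip_network("192.0.2.0/24")  # constructed stand-in for the class C


def carve(block=BLOCK, dmz_prefix=28):
    """Return (dmz, [interior subnets]) with the DMZ at the bottom of the block.

    address_exclude() hands back the leftover space as the smallest set of
    CIDR blocks that covers it, which for a /28 DMZ out of a /24 is one /28,
    one /27, one /26 and one /25: the collection of odd-sized interior
    subnets the post warns about.
    """
    dmz = next(block.subnets(new_prefix=dmz_prefix))
    interior = sorted(block.address_exclude(dmz))
    return dmz, interior


def assign(dmz, interior):
    """Place the router, both firewall sides and the workstation ranges."""
    plan = {
        "router": dmz[1],       # .1 stays on the DMZ side of the firewall
        "fw_outside": dmz[2],   # .2, same segment as the router
        "fw_inside": [],        # one firewall address per interior subnet
        "workstations": {},     # subnet -> addresses left for workstations
    }
    for net in interior:
        hosts = list(net.hosts())            # network and broadcast excluded
        plan["fw_inside"].append(hosts[0])   # firewall takes the first usable host
        plan["workstations"][net] = hosts[1:]
    return plan


def usable_hosts_flat(block=BLOCK):
    """Workstation addresses in the flat /24 of the question: .4 through .254."""
    # network and broadcast are unusable; .1, .2 and .3 are router and firewall
    return block.num_addresses - 2 - 3


def usable_hosts_subnetted(plan):
    return sum(len(hosts) for hosts in plan["workstations"].values())


def address_cost(block=BLOCK, dmz_prefix=28):
    """Workstation addresses lost by subnetting versus the flat /24."""
    dmz, interior = carve(block, dmz_prefix)
    return usable_hosts_flat(block) - usable_hosts_subnetted(assign(dmz, interior))


if __name__ == "__main__":
    dmz, interior = carve()
    plan = assign(dmz, interior)
    print("DMZ", dmz, "router", plan["router"], "fw outside", plan["fw_outside"])
    for gw, (net, hosts) in zip(plan["fw_inside"], plan["workstations"].items()):
        print(net, "fw inside", gw, "workstations", hosts[0], "-", hosts[-1], f"({len(hosts)})")
    print("workstation addresses lost to subnetting:", address_cost())
```

Each interior subnet burns a network address, a broadcast address and a firewall address, and the DMZ itself takes sixteen, so the split leaves 228 workstation addresses against the 251 in the flat /24; the bigger pain is that every workstation from .16 upward changes subnet mask and default gateway, which is the renumbering the post calls ugly.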



-----Original Message-----
From: Todd Barlow [mailto:todd () lightspeedsystems com]
Sent: Monday, February 26, 2001 3:25 PM
To: 'list tracker'; firewall-wizards () nfr com
Subject: RE: [fw-wiz] Classes of firewalls (based on IP utilization)


I would suggest a firewall that will allow for "bridging" between two (or
more) interfaces.  In this mode, both interfaces can be on the same subnet
(but different network segments) and don't route traffic, only "bridge" it
(layer-2) across segments.

There may be other solutions, but this sounds easiest.

Todd Barlow
Lightspeed Systems, Inc.
ph: 661.324.4291
http://www.lightspeedsystems.com


-----Original Message-----
From: list tracker [mailto:list_tracker () hotmail com]
Sent: Sunday, February 25, 2001 02:43 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Classes of firewalls (based on IP utilization)



So far, I have created the following types of firewalls:

1. One subnet (or even one IP) on the external interface, and another subnet
of fake IPs on the internal, using NAT one <--> many.

2. One subnet of real IPs on the external, and one subnet of real IPs on the
internal, with a next-hop route from the external subnet to the internal
(said next-hop route is set up on the router the firewall connects outwards
to).

I am wondering what can be done if I want to use ONLY real IPs, but I also
only want to use ONE subnet.  If I have a /24, with no subnets, and the
router is .1, and the FW external is .2, and the FW internal is .3 and
workstations are .4 - .254 ... is there a way to work this?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
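To make concrete why the bridging firewall Todd and Rip recommend answers the original question, here is an added simulation (mine, not code from the thread, from Lucent, or from OpenBSD/IPFilter) of a two-port filtering bridge sitting between the router's segment and the workstation segment of a single /24. The bridge forwards Ethernet frames by learned MAC address and never owns an IP address or a route, so the router stays at .1 and the workstations at .4 and up with no second subnet, while an IP-layer stateful policy is still applied to every frame that crosses. Addresses, MACs and the policy (inside may open TCP connections outward, outside may not open them inward, replies to known connections pass both ways) are constructed for the example.

```python
"""Transparent (layer-2) filtering bridge between two segments of one /24.

Added example, not from the thread.  Everything here is constructed: the block
is 192.0.2.0/24, the router is .1 on the "outside" port, workstation .4 is on
the "inside" port, MAC addresses are from the documentation OUI, and the
policy is the usual one for a stateful packet filter.
"""
from dataclasses import dataclass

ROUTER_MAC = "00:00:5e:00:53:01"   # 192.0.2.1, outside segment (constructed)
WS4_MAC = "00:00:5e:00:53:04"      # 192.0.2.4, inside segment (constructed)


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"; anything else is dropped
    sport: int
    dport: int
    syn: bool = False   # TCP SYN without ACK is a new connection attempt
    ack: bool = False


class FilteringBridge:
    """Two-port learning bridge with a stateful, direction-aware IP filter."""

    OUTSIDE, INSIDE = "outside", "inside"

    def __init__(self):
        self.mac_table = {}   # MAC -> port it was last seen on
        self.states = set()   # (src_ip, sport, dst_ip, dport, proto) of allowed flows
        self.log = []

    def _allowed(self, frame, in_port):
        key = (frame.src_ip, frame.sport, frame.dst_ip, frame.dport, frame.proto)
        reverse = (frame.dst_ip, frame.dport, frame.src_ip, frame.sport, frame.proto)
        if key in self.states or reverse in self.states:
            return True                      # part of an established flow
        if frame.proto == "tcp" and frame.syn and not frame.ack:
            if in_port == self.INSIDE:       # new outbound connection: record and pass
                self.states.add(key)
                return True
            return False                     # new inbound connection: blocked
        if frame.proto == "udp" and in_port == self.INSIDE:
            self.states.add(key)             # first outbound datagram opens a pseudo-session
            return True
        return False

    def receive(self, frame, in_port):
        """Return the port the frame leaves on, or None if it is dropped.

        Learning happens before filtering: the source MAC is tied to the port
        it arrived on, so a later reply is delivered to the right segment
        instead of being flooded.  With only two ports, an unknown
        destination simply goes out the other port.
        """
        self.mac_table[frame.src_mac] = in_port
        if not self._allowed(frame, in_port):
            self.log.append(f"drop on {in_port}: {frame.src_ip}:{frame.sport} -> "
                            f"{frame.dst_ip}:{frame.dport}")
            return None
        out_port = self.mac_table.get(frame.dst_mac)
        if out_port is None:
            out_port = self.INSIDE if in_port == self.OUTSIDE else self.OUTSIDE
        elif out_port == in_port:
            return None   # both hosts are on the same segment; nothing to bridge
        self.log.append(f"pass {in_port}->{out_port}: {frame.src_ip}:{frame.sport} -> "
                        f"{frame.dst_ip}:{frame.dport}")
        return out_port


def demo():
    """Workstation .4 opens a web connection out through the router; the
    SYN/ACK comes back; an unsolicited inbound SYN to .4 port 22 is dropped."""
    br = FilteringBridge()
    outbound_syn = Frame(WS4_MAC, ROUTER_MAC, "192.0.2.4", "198.51.100.10", "tcp", 40000, 80, syn=True)
    reply = Frame(ROUTER_MAC, WS4_MAC, "198.51.100.10", "192.0.2.4", "tcp", 80, 40000, syn=True, ack=True)
    inbound_syn = Frame(ROUTER_MAC, WS4_MAC, "198.51.100.10", "192.0.2.4", "tcp", 50000, 22, syn=True)
    return (br.receive(outbound_syn, br.INSIDE),   # forwarded to "outside"
            br.receive(reply, br.OUTSIDE),         # forwarded to "inside"
            br.receive(inbound_syn, br.OUTSIDE),   # dropped: None
            br)


if __name__ == "__main__":
    *_, bridge = demo()
    print("\n".join(bridge.log))
```

Note what the bridge does not have: no IP address and no next-hop route, which is exactly what lets the router and the workstations share one /24. The practical consequence is that a transparent firewall cannot be managed over the network it protects unless you give it a separate management interface (or an address on one of the bridge members), so plan for console or out-of-band access before deploying one.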

