Firewall Wizards mailing list archives
RE: firewall-wizards digest, Vol 1 #679 - 2 msgs
From: "Larry Wilson" <lwilson () theoffice net>
Date: Mon, 16 Sep 2002 15:04:26 +1000
The options mentioned so far are quite valid, depending on the functionality of the firewalls, and a firewall that can be managed with central policies would accomplish this readily. However, there is also another option that can be considered. This is using a single DMZ (simple firewall) for the servers with a centrally managed, policy-driven crypto VPN solution that is a host-to-host VPN engine. This would allow a set of rules to be set up to determine what can talk to what, based on IP, subnet or range, and is easily reconfigurable. Therefore, if there is a VPN rule that defines host A can talk to host B & C, then that is all that *can* happen. Not even a ping will work from anywhere else. There is also a good audit capability, if needed.

OK! You're probably wondering what I am going on about. I have used a solution that is fairly unique called NetLock (www.netlock.com/products/index.html). Have a read there; that will explain better than I probably can. BTW I have no relationship with Netlock Technologies, I have only used the solution.

Hope this information is of use to you.

Larry Wilson

|From: "Ian Webb" <webbi () sapc edu>
|To: <firewall-wizards () honor icsalabs com>
|Subject: RE: [fw-wiz] separating the servers on a switch
|Date: Sat, 14 Sep 2002 13:34:05 -0400
|
|You could also use a firewall that lets you set policies between VLANs
|on the same interface. I know Netscreens can do that, not sure about
|other firewalls.
|
|-----Original Message-----
|From: firewall-wizards-admin () honor icsalabs com
|[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of m p
|Sent: Thursday, September 12, 2002 2:43 PM
|To: Shimon Silberschlag
|Cc: firewall-wizards () honor icsalabs com
|Subject: Re: [fw-wiz] separating the servers on a switch
|
|[ Sorry, i hit send too fast. I'm resending it full :)]
|
| --- Shimon Silberschlag <shimons () bll co il> wrote:
|> The servers need to talk with the uplink (internet) servers, the
|> downlink (backend) servers. This is trivially done with the firewalls.
|> What we want to do is control which servers on the segment talk among
|> themselves.
|>
|> Shimon Silberschlag
|
|The only way to solve the problem I can think of is to install more
|firewalls / packet filters and give each server a separate interface on
|that firewall. It would look like this (in good old ASCII art):
|
|
| Internet
|   |
|   |
| screening router / Firewall (already in place)
|   |
|   |
|Public DMZ Firewall - Server 1
|   |  |
|   |  |__ Server 2
|   |
|   |____ Server 3
|   |
|   |
| screening router / Firewall (already in place)
|   |
|   |
|Private DMZ Firewall - Server 1
|   |
|   |__ Server 2
|   |____ Server 3
|
|
|VLANs are not secure. You may circumvent them. Even if you define VLANs
|- how do you control the traffic in them?
|
|The smoothest way to do that is from my point of view to install *BSD
|(or if you are more familiar, the word with L.... ;), put them into
|bridging mode and install a kind of packet filter (perhaps with a
|self-train phase) upon them. Put a management link with an IP into them.
|Voila. Your mileage may vary.
|
|The plus is that you don't have to go into subnetting your IP range into
|smaller pieces, put load down from the main firewalls, and if you don't
|change the TTL or other headers there is virtually no way to detect them.
|The downside is that you add a layer of complexity and a single point of
|failure.
|
|Just my 2 cents.
|
|Marc
|
|
|> ----- Original Message -----
|> From: "m p" <sumirati () yahoo de>
|> To: "Shimon Silberschlag" <shimons () bll co il>
|> Sent: Thursday, September 12, 2002 15:56
|> Subject: Re: [fw-wiz] separating the servers on a switch
|>
|>
|> > Hi Shimon,
|> >
|> > please decompress your question && resend it.
|> >
|> > thanks
|> >
|> > marc
|> >
|> > ps: look for the comment.
|> >
|> > --- Shimon Silberschlag <shimons () bll co il> wrote:
|> > > Let's say we have an internet segment, protected by firewalls at
|> > > both ends. On that segment are various servers.
|> > > The servers need to talk to other servers outside the segment;
|> > > uplink it's the internet, downlink the backend servers.
|> > > Some of the servers need to be able to talk among them.
|> >
|> > ^-- from here on it is not clear which servers are which servers are
|> > on which link they are.
|> >
|> > > We want to control which server can talk to which other server (in
|> > > the segment), utilizing one of the firewalls (let's say the uplink
|> > > one).
|> > > Can the group suggest ways to accomplish that? We thought about
|> > > using L2 switches with "private VLAN", L3 switches with ACL, but
|> > > constantly come across problems doing the routing properly.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
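As an added illustration of the two points made in this thread (Larry's "host A may talk to B and C, nothing else, not even a ping" policy and Marc's transparent *BSD bridge with a packet filter and a management link), here is a constructed pf.conf for an OpenBSD box bridging the public DMZ. It is not from the thread or from any of the products named; the interface names, addresses and the single permitted server-to-server flow are all assumptions, and bridge0 is assumed to be already configured with em1 through em4 as members.

```pf
# Constructed example: pf.conf for a transparent DMZ bridge (not from the thread).
# Assumed layout: em0 = management link with an IP; em1 = port toward the
# screening router; em2, em3, em4 = one port per server, all members of
# bridge0, which itself carries no IP. Addresses are documentation ranges.
mgmt_if   = "em0"
mgmt_ip   = "10.0.0.2"
admin_net = "10.0.0.0/24"
uplink_if = "em1"
srv1_if   = "em2"
srv_ifs   = "{ em2, em3, em4 }"
srv1      = "192.0.2.11"
srv2      = "192.0.2.12"
servers   = "{ 192.0.2.11, 192.0.2.12, 192.0.2.13 }"

pass quick on lo0

# Default deny, logged to pflog0: any server-to-server attempt that is not
# listed below shows up in the log, which gives the audit trail.
block log all

# The management link answers ssh from the admin network and nothing else.
pass in quick on $mgmt_if proto tcp from $admin_net to $mgmt_ip port ssh keep state

# Lateral policy: the only permitted server-to-server flow is Server 1
# reaching the database port on Server 2 (constructed requirement).
pass in quick on $srv1_if proto tcp from $srv1 to $srv2 port 3306 keep state

# Every other packet entering from a server port and bound for another
# server (including ICMP echo) is dropped here, before the broader pass
# rules below can match it.
block log quick on $srv_ifs from $servers to $servers

# Traffic between the servers and the uplink/backend side is policed by the
# outer firewalls already in place; pass it through statefully. A floating
# state created on the inbound leg also matches the same packet as it leaves
# the bridge on the other member port, so no separate out rules are needed.
pass in on $uplink_if from any to $servers keep state
pass in on $srv_ifs from $servers to any keep state
```

pf filters IP only, so ARP still crosses the bridge unfiltered; the servers' IP traffic is policed, but their layer-2 presence is not hidden from each other.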
Current thread:
- RE: firewall-wizards digest, Vol 1 #679 - 2 msgs Larry Wilson (Sep 16)
- Re: RE: firewall-wizards digest, Vol 1 #679 - 2 msgs Paul D. Robertson (Sep 16)