Firewall Wizards mailing list archives

RE: firewall-wizards digest, Vol 1 #679 - 2 msgs


From: "Larry Wilson" <lwilson () theoffice net>
Date: Mon, 16 Sep 2002 15:04:26 +1000

The options mentioned so far are quite valid, dependent on the functionality of
the firewalls, and a firewall that can be managed with central policies would
accomplish this readily. However, there is also another option that can be
considered. This is using a single DMZ (simple firewall) for the servers
with a centrally managed, policy-driven crypto VPN solution that is a host-
to-host VPN engine. This would allow a set of rules to be set up to
determine what can talk to what, based on IP, subnet or range, and is easily
reconfigurable. Therefore, if there is a VPN rule that defines host A can
talk to hosts B & C, then that is all that *can* happen. Not even a ping will
work from anywhere else. There is also a good audit capability as well, if
needed.

OK! You're probably wondering what I am going on about. I have used a solution
that is fairly unique called NetLock (www.netlock.com/products/index.html).
Have a read there; that will explain it better than I probably can.

BTW I have no relationship with Netlock Technologies, only have used the
solution.

Hope this information is of use to you.

Larry Wilson


 |From: "Ian Webb" <webbi () sapc edu>
 |To: <firewall-wizards () honor icsalabs com>
 |Subject: RE: [fw-wiz] separating the servers on a switch
 |Date: Sat, 14 Sep 2002 13:34:05 -0400
 |
 |You could also use a firewall that lets you set policies between VLANs
 |on the same interface. I know Netscreens can do that, not sure about
 |other firewalls.
 |
 |-----Original Message-----
 |From: firewall-wizards-admin () honor icsalabs com
 |[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of m p
 |Sent: Thursday, September 12, 2002 2:43 PM
 |To: Shimon Silberschlag
 |Cc: firewall-wizards () honor icsalabs com
 |Subject: Re: [fw-wiz] separating the servers on a switch
 |
 |[ Sorry, i hit send too fast. I'm resending it full :)]
 |
 | --- Shimon Silberschlag <shimons () bll co il> wrote:
 |> The servers need to talk with the uplink (internet) servers, the
 |> downlink (backend) servers. This is trivially done with the firewalls.
 |> What we want to do is control which servers on the segment talk among
 |> themselves.
 |>
 |> Shimon Silberschlag
 |
 |The only way to solve the problem I can think of is to install more
 |firewalls / packet filters and give each server a separate interface on that
 |firewall. It would look like this (in good old ASCII art):
 |
 |
 |            Internet
 |                |
 |                |
 |    screening router / Firewall (already in place)
 |                |
 |                |
 |Public DMZ   Firewall - Server 1
 |                | | |__ Server 2
 |                | |____ Server 3
 |                |
 |                |
 |    screening router / Firewall (already in place)
 |                |
 |                |
 |Private DMZ  Firewall - Server 1
 |                  | |__ Server 2
 |                  |____ Server 3
 |
 |
 |VLANs are not secure. You may circumvent them. Even if you define VLANs,
 |how do you control the traffic in them?
 |
 |The smoothest way to do that is, from my point of view, to install *BSD
 |(or, if you are more familiar with it, the word with L.... ;), put them into
 |bridging mode and install a kind of packet filter (perhaps with a self-train
 |phase) upon them. Put a management link with an IP into them. Voila.
 |Your mileage may vary.
 |
 |The plus is that you don't have to go into subnetting your IP range into
 |smaller pieces, it takes load off the main firewalls, and if you don't change
 |the TTL or other headers there is virtually no way to detect them.
 |The downside is that you add a layer of complexity and a single point of
 |failure.
 |
 |Just my 2 cents.
 |
 |Marc
 |
 |
 |> ----- Original Message -----
 |> From: "m p" <sumirati () yahoo de>
 |> To: "Shimon Silberschlag" <shimons () bll co il>
 |> Sent: Thursday, September 12, 2002 15:56
 |> Subject: Re: [fw-wiz] separating the servers on a switch
 |>
 |>
 |> > Hi Shimon,
 |> >
 |> > please decompress your question && resend it.
 |> >
 |> > thanks
 |> >
 |> > marc
 |> >
 |> > ps: look for the comment.
 |> >
 |> >  --- Shimon Silberschlag <shimons () bll co il> wrote:
 |> > > Let's say we have an internet segment, protected by firewalls at both
 |> > > ends. On that segment are various servers.
 |> > > The servers need to talk to other servers outside the segment; uplink
 |> > > it's the internet, downlink the backend servers.
 |> > > Some of the servers need to be able to talk among them.
 |> >
 |> > ^-- from here on it is not clear which servers are which, or on which
 |> > link they are.
 |> >
 |> > > We want to control which server can talk to which other server (in the
 |> > > segment), utilizing one of the firewalls (let's say the uplink one).
 |> > > Can the group suggest ways to accomplish that? We thought about using
 |> > > L2 switches with "private VLAN", L3 switches with ACL, but constantly
 |> > > come across problems doing the routing properly.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
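Marc's bridging-filter proposal, worked out as an added example that is not from any poster in the thread: an OpenBSD pf.conf for a transparent bridge with one member interface per server, so every packet between two servers has to cross the filter and only the explicitly listed host pairs can talk, which is the same "host A may talk to B and C, nothing else, not even a ping" policy Larry describes for the VPN approach. The interface names, the 192.0.2.0/24 and 198.51.100.5 addresses, the service ports and the admin station are assumptions made for the illustration.

```pf
# Added example: transparent bridging packet filter for the server segment.
# Bring the bridge up (OpenBSD) before loading this ruleset; no member carries an IP:
#   ifconfig bridge0 create
#   ifconfig bridge0 add em0 add em1 add em2 add em3 up
# Interface names, addresses and ports are assumptions for the illustration.

ext_if  = "em0"                 # toward the screening router / main firewall
srv1_if = "em1"                 # one bridge member per server, so inter-server
srv2_if = "em2"                 # traffic cannot bypass the filter on the switch
srv3_if = "em3"
srv_ifs = "{ em1 em2 em3 }"
mgmt_if = "em4"                 # the only interface with an address (management link)

srv1    = "192.0.2.11"          # web front end
srv2    = "192.0.2.12"          # application server
srv3    = "192.0.2.13"          # database
segment = "192.0.2.0/24"
admin   = "198.51.100.5"        # management station

set skip on lo0

# Filter once, on the server-facing members only. The uplink member is passed
# without state so that no state created there can short-circuit the rules below.
pass quick on $ext_if no state

# Default deny on the server side, logged to pflog for the audit trail.
# Without a matching pass rule nothing crosses, ICMP echo included.
block log on $srv_ifs

# Traffic between a server and anything outside the segment is the main
# firewall's business; let it through here and keep state for the replies.
pass in  on $srv_ifs from $segment   to ! $segment
pass out on $srv_ifs from ! $segment to $segment

# Intra-segment traffic: only the listed pairs and ports. A connection from srv1
# to srv2 enters on em1 and creates state; that state also matches the packet
# leaving on em2 and the replies, so no separate "pass out" rule is needed.
pass in on $srv1_if proto tcp from $srv1 to $srv2 port 8080
pass in on $srv2_if proto tcp from $srv2 to $srv3 port 5432

# Management link: SSH from the admin station only.
block in on $mgmt_if
pass  in on $mgmt_if proto tcp from $admin to ($mgmt_if) port 22
```

Two caveats a practitioner should keep in mind. pf filters only IP on the bridge, so ARP and other non-IP frames still flow between the servers; a server can therefore still see its neighbours at layer 2, and layer-2 restrictions would have to go into the bridge's own `ifconfig bridge0 rule` set. Second, the "to ! $segment" rule also blocks traffic to the main firewall's own address inside the segment (pinging the gateway, for instance); add an explicit pass for that address if the servers need it.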
