Firewall Wizards mailing list archives

Re: separating the servers on a switch


From: m p <sumirati () yahoo de>
Date: Thu, 12 Sep 2002 20:42:38 +0200 (CEST)

[ Sorry, i hit send too fast. I'm resending it full :)]

 --- Shimon Silberschlag <shimons () bll co il> wrote:
> The servers need to talk with the uplink (internet) servers, the
> downlink (backend) servers. This is trivially done with the firewalls.
> What we want to do is control which servers on the segment talk among
> themselves.

Shimon Silberschlag

The only way to solve the problem that I can think of is to install more firewalls /
packet filters and give each server a separate interface on that firewall. It
would look like this (in good old ASCII art):


            Internet
                |
                |
    screening router / Firewall (already in place)
                |
                |
Public DMZ   Firewall - Server 1
                | | |__ Server 2
                | |____ Server 3 
                |
                |
    screening router / Firewall (already in place)
                |
                |
Private DMZ  Firewall - Server 1
                  | |__ Server 2
                  |____ Server 3 
             

VLANs are not secure. You may circumvent them. Even if you define VLANs - how
do you control the traffic in them?

The smoothest way to do that is, from my point of view, to install *BSD (or, if
you are more familiar with it, the word starting with L.... ;), put them into bridging mode and
install a kind of packet filter (perhaps with a self-train phase) on them. Put
a management link with an IP into them. Voila.
Your mileage may vary.

The plus is that you don't have to go into subnetting your IP range into
smaller pieces, you take load off the main firewalls, and if you don't change the
TTL or other headers there is virtually no way to detect them.
The downside is that you add a layer of complexity and a single point of failure.

Just my 2 cents.

Marc


----- Original Message -----
From: "m p" <sumirati () yahoo de>
To: "Shimon Silberschlag" <shimons () bll co il>
Sent: Thursday, September 12, 2002 15:56
Subject: Re: [fw-wiz] separating the servers on a switch


Hi Shimon,

please decompress your question && resend it.

thanks

marc

ps: look for the comment.

 --- Shimon Silberschlag <shimons () bll co il> wrote:
> Let's say we have an internet segment, protected by firewalls at both
> ends. On that segment are various servers.
> The servers need to talk to other servers outside the segment; uplink
> it's the internet, downlink the backend servers.
> Some of the servers need to be able to talk among them.

^-- from here on it is not clear which servers are which, or on which
link they are.

> We want to control which server can talk to which other server (in
> the segment), utilizing one of the firewalls (let's say the uplink
> one).
> Can the group suggest ways to accomplish that? We thought about
> using L2 switches with "private VLAN", L3 switches with ACL, but
> constantly come across problems doing the routing properly.



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
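Worked example of the bridging packet filter Marc describes above, added here and not part of the original post or thread: an OpenBSD pf.conf for a transparent bridge with one port toward the existing screening firewall, one port per server and a separate management interface. Interface names, addresses, the management network and the one permitted server-to-server flow (Server 1 to Server 2 on tcp/8080) are assumed placeholders; the setup commands in the comments use current ifconfig(8) syntax (in 2002 this was brconfig(8)).

```pf
# /etc/pf.conf for the per-server bridging filter (OpenBSD pf syntax).
# Added example; the layout below is assumed, not taken from the post:
#   em0         uplink port toward the existing screening firewall
#   em1/em2/em3 one port per server (Server 1, 2, 3)
#   em4         management interface, the only port with an IP address
# The bridge members carry no IP, so the box is invisible at layer 3:
# TTL and all other headers are forwarded unchanged.
#
# One-time setup (current ifconfig(8) syntax; brconfig(8) in 2002):
#   ifconfig em0 up; ifconfig em1 up; ifconfig em2 up; ifconfig em3 up
#   ifconfig bridge0 create
#   ifconfig bridge0 add em0 add em1 add em2 add em3 up
#   ifconfig em4 inet 192.0.2.225/27
#   pfctl -f /etc/pf.conf

ext_if  = "em0"
srv1_if = "em1"
srv2_if = "em2"
srv3_if = "em3"
mgmt_if = "em4"

# Assumed server addresses. All servers stay in the same subnet, which
# is the point: no re-subnetting of the DMZ range is needed.
srv1 = "192.0.2.10"
srv2 = "192.0.2.11"
srv3 = "192.0.2.12"
table <servers> const { 192.0.2.10, 192.0.2.11, 192.0.2.12 }
mgmt_net = "192.0.2.224/27"

# A packet crossing the bridge is filtered twice: "in" on the port it
# arrives on and "out" on the port it leaves by. Binding states to the
# interface gives each port its own state entry with the correct
# direction instead of one floating state being hit from both sides.
set state-policy if-bound
set skip on lo0

# Default deny, logged. For a learning ("self-train") phase replace this
# with "pass log all" and read pflog0 to see which servers talk to which,
# then turn what you saw into the explicit rules below.
block log all

# Management: SSH to the box itself from the admin network only.
pass in  quick on $mgmt_if proto tcp from $mgmt_net to ($mgmt_if) port 22
pass out quick on $mgmt_if from ($mgmt_if) to $mgmt_net

# Uplink/backend traffic: the existing firewalls already police it, so
# it is let through here. The only thing enforced on the uplink port is
# that nothing arriving on it claims a server's address.
pass in  quick on $ext_if from ! <servers> to <servers>
pass out quick on $ext_if from <servers> to ! <servers>

# Each server port accepts only its own source address, and only
# traffic that is NOT destined for another server on this segment.
pass in  quick on $srv1_if from $srv1 to ! <servers>
pass in  quick on $srv2_if from $srv2 to ! <servers>
pass in  quick on $srv3_if from $srv3 to ! <servers>
pass out quick on $srv1_if from ! <servers> to $srv1
pass out quick on $srv2_if from ! <servers> to $srv2
pass out quick on $srv3_if from ! <servers> to $srv3

# Server-to-server: only the flows you explicitly want. Assumed example:
# Server 1 (web) may open tcp/8080 to Server 2 (app); nothing else, and
# Server 3 is isolated from both. Replies are matched by state.
pass in  quick on $srv1_if proto tcp from $srv1 to $srv2 port 8080
pass out quick on $srv2_if proto tcp from $srv1 to $srv2 port 8080

# Caveat: pf filters IP only. ARP and other non-IP frames still cross
# the bridge; restrict those with bridge(4) rules if that matters.
```

To check the policy, run `pfctl -s rules -v` and watch the per-rule counters while a server tries to reach a neighbour it should not see; the attempt shows up on `block log all` and in `tcpdump -n -e -i pflog0`. A `traceroute` from any server to the backend shows no extra hop, which is the "virtually no way to detect them" property Marc mentions. The single point of failure he warns about is real: every server port now depends on this one box, so plan a bypass (or a second bridge with pfsync) before putting it in the path.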

