Firewall Wizards mailing list archives

Re: Maximum number of subnets on a firewall


From: Mark Tinberg <mtinberg () securepipe com>
Date: Tue, 17 Feb 2004 11:10:05 -0600 (CST)

On Thu, 12 Feb 2004, Paolo Supino wrote:

  A couple of weeks ago I sent an email about a possible firewall layout for
3 companies. After reading the answers and doing some drawings in Visio (if
anyone has a better tool, please let me know) I set up the firewall in the
following way.

Let me know if this is incorrect

                         |- Company A
                         |- Company B
                         |- Company C
  -- Router  -- Firewall |- DMZ
                         |- DMZ A
                         |- DMZ B
                         |- DMZ C
                         |- WiFi
                         |- Management

Looks like you did pretty well within the constraints you were given.  Now
that you've segmented the network into separate parts you need to worry
about the security policy for each segment and how it relates to each
other segment.  For the most part there should not be any relationship:
Company A doesn't talk to Company B, the DMZs don't have any traffic
allowed to any other segment (including outbound), and no segment has
unrestricted traffic to any other segment (this includes inside -> DMZ or
inside -> outside).

Default deny all ruleset, add things in as you come across them.

The management network, depending on how much stuff it's connected to,
could be a weak link.  If the equipment in the DMZs and each company's
internal network is dual-homed to the management subnet, then you've
given up many of the security benefits, as malicious traffic won't have to
traverse the firewall to get where it's going.  As someone else said, it's
like putting a post up in a field and hoping your attacker runs into it.
This might be good enough for virus or worm traffic, but even some
wet-nosed kid can probably figure out that the machines are dual-homed and
have their way with them.

Anyway, after you've figured this all out, and how you're going to handle
logs from the firewall then you can start worrying about building up IDS
units for these segments so you can monitor the traffic that you are
allowing. 8^)  The fun never ends!

-- 
Mark Tinberg <MTinberg () securepipe com>
Network Security Engineer, SecurePipe Inc.
New Key fingerprint = FAEF 15E4 FEB3 08E8 66D5  A1A1 16EE C5E4 E523 6C67
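As an added illustration (not code from the thread or from either poster), here is a small Python checker that models the segments in Paolo's diagram and Mark's three invariants: no company-to-company traffic, nothing initiated by a DMZ (outbound included), and no unrestricted segment-to-segment rule, on top of a default-deny lookup. The segment names, the "Outside" segment and the sample rules are assumptions constructed for the example.

```python
"""Lint a segment-to-segment allow list against the policy described above."""
from dataclasses import dataclass

# Segment names are assumed from the ASCII diagram; "Outside" is added
# to represent the router side of the firewall.
COMPANIES = {"CompanyA", "CompanyB", "CompanyC"}
DMZS = {"DMZ", "DMZ_A", "DMZ_B", "DMZ_C"}
OTHER = {"WiFi", "Management", "Outside"}
SEGMENTS = COMPANIES | DMZS | OTHER


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str  # e.g. "tcp/443"; "any" means unrestricted


def lint(rules):
    """Return a list of violations of the thread's three invariants."""
    problems = []
    for r in rules:
        if r.src not in SEGMENTS or r.dst not in SEGMENTS:
            problems.append(f"unknown segment in {r}")
            continue
        if r.src in COMPANIES and r.dst in COMPANIES and r.src != r.dst:
            problems.append(f"company-to-company traffic: {r}")
        if r.src in DMZS and r.dst != r.src:
            problems.append(f"DMZ-initiated traffic (incl. outbound): {r}")
        if r.service == "any" and r.src != r.dst:
            problems.append(f"unrestricted segment-to-segment rule: {r}")
    return problems


def allowed(rules, src, dst, service):
    """Default deny: permit only when an explicit rule matches."""
    return any(r.src == src and r.dst == dst and r.service in ("any", service)
               for r in rules)


# Constructed sample ruleset: the last three rules each break one invariant.
SAMPLE_RULES = [
    Rule("CompanyA", "DMZ_A", "tcp/443"),
    Rule("CompanyA", "Outside", "tcp/80"),
    Rule("Outside", "DMZ", "tcp/25"),
    Rule("CompanyA", "CompanyB", "tcp/445"),
    Rule("DMZ_B", "Outside", "tcp/53"),
    Rule("Management", "DMZ_C", "any"),
]

if __name__ == "__main__":
    for p in lint(SAMPLE_RULES):
        print("VIOLATION:", p)
```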