donnatronious asked on
True DMZ configuration
Goal: To set up a true DMZ using a packet filtering boundary router and an actual firewall/VPN. This is not a service leg configuration.
Question: I am unsure about the config for the network configuration of the DMZ network. I have 4 public IPs at my disposal. It is my understanding that in this configuration I will have a completely separate network as the DMZ. I know that I can have a private DMZ with mapped IPs for services or I can have a public DMZ. What I really need is diagrams showing the interface configurations of the boundary router and firewall. Or if someone could fill in the question marks below that might help. The boundary router is netopia r9100 and the firewall is netscreen 5gt.
Boundary Router
External Interface
IP: XX.95.87.82
Mask: 255.255.255.248
Gateway: XX.95.87.81
Internal Interface
IP: ?.?.?.?
Mask: 255.255.255.0
Firewall/VPN
External Interface
IP: ?.?.?.?
Mask: 255.255.255.0
Gateway: ?.?.?.?
Internal Interface
IP: 192.168.1.1
Mask: 255.255.255.0
ASKER
MikeKane
It's like this,
Internet Cloud
ISP router managed by them: IP is 67.95.87.81 Mask 255.255.255.248 I have 82 through 86 for my use.
Netopia/Stateful Inspection Firewall:
Netscreen Application Firewall/VPN
Internal Private Network
1) NAT will be performed by the Netscreen. So I assume DMZ will be public. I can't have double NAT right?
2) I don't want a 3 pronged or so called "service leg" firewall. I want a true double firewall DMZ.
3) Services in the DMZ will be the VPN on the Netscreen and a possible bastion host webserver at a later date.
More questions.
1) Referring to the proposed configuration by ferg-o, I didn't think that a router's internal and external interface could be on the same network?
2) I guess the above configuration would leave me 2 IPs to put other services on in the network. .85 and .86.
3) Is it true that I could define 64 other subnets on the boundary router with 2 hosts each?
ASKER
Both you guys are a lot of help. It looks like I will soon be splitting points.
BTW, Donnatronious, go and collect your points from an open question I had for you. Check my open question status and you'll see your points.
ASKER
MikeKane
I don't understand why you are giving me points?
That was from like 8 months ago. It was an assist from an old question. And I felt that the author should have split points. Look at the date, it was back in June
Donnatronius - when I split the subnet from 255.255.255.248 to 255.255.255.252 I put the addresses into different subnets.
I have had to do this a lot in the past doing firewall installations and I can vouch that it works - with layer 7 firewalls sometimes clients like to use valid IPs on their DMZs as NAT doesn't necessarily enhance security.
I agree with MikeKane though that if it is not your router that is the route of last resort then best not to mess with it - do as he says and keep the addresses in your external net - you waste them by splitting the subnet - as such:
netmask: 255.255.255.248
network: xxx.95.87.80 (theoretically unusable...)
usable: xxx.95.87.81-86
broadcast: xxx.95.87.87 (unusable)
netmask: 255.255.255.252
network: xxx.95.87.80 (theoretically unusable...)
usable: xxx.95.87.81-82
broadcast: xxx.95.87.83 (unusable)
netmask: 255.255.255.252
network: xxx.95.87.84 (theoretically unusable...)
usable: xxx.95.87.85-86
broadcast: xxx.95.87.87 (unusable)
You lose two usable addresses, .83 & .84 in the split.
To answer your question 3 - yes you could if you had the whole 24 bit range and another router of your own that you control. The netscreen can also perform this function.
This is what ISPs tend to do here in Hong Kong - they give you one usable address with a 30 bit (255.255.255.252) mask - the other usable is taken up by their managed router and becomes the route of last resort. In order to do this they need to have their border routers and DSLAMs configured with network routes (or a routing protocol like RIP) so that traffic running through their networks knows where to be directed.
To be honest with you there are a thousand different ways to set up perimeter networks - it really depends on what you want to achieve. From the above information I think it is easier for you to go with MikeKane's recommendation. Should you decide down the track that you need more external addresses (for web servers etc - which *should* be on a service leg of the NS) then you can ask your ISP to widen your range and the reconfiguration of the netscreen involves only an alteration to the subnet mask.
Big answer first thing in the morning - hope this clears things up for you...
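As an added example (not part of the thread or of any poster's own work), the /29-into-two-/30s breakdown above and the asker's question 3 about carving 64 two-host subnets out of a /24 can be checked with Python's standard ipaddress module. The addresses are constructed from the 203.0.113.0/24 documentation range (RFC 5737), standing in for the block the thread masks as xxx.95.87.x; the function names are mine.

```python
import ipaddress


def layout(network: str) -> dict:
    """Describe one IPv4 subnet the way the post lays it out:
    netmask, network address, usable host range, broadcast, usable count."""
    net = ipaddress.ip_network(network, strict=True)
    hosts = list(net.hosts())  # excludes network and broadcast for /30 and larger
    return {
        "netmask": str(net.netmask),
        "network": str(net.network_address),
        "usable": f"{hosts[0]}-{hosts[-1]}" if hosts else "none",
        "broadcast": str(net.broadcast_address),
        "usable_count": len(hosts),
    }


def split(network: str, new_prefix: int) -> list:
    """Carve a block into equal-sized subnets of the given prefix length."""
    net = ipaddress.ip_network(network, strict=True)
    return [layout(str(s)) for s in net.subnets(new_prefix=new_prefix)]


def usable_lost_by_split(network: str, new_prefix: int) -> int:
    """How many host addresses turn into network/broadcast overhead when splitting."""
    before = layout(network)["usable_count"]
    after = sum(s["usable_count"] for s in split(network, new_prefix))
    return before - after


def lost_addresses(network: str, new_prefix: int) -> list:
    """The specific addresses that stop being usable after the split."""
    whole = ipaddress.ip_network(network, strict=True)
    before = set(whole.hosts())
    after = set()
    for s in whole.subnets(new_prefix=new_prefix):
        after.update(s.hosts())
    return [str(a) for a in sorted(before - after)]


if __name__ == "__main__":
    # Constructed stand-in for the thread's xxx.95.87.80/29 block.
    block = "203.0.113.80/29"
    print("whole block:", layout(block))
    for half in split(block, 30):
        print("  half:", half)
    print("usable lost by split:", usable_lost_by_split(block, 30), lost_addresses(block, 30))
    # The asker's question 3: a /24 yields 64 x /30 with two usable hosts each.
    thirties = split("203.0.113.0/24", 30)
    print("/30s in a /24:", len(thirties), "each with", thirties[0]["usable_count"], "usable")
```

Running it reproduces the post's figures: six usable hosts in the /29, two usable in each /30, and .83 and .84 lost to the new broadcast and network addresses; the /24 case confirms the "64 subnets with 2 hosts each" arithmetic.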
Have you done the first step of asking the ISP to cut the subnet into two for you? Not that you need them to tell you how to subnet but if you don't ask them to change the mask on their router and add a route to the other half of your subnet it ain't going to work.
ASKER
Is andyalder correct?
>>Is andyalder correct??
Only if I guess your topology correctly.
If you split your netblock in half and don't tell the upstream router it will broadcast an arp discovery packet to find the IP address on the local network rather than relaying it on to the next hop router.
Umm - not really mate. All the ISP needs is a route configured to the network. If it is a 29 bit mask and you split it into 2 30 bit ones IP packets to either network will still go to your perimeter router. What it does with it from there is entirely up to you...
Whether or not this can be classified as good Internet etiquette is another thing entirely.
>>ISP router managed by them: IP is 67.95.87.81 Mask 255.255.255.248
If you don't change the mask on *that* router how is it going to work? I'm guessing your topology is as below (paste to notepad to get monospaced font). If that is how you are trying to do it you have the ISP's router with /29 mask connected to your router with a /30 mask.
ISP----------ISP router on site----------nettopia------------netscreen-----------internal hosts
???----------??---------------/29----------/30---/30-----------/30-----/24-----------/24
----------------------------------------net1--------------------DMZ-----------------LAN-------------------
How did you get it to work in a routing configuration without getting the mask changed on the ISP maintained router on your network or the mask on your router and forwarding the rest on via inbound NAT?
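As an added example (not from the thread or from any poster), the disagreement between andyalder's ARP point and ferg-o's "all the ISP needs is a route" comes down to what the ISP-managed router's forwarding table says about the upper /30. The simplified longest-prefix-match below, using constructed 203.0.113.0/24 documentation addresses in place of the masked xxx.95.87.x block and assuming the Netopia's outside interface is .82, shows three tables: the router left with the whole /29 directly connected, the router with its mask narrowed plus a route, and the router with only a more-specific route added (which longest-prefix match also honours).

```python
import ipaddress

# Constructed stand-in addresses (TEST-NET-3, RFC 5737); the thread masks its real block.
NETOPIA_OUTSIDE = "203.0.113.82"   # assumed outside address of the customer's Netopia


def forwarding_decision(routes, destination):
    """Longest-prefix match over a simplified routing table.

    routes: list of (prefix, next_hop). next_hop is None for a directly connected
    network, where the router must ARP for the destination on that link.
    Returns ("arp", prefix), ("forward", next_hop) or ("no-route", None).
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix, strict=True)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return ("no-route", None)
    net, next_hop = best
    return ("arp", str(net)) if next_hop is None else ("forward", next_hop)


def handed_to_netopia(routes, destination):
    """True when the ISP router relays the packet to the Netopia rather than
    ARPing on its own segment for a host that actually sits behind the Netopia
    (that ARP gets no reply, so the packet never arrives)."""
    action, target = forwarding_decision(routes, destination)
    return action == "forward" and target == NETOPIA_OUTSIDE


# 1. ISP router as the thread describes it: the whole /29 on its LAN side.
ISP_UNTOUCHED = [("203.0.113.80/29", None)]

# 2. Mask narrowed to /30 and a route to the upper /30 via the Netopia.
ISP_MASK_CHANGED = [("203.0.113.80/30", None), ("203.0.113.84/30", NETOPIA_OUTSIDE)]

# 3. Mask left at /29 but a more-specific /30 route added; the /30 wins.
ISP_ROUTE_ONLY = [("203.0.113.80/29", None), ("203.0.113.84/30", NETOPIA_OUTSIDE)]


if __name__ == "__main__":
    dmz_host = "203.0.113.85"  # a host in the upper /30, behind the Netopia
    for name, table in (("untouched", ISP_UNTOUCHED),
                        ("mask changed", ISP_MASK_CHANGED),
                        ("route only", ISP_ROUTE_ONLY)):
        print(f"{name:13} {dmz_host} ->", forwarding_decision(table, dmz_host),
              "(reaches DMZ)" if handed_to_netopia(table, dmz_host) else "(stalls on ARP)")
```

With the untouched table the ISP router ARPs for .85 on its own segment, which is andyalder's failure case; either of the other two tables hands the packet to the Netopia, which is the route ferg-o says the ISP must configure.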
A few questions,
1) Why does your router have public IPs for both internal and external? Is it managed by you or the ISP?
2) Does the netscreen allow you to create multiple interfaces like a 3 pronged firewall? I am not familiar with the netscreen product, but the theory is the same.
3) What services do you want in the DMZ?
If your IPs on the router can't change then the diagram from ferg-o is correct. Your firewall VPN can now redirect ports to internal servers.