True DMZ configuration

Goal:  To set up a true DMZ using a packet-filtering boundary router and an actual firewall/VPN.  This is not a service-leg configuration.

Question:  I am unsure about the network configuration of the DMZ network.  I have 4 public IPs at my disposal.  It is my understanding that in this configuration I will have a completely separate network as the DMZ.  I know that I can have a private DMZ with mapped IPs for services or I can have a public DMZ.  What I really need is diagrams showing the interface configurations of the boundary router and firewall.  Or if someone could fill in the question marks below that might help.  The boundary router is a Netopia R9100 and the firewall is a NetScreen 5GT.

Boundary Router

External Interface
IP: XX.95.87.82
Mask: 255.255.255.248
Gateway:  XX.95.87.81
Internal Interface
IP: ?.?.?.?
Mask: 255.255.255.0

Firewall/VPN

External Interface
IP: ?.?.?.?
Mask: 255.255.255.0
Gateway: ?.?.?.?
Internal Interface
IP: 192.168.1.1
Mask: 255.255.255.0
donnatronious Asked:

ferg-o Commented:

I can't post diagrams here but this will do the job you are after:

Router:
External Interface
IP: XX.95.87.82
Mask: 255.255.255.252
Gateway:  XX.95.87.81
Internal Interface
IP: XX.95.87.83
Mask: 255.255.255.252

Firewall/VPN
External Interface
IP: XX.95.87.84
Mask: 255.255.255.252
Gateway: XX.95.87.83

Hope this helps - regards...

0
MikeKane Commented:
A DMZ can be set up in different ways depending upon what services you need to deliver.  

A few questions,

1) Why does your router have public IPs for both internal and external?   Is it managed by you or the ISP?  

2) Does the  netscreen allow you to create  multiple interfaces like a 3 pronged firewall? I am not familiar with the netscreen product, but the theory is the same.  

3)  What services do you want in the DMZ?  



If your IPs on the router can't change then the diagram from ferg-o is correct.   Your firewall/VPN can now redirect ports to internal servers.      
0
donnatronious Author Commented:
MikeKane

It's like this,

Internet Cloud
ISP router managed by them:  IP is 67.95.87.81 Mask 255.255.255.248 I have 82 through 86 for my use.
Netopia/Stateful Inspection Firewall:
Netscreen Application Firewall/VPN
Internal Private Network

1)  NAT will be performed by the Netscreen.  So I assume DMZ will be public.  I can't have double NAT right?
2)  I don't want a 3 pronged or so called "service leg" firewall.  I want a true double firewall DMZ.
3)  Services in the DMZ will be the VPN on the Netscreen and a possible bastion host webserver at a later date.

More questions.  
1)  Referring to the proposed configuration by ferg-o, I didn't think that a router's internal and external interface could be on the same network?
2)  I guess the above configuration would leave me 2 IPs to put other services on in the network: .85 and .86.
3)  Is it true that I could define 64 other subnets on the boundary router with 2 hosts each?
0

donnatronious Author Commented:
Both you guys are a lot of help.  It looks like I will soon be splitting points.
0
MikeKane Commented:
BTW, Donnatronious, go and collect your points from an open question I had for you.   Check my open question status and you'll see your points.

0
MikeKane Commented:
IF the router is managed by the ISP, then I wouldn't go asking them to mess with it; I find that with my local ISPs, they tend to cause more problems when I ask them to do anything.   But that's your call based on your relationship with them.  

It is odd that the router would use the same subnet on both segments unless you are subnetting.  

The usual setup is this

INTERNET CLOUD
|
Router
Internal .81
|
External .82
Firewall
Internal 192.168.1.1

The firewall could assign STATICs to internal services for specific IPs or port forwarding to spread 1 IP's services among multiple internal hosts.    

Keep .83 for PAT'ing so internal users can get out; that leaves 84, 85 and 86 for your use.  
0
donnatronious Author Commented:
MikeKane

I don't understand why you are giving me points?
0
MikeKane Commented:
That was from like 8 months ago.    It was an assist from an old question.  And I felt that the author should have split points.   Look at the date, it was back in June.
0
ferg-o Commented:
Donnatronius - when I split the subnet from 255.255.255.248 to 255.255.255.252 I put the addresses into different subnets.

I have had to do this a lot in the past doing firewall installations and I can vouch that it works - with layer 7 firewalls sometimes clients like to use valid IPs on their DMZs as NAT doesn't necessarily enhance security.

I agree with MikeKane though that if it is not your router that is the route of last resort then best not to mess with it - do as he says and keep the addresses in your external net - you waste them by splitting the subnet - as such:

netmask:    255.255.255.248
network:    xxx.95.87.80 (theoretically unusable...)
usable:      xxx.95.87.81-86
broadcast: xxx.95.87.87 (unusable)

netmask:    255.255.255.252
network:    xxx.95.87.80 (theoretically unusable...)
usable:      xxx.95.87.81-82
broadcast: xxx.95.87.83 (unusable)

netmask:    255.255.255.252
network:    xxx.95.87.84 (theoretically unusable...)
usable:      xxx.95.87.85-86
broadcast: xxx.95.87.87 (unusable)

You lose two usable addresses, .83 & .84 in the split.

To answer your question 3 - yes you could if you had the whole 24 bit range and another router of your own that you control. The netscreen can also perform this function.

This is what ISPs tend to do here in Hong Kong - they give you one usable address with a 30 bit (255.255.255.252) mask - the other usable is taken up by their managed router and becomes the route of last resort. In order to do this they need to have their border routers and DSLAMs configured with network routes (or a routing protocol like RIP) so that traffic running through their networks knows where to be directed.

To be honest with you there are a thousand different ways to set up perimeter networks - it really depends on what you want to achieve. From the above information I think it is easier for you to go with MikeKane's recommendation. Should you decide down the track that you need more external addresses (for web servers etc - which *should* be on a service leg of the NS) then you can ask your ISP to widen your range and the reconfiguration of the netscreen involves only an alteration to the subnet mask.

Big answer first thing in the morning - hope this clears things up for you...




0
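As an added worked example, not from any post in this thread: the subnet arithmetic behind the tally above, using the thread's 67.95.87.80/29 block. It splits the /29 into two /30s, lists the usable hosts of each, reports which addresses are lost in the split, and, for any proposed interface address, says whether it is a host address, the network address or the broadcast address under the mask it will be given. The last check is the one worth running before typing an address into a router or firewall interface, since a network or broadcast address will not be accepted or will not route. The interface roles and the addresses checked at the bottom are assumptions for illustration.

```python
"""Subnet arithmetic for carving an ISP-assigned /29 into two /30s.

Added example for the thread above; not code from any participant.
The block 67.95.87.80/29 is the one the asker reports; everything else
(which address goes on which interface) is assumed for illustration.
"""
import ipaddress

# Constructed from the thread: ISP router is .81, asker has .82-.86.
ISP_BLOCK = ipaddress.ip_network("67.95.87.80/29")


def usable_hosts(net):
    """Host addresses in net, excluding the network and broadcast addresses."""
    return [str(h) for h in net.hosts()]


def split(net, new_prefix):
    """Carve net into equal subnets of the given prefix length."""
    return list(net.subnets(new_prefix=new_prefix))


def lost_addresses(net, new_prefix):
    """Addresses usable in net that become unusable after splitting it."""
    before = set(net.hosts())
    after = set()
    for sub in net.subnets(new_prefix=new_prefix):
        after |= set(sub.hosts())
    return [str(a) for a in sorted(before - after)]


def check_interface(addr, prefixlen):
    """Classify a proposed interface address under the given mask.

    Returns 'host', 'network' or 'broadcast'. Only 'host' is a valid
    interface address on a /30 or shorter prefix.
    """
    iface = ipaddress.ip_interface(f"{addr}/{prefixlen}")
    net = iface.network
    if iface.ip == net.network_address:
        return "network"
    if iface.ip == net.broadcast_address:
        return "broadcast"
    return "host"


def same_subnet(addr_a, addr_b, prefixlen):
    """True if both addresses fall in the same subnet under the mask."""
    net_a = ipaddress.ip_interface(f"{addr_a}/{prefixlen}").network
    net_b = ipaddress.ip_interface(f"{addr_b}/{prefixlen}").network
    return net_a == net_b


if __name__ == "__main__":
    print(f"{ISP_BLOCK}: usable {usable_hosts(ISP_BLOCK)}")
    for sub in split(ISP_BLOCK, 30):
        print(f"  {sub}: usable {usable_hosts(sub)}, broadcast {sub.broadcast_address}")
    print(f"lost in the /30 split: {lost_addresses(ISP_BLOCK, 30)}")
    # Assumed candidate interface addresses, checked against a /30 mask.
    for candidate in ("67.95.87.82", "67.95.87.83", "67.95.87.84", "67.95.87.85"):
        print(f"  {candidate}/30 -> {check_interface(candidate, 30)}")
    print("router ext .82 and int .83 share a /29:", same_subnet("67.95.87.82", "67.95.87.83", 29))
    print("router ext .82 and fw ext .85 share a /30:", same_subnet("67.95.87.82", "67.95.87.85", 30))
```

Run it and compare the candidate list against whatever addresses you intend to assign; anything that comes back as "network" or "broadcast" needs a different address or a different mask.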
andyalder (Saggar maker's framemaker) Commented:
Have you done the first step of asking the ISP to cut the subnet into two for you? Not that you need them to tell you how to subnet but if you don't ask them to change the mask on their router and add a route to the other half of your subnet it ain't going to work.
0
donnatronious Author Commented:
Is andyalder correct?
0
andyalder (Saggar maker's framemaker) Commented:
>>Is andyalder correct?

Only if I guess your topology correctly.

If you split your netblock in half and don't tell the upstream router it will broadcast an arp discovery packet to find the IP address on the local network rather than relaying it on to the next hop router.
0
ferg-o Commented:

Umm - not really mate. All the ISP needs is a route configured to the network. If it is a 29 bit mask and you split it into 2 30 bit ones IP packets to either network will still go to your perimeter router. What it does with it from there is entirely up to you...

Whether or not this can be classified as good Internet etiquette is another thing entirely.
0
andyalder (Saggar maker's framemaker) Commented:
>>ISP router managed by them:  IP is 67.95.87.81 Mask 255.255.255.248

If you don't change the mask on *that* router how is it going to work? I'm guessing your topology is as below (paste to notepad to get monospaced font). If that is how you are trying to do it you have the ISP's router with /29 mask connected to your router with a /30 mask.


ISP----------ISP router on site----------nettopia------------netscreen-----------internal hosts
???----------??---------------/29----------/30---/30-----------/30-----/24-----------/24
--------------------------------------net1----------------DMZ--------------------LAN---------------------
0
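As an added example, not from any participant's post: a minimal longest-prefix-match forwarding table that models the decision the on-site ISP router makes for a packet bound for the far half of a split /29. With only its connected /29 route, the router treats 67.95.87.85 as a neighbour on its own LAN and ARPs for it; with a more specific /30 static route pointing at the boundary router, it forwards to that next hop instead. The topology and the route entries are assumptions built from the addresses in the thread; real routers also consult ARP state and interface status, which this model omits.

```python
"""Longest-prefix-match forwarding decision on the ISP's on-site router.

Added example for the thread above; not code from any participant.
The route entries are assumed from the thread's addresses: the ISP router
owns 67.95.87.80/29 as a connected network, and the boundary router's
outside interface is 67.95.87.82.
"""
import ipaddress


class Router:
    """Toy forwarding table: connected and static routes, longest prefix wins."""

    def __init__(self):
        self.routes = []  # (network, kind, next_hop)

    def add_connected(self, cidr):
        self.routes.append((ipaddress.ip_network(cidr), "connected", None))

    def add_static(self, cidr, next_hop):
        self.routes.append((ipaddress.ip_network(cidr), "static",
                            ipaddress.ip_address(next_hop)))

    def lookup(self, dst):
        """Return ('arp', dst), ('forward', next_hop) or ('no-route', None)."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return ("no-route", None)
        net, kind, next_hop = max(matches, key=lambda r: r[0].prefixlen)
        if kind == "connected":
            # Destination is on a directly attached LAN: resolve it with ARP.
            return ("arp", str(dst))
        return ("forward", str(next_hop))


def isp_router_without_route():
    """ISP router as delivered: only the connected /29."""
    r = Router()
    r.add_connected("67.95.87.80/29")
    return r


def isp_router_with_route():
    """Same router after a /30 static route toward the boundary router is added."""
    r = isp_router_without_route()
    r.add_static("67.95.87.84/30", "67.95.87.82")
    return r


if __name__ == "__main__":
    for label, router in (("without /30 route", isp_router_without_route()),
                          ("with /30 route", isp_router_with_route())):
        for dst in ("67.95.87.82", "67.95.87.85"):
            print(f"{label}: {dst} -> {router.lookup(dst)}")
```

The same lookup applied to 67.95.87.82 returns "arp" in both cases, which is the intended behaviour: the boundary router's outside interface really is on the ISP router's LAN, so only the far /30 needs the extra route.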
andyalder (Saggar maker's framemaker) Commented:
How did you get it to work in a routing configuration without getting the mask changed on the ISP maintained router on your network or the mask on your router and forwarding the rest on via inbound NAT?
0