Solved

True DMZ configuration

Posted on 2003-11-21
15
2,569 Views
Last Modified: 2012-08-13
Goal:  To set up a true DMZ using a packet filtering boundary router and an actual firewall/VPN.  This is not a service leg configuration.

Question:  I am unsure about the config for the network configuration of the DMZ network.  I have 4 public IPs at my disposal.  It is my understanding that in this configuration I will have a completely separate network as the DMZ.  I know that I can have a private DMZ with mapped IPs for services or I can have a public DMZ.  What I really need is diagrams showing the interface configurations of the boundary router and firewall.  Or if someone could fill in the question marks below that might help.  The boundary router is a Netopia R9100 and the firewall is a NetScreen 5GT.

Boundary Router

External Interface
IP: XX.95.87.82
Mask: 255.255.255.248
Gateway:  XX.95.87.81
Internal Interface
IP: ?.?.?.?
Mask: 255.255.255.0

Firewall/VPN

External Interface
IP: ?.?.?.?
Mask: 255.255.255.0
Gateway: ?.?.?.?
Internal Interface
IP: 192.168.1.1
Mask: 255.255.255.0
0
Question by:donnatronious
15 Comments
 
LVL 4

Accepted Solution

by:
ferg-o earned 300 total points
ID: 9808974

I can't post diagrams here but this will do the job you are after:

Router:
External Interface
IP: XX.95.87.82
Mask: 255.255.255.252
Gateway:  XX.95.87.81
Internal Interface
IP: XX.95.87.83
Mask: 255.255.255.252

Firewall/VPN
External Interface
IP: XX.95.87.84
Mask: 255.255.255.252
Gateway: XX.95.87.83

Hope this helps - regards...




0
 
LVL 33

Expert Comment

by:MikeKane
ID: 9818061
A DMZ can be set up in different ways depending upon what services you need to deliver.  

A few questions,

1) Why does your router have public IPs for both internal and external?   Is it managed by you or the ISP?  

2) Does the NetScreen allow you to create multiple interfaces, like a 3-pronged firewall? I am not familiar with the NetScreen product, but the theory is the same.  

3)  What services do you want in the DMZ?  



If your IPs on the router can't change, then the diagram from ferg-o is correct.   Your firewall/VPN can now redirect ports to internal servers.      
0
 

Author Comment

by:donnatronious
ID: 9819308
MikeKane

It's like this:

Internet Cloud
ISP router managed by them:  IP is 67.95.87.81 Mask 255.255.255.248 I have 82 through 86 for my use.
Netopia/Stateful Inspection Firewall:
Netscreen Application Firewall/VPN
Internal Private Network

1)  NAT will be performed by the NetScreen.  So I assume the DMZ will be public.  I can't have double NAT, right?
2)  I don't want a 3 pronged or so called "service leg" firewall.  I want a true double firewall DMZ.
3)  Services in the DMZ will be the VPN on the NetScreen and a possible bastion host web server at a later date.

More questions.  
1)  Referring to the proposed configuration by ferg-o, I didn't think that a router's internal and external interface could be on the same network?
2)  I guess the above configuration would leave me 2 IPs to put other services on in the network: .85 and .86.
3)  Is it true that I could define 64 other subnets on the boundary router with 2 hosts each?
0
 

Author Comment

by:donnatronious
ID: 9819319
Both you guys are a lot of help.  It looks like I will soon be splitting points.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 9819358
BTW, Donnatronious, go and collect your points from an open question I had for you.   Check my open question status and you'll see your points.

0
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 200 total points
ID: 9819462
If the router is managed by the ISP, then I wouldn't go asking them to mess with it; I find that with my local ISPs, they tend to cause more problems when I ask them to do anything.   But that's your call based on your relationship with them.  

It is odd that the router would use the same subnet on both segments unless you are subnetting.  

The usual setup is this

INTERNET CLOUD
|
Router
Internal .81
|
External .82
Firewall
Internal 192.168.1.1

The firewall could assign STATICs to internal services for specific IPs, or port forwarding to spread 1 IP's services among multiple internal hosts.    

Keep .83 for PAT'ing so internal users can get out; that leaves .84, .85 and .86 for your use.  
0
 

Author Comment

by:donnatronious
ID: 9819863
MikeKane

I don't understand why you are giving me points?
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 9819899
That was from like 8 months ago.    It was an assist from an old question, and I felt that the author should have split points.   Look at the date, it was back in June.
0
 
LVL 4

Expert Comment

by:ferg-o
ID: 9822120
Donnatronious - when I split the subnet from 255.255.255.248 to 255.255.255.252 I put the addresses into different subnets.

I have had to do this a lot in the past doing firewall installations and I can vouch that it works - with layer 7 firewalls sometimes clients like to use valid IPs on their DMZs as NAT doesn't necessarily enhance security.

I agree with MikeKane though that if it is not your router that is the route of last resort then best not to mess with it - do as he says and keep the addresses in your external net - you waste them by splitting the subnet - as such:

netmask:    255.255.255.248
network:    xxx.95.87.80 (theoretically unusable...)
usable:      xxx.95.87.81-86
broadcast: xxx.95.87.87 (unusable)

netmask:    255.255.255.252
network:    xxx.95.87.80 (theoretically unusable...)
usable:      xxx.95.87.81-82
broadcast: xxx.95.87.83 (unusable)

netmask:    255.255.255.252
network:    xxx.95.87.84 (theoretically unusable...)
usable:      xxx.95.87.85-86
broadcast: xxx.95.87.87 (unusable)

You lose two usable addresses, .83 & .84 in the split.

To answer your question 3 - yes you could if you had the whole 24 bit range and another router of your own that you control. The netscreen can also perform this function.

This is what ISPs tend to do here in Hong Kong - they give you one usable address with a 30 bit (255.255.255.252) mask - the other usable is taken up by their managed router and becomes the route of last resort. In order to do this they need to have their border routers and DSLAMs configured with network routes (or a routing protocol like RIP) so that traffic running through their networks knows where to be directed.

To be honest with you there are a thousand different ways to set up perimeter networks - it really depends on what you want to achieve. From the above information I think it is easier for you to go with MikeKane's recommendation. Should you decide down the track that you need more external addresses (for web servers etc - which *should* be on a service leg of the NS) then you can ask your ISP to widen your range and the reconfiguration of the netscreen involves only an alteration to the subnet mask.

Big answer first thing in the morning - hope this clears things up for you...




0
 
LVL 55

Expert Comment

by:andyalder
ID: 9868832
Have you done the first step of asking the ISP to cut the subnet into two for you? Not that you need them to tell you how to subnet but if you don't ask them to change the mask on their router and add a route to the other half of your subnet it ain't going to work.
0
 

Author Comment

by:donnatronious
ID: 9870346
Is andyalder correct?
0
 
LVL 55

Expert Comment

by:andyalder
ID: 9870638
>>Is andyalder correct?

Only if I guess your topology correctly.

If you split your netblock in half and don't tell the upstream router, it will broadcast an ARP discovery packet to find the IP address on the local network rather than relaying it on to the next hop router.
0
 
LVL 4

Expert Comment

by:ferg-o
ID: 9872629

Umm - not really mate. All the ISP needs is a route configured to the network. If it is a 29-bit mask and you split it into two 30-bit ones, IP packets to either network will still go to your perimeter router. What it does with them from there is entirely up to you...

Whether or not this can be classified as good Internet etiquette is another thing entirely.
0
 
LVL 55

Expert Comment

by:andyalder
ID: 9873391
>>ISP router managed by them:  IP is 67.95.87.81 Mask 255.255.255.248

If you don't change the mask on *that* router how is it going to work? I'm guessing your topology is as below (paste to notepad to get monospaced font). If that is how you are trying to do it you have the ISP's router with /29 mask connected to your router with a /30 mask.


ISP----------ISP router on site----------nettopia------------netscreen-----------internal hosts
???----------??---------------/29----------/30---/30-----------/30-----/24-----------/24
--------------------------------------net1----------------DMZ--------------------LAN---------------------
0
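The subnet arithmetic in ferg-o's table above (a /29 split into two /30s, losing .83 and .84), donnatronious's question about 64 two-host subnets in a /24, and andyalder's point about the ISP router ARPing for addresses it still believes are on-link, worked through as an added example. This is not code from anyone in the thread; it uses Python's standard ipaddress module, and 203.0.113.80/29 (RFC 5737 documentation space) is a constructed stand-in for the XX.95.87.80/29 range, with .81 as the ISP router and .82 as the Netopia's external address as in the thread. The forwarding model is a plain longest-prefix match over the ISP router's connected subnet plus any static routes it has been given, with no default route; that is an assumption about a generic router, not a description of the ISP's actual configuration.

```python
import ipaddress

# Constructed stand-in for the thread's XX.95.87.80/29 block (RFC 5737 documentation space).
# .81 = ISP router, .82 = Netopia external, .83-.86 = the rest of the /29.
ISP_BLOCK = "203.0.113.80/29"


def subnet_report(cidr):
    """Netmask, network, usable range and broadcast for one prefix, in the layout ferg-o used."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "netmask": str(net.netmask),
        "network": str(net.network_address),
        "usable": f"{hosts[0]}-{hosts[-1]}",
        "broadcast": str(net.broadcast_address),
    }


def split_block(cidr, new_prefix):
    """Carve a block into equal children of the given prefix length, e.g. one /29 into two /30s."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(child) for child in net.subnets(new_prefix=new_prefix)]


def addresses_lost_by_split(cidr, new_prefix):
    """Parent host addresses that turn into network or broadcast addresses in the children."""
    parent = ipaddress.ip_network(cidr, strict=False)
    child_hosts = set()
    for child in parent.subnets(new_prefix=new_prefix):
        child_hosts.update(child.hosts())
    return [str(a) for a in sorted(set(parent.hosts()) - child_hosts)]


def forwarding_decision(interface_cidr, static_routes, destination):
    """Model the upstream (ISP) router's forwarding choice for one destination.

    interface_cidr: its on-site port, address plus mask, e.g. "203.0.113.81/29".
    static_routes:  list of (prefix, next_hop) tuples the ISP has added for you.
    Longest-prefix match over the connected subnet and the statics; no default route is
    modelled (assumption). Returns ("on-link", None) when the connected subnet wins, meaning
    the router ARPs for the destination on the local segment instead of forwarding it, or
    ("next-hop", ip) when a static route wins.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    dst = ipaddress.ip_address(destination)
    table = [(iface.network, None)]
    table += [(ipaddress.ip_network(p), ipaddress.ip_address(h)) for p, h in static_routes]
    matches = [(net, hop) for net, hop in table if dst in net]
    if not matches:
        return ("no-route", None)
    net, hop = max(matches, key=lambda entry: entry[0].prefixlen)
    return ("on-link", None) if hop is None else ("next-hop", str(hop))


if __name__ == "__main__":
    print("whole block:", subnet_report(ISP_BLOCK))
    for child in split_block(ISP_BLOCK, 30):
        print("child:", subnet_report(child))
    print("lost to the split:", addresses_lost_by_split(ISP_BLOCK, 30))
    # Question 3 in the thread: a whole /24 yields 64 two-host (/30) subnets.
    print("/30s in a /24:", len(split_block("203.0.113.0/24", 30)))

    # ISP router left with its /29 mask and no extra route: .85 looks on-link, so it ARPs for it.
    print(forwarding_decision("203.0.113.81/29", [], "203.0.113.85"))
    # ISP router narrowed to /30 and given a route for the upper /30 via the Netopia (.82).
    far_half = [("203.0.113.84/30", "203.0.113.82")]
    print(forwarding_decision("203.0.113.81/30", far_half, "203.0.113.85"))
    print(forwarding_decision("203.0.113.81/30", far_half, "203.0.113.82"))
    # Mask left at /29 but the /30 static added: the more specific route wins the match.
    print(forwarding_decision("203.0.113.81/29", far_half, "203.0.113.85"))
```

The "on-link" result for .85 with the /29 still on the ISP interface is the failure mode andyalder describes: the packet never reaches the Netopia, and from the outside the upper half of the block simply times out. The last call shows what longest-prefix match does when only a more specific static route is added, which is the case ferg-o describes.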
 
LVL 55

Expert Comment

by:andyalder
ID: 10176723
How did you get it to work in a routing configuration without getting the mask changed on the ISP maintained router on your network or the mask on your router and forwarding the rest on via inbound NAT?
0
