Solved

Watchguard Firebox II and 700.

Posted on 2004-10-05
639 Views
Last Modified: 2013-11-16
Hi,
I'm having a little trouble configuring a WatchGuard Firebox II. I also have a Firebox 700, but see little difference between the two and will probably sell off the 700 as it is worth more.

The problem is that I have configured the network interfaces on separate networks: trusted interface 192.168.0.1, optional interface 192.168.1.1, with the external interface set by DHCP. I have configured separate HTTP proxies for two types of access, limited and full access to the internet (trusted), and set up a web server and FTP (optional); this all seems to be OK. The problem I am having is getting the optional and trusted interfaces to communicate: the servers on the optional side cannot log into or see the network. I temporarily got around this by adding a second NIC to the three public servers and assigning them trusted IPs, but I am sure there is a way to allow communications between my trusted and optional interfaces so files can be shared, websites developed, etc. I just can't seem to get the two to communicate through the Firebox.

I would also like to know, if possible, what the benefits of the FBIII 700 are over the Firebox II, other than the mild CPU speed difference.

Once this part is done I am on to an Exchange server question I have regarding this network as well.

Thanks in advance.
Question by:flosoft
4 Comments

Author Comment

by:flosoft
ID: 12238627
To be a little more specific: I want my optional-side servers to be able to log into the network and also allow file and print sharing, both optional > trusted and trusted > optional, without opening up more than I need to.
LVL 2

Expert Comment

by:Abgraal
ID: 12338183
For the 1st question:
(why your optional cannot communicate with the trusted while the trusted can communicate with the optional)
You are using HTTP proxies. This kind of proxy is particular: the outgoing HTTP proxy takes charge of ALL your outgoing TCP connections, but the incoming one is only in charge of the HTTP connections.
So outgoing connections are implicitly allowed, but you have to explicitly allow the incoming connections. This depends on the type of access you want to allow. (Ask for any specific configuration help.)
There is no problem with different IP addresses on your interfaces (the Firebox uses reverse ARP proxy).

If you want to allow file and computer sharing, just add the "SMB" service, and allow communication between your optional servers (based on IP addresses if you can) and the trusted zone.

Note that this kind of configuration is not recommended, because it will allow incoming NetBIOS communication. NetBIOS is a very sensitive protocol, with a lot of flaws, and so it is dangerous to allow incoming NetBIOS communications.


Author Comment

by:flosoft
ID: 12338591
So basically you are saying that there is no way to securely allow communications between the trusted and optional interfaces? This setup is in a small office so all equipment is close together. If I simply add a second NIC to all servers on the optional network, would this be a normal way of doing this? This way I would get communications for file/print and logon via the trusted NICs and be able to serve the internet via the optional ones, as long as I do not bridge the two NICs. I do not believe that someone could take advantage of the trusted NIC as they would never see it unless they were on the trusted interface, correct? Or would there be a way for someone to utilize the trusted NIC?

Thanks
LVL 2

Accepted Solution

by:
Abgraal earned 250 total points
ID: 12338705
No, I don't say that there is no way to securely allow communication between trusted and optional.
The architecture I proposed to you is secure, and I think it's the best way to do it.
I'm just saying that NetBIOS is sensitive: if a server in your DMZ is compromised, then the assailant will probably use the open NetBIOS communications to get access to your internal network.

If you use a second network card:
- If you use it to bypass communications between trusted and DMZ, this is not secure at all, because it will make an unfiltered bridge between DMZ and trusted.
- If you use it to make firewall filters on the specific private IPs of the new NICs, this would be as secure as the solution I proposed, but in this case you'll have to define a secondary network on the optional interface. And, once again, if your server in the optional zone is compromised, the assailant could use it.

If you have additional questions, just ask!
Good luck.

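The two designs debated above, as an added model that is not from the thread or from WatchGuard: the expert's filtered design (outgoing implicitly allowed, incoming to trusted only for SMB from listed optional-side IPs) beside the second-NIC bridge, evaluated over the question's own address ranges. The SMB port list and the rule shape are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zones from the question: trusted 192.168.0.x, optional (DMZ) 192.168.1.x.
TRUSTED = ip_network("192.168.0.0/24")
OPTIONAL = ip_network("192.168.1.0/24")
# Ports assumed for the Firebox "SMB" service: NetBIOS name/datagram/session + CIFS.
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def zone(addr: str) -> str:
    a = ip_address(addr)
    if a in TRUSTED:
        return "trusted"
    if a in OPTIONAL:
        return "optional"
    return "external"


def filtered_policy(flow: Flow, smb_from: tuple[str, ...]) -> bool:
    """Expert's design: trusted-originated flows pass (outgoing proxy), flows
    into trusted pass only as SMB from the listed optional-side server IPs."""
    src_zone, dst_zone = zone(flow.src), zone(flow.dst)
    if src_zone == "trusted":
        return True
    if dst_zone == "trusted" and src_zone == "optional":
        allowed_src = {ip_address(a) for a in smb_from}
        return ip_address(flow.src) in allowed_src and (flow.proto, flow.port) in SMB_PORTS
    return False  # no rule for anything else into trusted


def bridged_policy(flow: Flow) -> bool:
    """Second NIC on each DMZ server cabled into trusted: the Firebox never sees
    the traffic, so every optional<->trusted flow passes unfiltered."""
    return {zone(flow.src), zone(flow.dst)} <= {"trusted", "optional"}


def reachable_from(src: str, dst: str, policy) -> set[tuple[str, int]]:
    """Probe set (constructed) a compromised DMZ host at src could reach on dst."""
    probes = [("tcp", 445), ("tcp", 139), ("tcp", 3389), ("tcp", 1433), ("udp", 137)]
    return {(p, port) for p, port in probes if policy(Flow(src, dst, p, port))}
```

Under the filtered design a compromised web server still reaches the trusted SMB ports (the expert's caveat), but nothing else; under the bridge it reaches every probed port.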
