• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 649

Watchguard Firebox II and 700.

Hi,
I'm having a little trouble configuring a WatchGuard Firebox II. I also have a Firebox 700, but see little difference between the two and will probably sell off the 700 as it is worth more.

The problem is that I have configured the network interfaces on separate networks: trusted interface 192.168.0.1, optional interface 192.168.1.1, and the external is set by DHCP. I have configured separate HTTP proxies for two types of access, limited and full access to the Internet (trusted), and set up a web server and FTP (optional), and this all seems to be OK. The problem I am having is getting the optional and trusted interfaces to communicate: the servers on the optional cannot log into or see the network. I temporarily can get around this by adding a second NIC in the three public servers and assigning them trusted IPs, but I am sure there is a way to allow communication between my trusted and optional interfaces so files can be shared and websites developed etc. I just can't seem to get the two to communicate through the Firebox.

I would also like to know, if possible, the benefits of the FBIII 700 over the Firebox II other than the mild CPU speed difference.

Once this part is done I am on to an Exchange server question I have regarding this network as well.

Thanks in advance.
Asked by: flosoft
1 Solution
 
flosoft (Author) commented:
To be a little more specific: I want my optional-side servers to be able to log into the network and also allow file and print sharing, both optional > trusted and trusted > optional, without opening up more than I need to.
 
Abgraal commented:
For the first question:
(why your optional cannot communicate with the trusted while the trusted can communicate with the optional)
You are using HTTP proxies. This kind of proxy is particular: the outgoing HTTP proxy takes charge of ALL your outgoing TCP connections, but the incoming one is only in charge of the HTTP connections.
So outgoing connections are implicitly allowed, but you have to explicitly allow the incoming connections. This depends on the type of access you want to allow. (Ask for any specific configuration help.)
There is no problem with different IP addresses on your interfaces (the Firebox uses a reverse ARP proxy).

If you want to allow file and computer sharing, just add the "SMB" service, and allow communication between your optional servers (based on IP addresses if you can) and the trusted zone.

Note that this kind of configuration is not recommended, because it will allow incoming NetBIOS communication. NetBIOS is a very sensitive protocol, with a lot of flaws, and so it is dangerous to allow incoming NetBIOS communications.
 
flosoft (Author) commented:
So basically you are saying that there is no way to securely allow communication between the trusted and optional interfaces? This setup is in a small office so all equipment is close together. If I simply add a second NIC to all servers on the optional network, would this be a normal way of doing this? This way I would get communication for file/print and logon via the trusted NICs and be able to serve the Internet via the optional NICs, as long as I do not bridge the two NICs. I do not believe that someone could take advantage of the trusted NIC as they would never see it unless they were on the trusted interface, correct? Or would there be a way for someone to utilize the trusted NIC?

Thanks
 
Abgraal commented:
No, I don't say that there is no way to securely allow communication between trusted and optional.
The architecture I proposed to you is secure, and I think it's the best way to do it.
I'm just saying that NetBIOS is sensitive: if a server in your DMZ is compromised, then the assailant will probably use the open NetBIOS communications to get access to your internal network.

If you use a second network card:
- If you use it to bypass communications between trusted and DMZ, this is not secure at all, because it will make an unfiltered bridge between DMZ and trusted.
- If you use it to make firewall filters on the specific private IP of the new NICs, this would be as secure as the solution I proposed, but in this case you'll have to define a secondary network on the optional interface. And, once again, if your server in the optional is compromised, the assailant could use it.

If you have additional questions, just ask!
Good luck.
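The two designs discussed in this thread, as an added example that is not part of the original thread and is not WatchGuard configuration syntax: a small Python model of the zone policy Abgraal recommends (trusted > optional passes implicitly, optional > trusted only for the SMB service and only from named server addresses) beside the "second NIC as an unfiltered bridge" alternative from the second reply. It then computes what a compromised optional-side host could still open toward the trusted LAN under each policy, which is the blast-radius check a practitioner would want before allowing NetBIOS inbound. The server addresses 192.168.1.10/.11, the trusted targets 192.168.0.1/.10, the external probe address and the `Rule` format are all assumptions for the illustration; only the two subnets come from the question.

```python
"""Zone policy model for a three-interface firewall (trusted / optional / external).

Constructed illustration for the thread above: the 'outbound passes implicitly,
inbound needs an explicit service rule' behaviour follows the reply, but the
Rule syntax here is invented and is not WatchGuard Firebox configuration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterable, Optional

# Higher number = more trusted.  Traffic from a more trusted zone to a less
# trusted one is "outbound" and passes without a rule in this model.
TRUST = {"trusted": 2, "optional": 1, "external": 0}

# Subnets from the question; any other address is treated as external.
ZONES = {
    "trusted": ip_network("192.168.0.0/24"),
    "optional": ip_network("192.168.1.0/24"),
}

# The "SMB" service: NetBIOS name/datagram service, NetBIOS session, direct SMB.
SMB_PORTS = frozenset({("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)})


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


@dataclass(frozen=True)
class Rule:
    """Explicit allow: src hosts -> dst hosts on the given (proto, port) set.
    ports=None means every port (used below to model the unfiltered bridge)."""
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[frozenset] = None

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        if ip_address(src_ip) not in self.src or ip_address(dst_ip) not in self.dst:
            return False
        return self.ports is None or (proto, dport) in self.ports


def allowed(rules: Iterable[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Outbound (more trusted -> less trusted) is implicitly allowed; anything
    else passes only if an explicit rule matches."""
    if TRUST[zone_of(src_ip)] > TRUST[zone_of(dst_ip)]:
        return True
    return any(r.matches(src_ip, dst_ip, proto, dport) for r in rules)


# Policy A: what the first reply recommends.  Only the two public servers
# (hypothetical addresses) may reach the trusted LAN, and only on SMB ports.
NARROW_POLICY = [
    Rule(ip_network("0.0.0.0/0"), ip_network("192.168.1.10/32"),
         frozenset({("tcp", 80), ("tcp", 21)})),          # Internet -> web/FTP server
    Rule(ip_network("192.168.1.10/32"), ZONES["trusted"], SMB_PORTS),
    Rule(ip_network("192.168.1.11/32"), ZONES["trusted"], SMB_PORTS),
]

# Policy B: the second NIC used to bypass the firewall.  Nothing between the
# two subnets is inspected, which this model expresses as an any/any rule.
BRIDGE_POLICY = [
    Rule(ZONES["optional"], ZONES["trusted"], None),
]

# Trusted hosts (assumed: gateway and a file/logon server) and the ports an
# attacker on a DMZ box would try first.
TRUSTED_TARGETS = ["192.168.0.1", "192.168.0.10"]
PROBE_PORTS = SMB_PORTS | frozenset({("tcp", 135), ("tcp", 3389), ("tcp", 22)})


def exposure(rules: Iterable[Rule], src_ip: str) -> set:
    """Everything src_ip can open toward the trusted hosts: the blast radius
    if that host is compromised."""
    rules = list(rules)
    return {(dst, proto, port)
            for dst in TRUSTED_TARGETS
            for proto, port in sorted(PROBE_PORTS)
            if allowed(rules, src_ip, dst, proto, port)}


def main() -> None:
    for name, policy in (("narrow SMB rule", NARROW_POLICY), ("second-NIC bridge", BRIDGE_POLICY)):
        for src in ("192.168.1.10", "192.168.1.20"):
            n = len(exposure(policy, src))
            print(f"{name:18} from {src}: {n} reachable (host, proto, port) tuples")


if __name__ == "__main__":
    main()
```

Under the narrow policy a listed server reaches the trusted hosts on the four SMB ports and nothing else, an unlisted optional-side host (say a rogue machine plugged into the DMZ switch) reaches nothing, and the Internet still only gets to the web/FTP server. Under the bridge every port on every trusted host is reachable from every optional-side host, which is the "unfiltered bridge" the second reply warns about. The residual risk Abgraal names is visible in the narrow case too: the eight SMB tuples are exactly what a compromised public server can use against the LAN, so that rule is worth pairing with host hardening on the servers and logging of accepted optional > trusted connections.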
