Solved

Need to add a firewall, need help with topology and design

Posted on 2004-10-21
Last Modified: 2013-11-16
We have a LAN of about 25 users in a 98/2000/XP environment. Currently, we are running one Windows 2000 server machine that handles AD, printers, file sharing, DNS, DHCP, etc. All users currently have access to the internet through a Cisco 1720 Router on a Fractional T1. The router is doing the NAT, and does not have firewall capabilities in IOS.

My goal is to be able to have a segment for our company LAN, a segment for a mailserver and eventually a web server, and a public segment for wireless internet access only.  I would also eventually like to have the ability to VPN into the company network to administer systems from home.

I do not want to purchase a separate firewall like a PIX.  I'm hoping to do this with what I have.

This is what I currently have:
                   (192.168.1.x)  ________
Private LAN ---------------------|        |------**** Internet (xxx.xxx.93.78)
                                 | Router |
                                 |________|


This is what I'm thinking I need to do, I just need some ideas...

                                     (192.168.30.x)  _______________  (192.168.50.x)  ________
Public Wireless Internet LAN -----------------------|               |----------------|        |------**** Internet (xxx.xxx.93.78)
                                      (192.168.1.x) |     Linux     |                | Router |
Private Internet and File-sharing LAN --------------|   Firewall    |                |________|
                                      (192.168.5.x) |               |
Mail/Web Server ------------------------------------|_______________|

Will this topology work? With the correct rules, is this an appropriate solution?

One thing I learned from playing with this is that I have a DHCP server on my Private LAN to assign IP addresses. On my PUBLIC LAN for wireless users, I do not have anything to assign IP addresses. Is this something I should or should not do on my firewall for that particular interface facing the PUBLIC network?

Do I need more than one IP address from our ISP to host a mail or web server?  Can I just use the current one we have?

Thanks,

Deeky
Question by:deeky
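The policy the second diagram implies, written out as an added example (not from the question or any of the answers): an iptables script for a Fedora-style Linux firewall with four interfaces. The interface names eth0 to eth3, the DMZ host addresses 192.168.5.10 (mail) and 192.168.5.11 (web), and the decision to masquerade behind the firewall's 192.168.50.x address so the 1720 needs no extra routes are assumptions. The 1720 has to forward TCP 25 and 80 from the public address to the firewall's outside address for the DMZ port-forwards to be reached. DHCP for the wireless segment is deliberately not offered by the firewall; the INPUT policy drops everything wireless clients send to the box itself.

```shell
#!/bin/sh
# Three-legged firewall for the topology in the question.
# Added example; not from the thread. Interface names, DMZ host addresses
# and the transit network toward the router are assumptions.
# Run without arguments to print the ruleset; APPLY=1 ./fw.sh loads it.
set -eu

OUT_IF=eth0    # toward the Cisco 1720, 192.168.50.0/24 transit network
LAN_IF=eth1    # private LAN, 192.168.1.0/24
DMZ_IF=eth2    # mail/web servers, 192.168.5.0/24
WIFI_IF=eth3   # public wireless, 192.168.30.0/24
MAIL_HOST=192.168.5.10   # assumed DMZ addresses
WEB_HOST=192.168.5.11

# Print the policy in iptables-restore format. Everything not explicitly
# accepted is logged (rate-limited) and then dropped by the chain policy.
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Services the router forwards to our outside address go to the DMZ hosts
-A PREROUTING -i $OUT_IF -p tcp --dport 25 -j DNAT --to-destination $MAIL_HOST
-A PREROUTING -i $OUT_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST
# Hide all three inside segments behind the firewall's outside address
-A POSTROUTING -o $OUT_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The firewall itself: loopback, replies, and SSH from the private LAN only
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
# Replies to accepted flows, in any direction
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# Private LAN: the Internet, and only the published services in the DMZ
-A FORWARD -i $LAN_IF -o $OUT_IF -j ACCEPT
-A FORWARD -i $LAN_IF -o $DMZ_IF -p tcp -m multiport --dports 22,25,80,110,143,443 -j ACCEPT
# DMZ: may only talk outward, and only what a mail/web host needs
-A FORWARD -i $DMZ_IF -o $OUT_IF -p udp --dport 53 -j ACCEPT
-A FORWARD -i $DMZ_IF -o $OUT_IF -p tcp -m multiport --dports 25,53,80,443 -j ACCEPT
-A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
# Internet: only the port-forwarded services, to the specific DMZ hosts
-A FORWARD -i $OUT_IF -o $DMZ_IF -d $MAIL_HOST -p tcp --dport 25 -j ACCEPT
-A FORWARD -i $OUT_IF -o $DMZ_IF -d $WEB_HOST -p tcp --dport 80 -j ACCEPT
# Public wireless: Internet only; never the private LAN or the DMZ
-A FORWARD -i $WIFI_IF -o $LAN_IF -j DROP
-A FORWARD -i $WIFI_IF -o $DMZ_IF -j DROP
-A FORWARD -i $WIFI_IF -o $OUT_IF -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
COMMIT
EOF
}

apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules | iptables-restore
}

if [ "${APPLY:-0}" = 1 ]; then apply_rules; else gen_rules; fi
```

Run with no arguments it prints the ruleset for review; `APPLY=1 ./fw.sh` turns on forwarding and loads it with iptables-restore. Because DNAT happens before filtering, the Internet-to-DMZ rules match on the translated private destination, and the ESTABLISHED,RELATED rule at the top of FORWARD is what lets the replies back out. If the firewall must hand out addresses on the wireless segment after all, it needs `-A INPUT -i eth3 -p udp --dport 67 -j ACCEPT` before the LOG rule. On OpenBSD the same policy would be written in pf.conf instead.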
9 Comments

Accepted Solution

by: chris_calabrese (earned 1200 total points)
ID: 12374298
This is a sound topology and an appropriate solution.

You might want to consider OpenBSD instead of Linux, since it's geared specifically at this type of thing.

The argument for a separate DHCP server on the wireless link is that you don't have to worry about your firewall being breached if the DHCP server software has holes. The easiest way to do this is probably using a cheap intended-for-home-use wireless access point with built-in DHCP support.

You could probably get away without having additional IP addresses, but your life will be a lot easier if you have more IPs. In addition to IPs for the mail and web servers, you'll also want one for VPN since IPSec doesn't like NAT.

Author Comment

by:deeky
ID: 12374569
Let's talk a little more about additional IP addresses. Is it possible to have more than one IP address on a single router external interface? For example, I currently have a WIC 1DSU card in my serial0 on the router. Would I need to add an additional card or have a router capable of multiple WIC cards in order to have additional IP addresses pointed toward my router from the internet? I remember reading something about getting a block of addresses from my ISP. If so, what is this method called so that I can read about it?

In that case, will I be able to have one IP address used for our internet which runs NAT, one IP address for VPN that is routed without NAT, one IP address that is dedicated for the email server, etc.?

In the meantime, I'm going to look for OpenBSD and try to learn how to deploy it. I have spent quite a bit of time in Linux, but still haven't invested too much yet. I presume they are similar from a command line point of view.

Thanks,

Deeky

Expert Comment

by:chris_calabrese
ID: 12374781
There are two ways that your ISP could assign you IP addresses.

One is to give you a block that you use behind your router, in addition to the one for the front-end interface of the router. It should be obvious what to do in this case...

The other is to give you a few scattered IPs or a single block without the extra one for the front of your router.

You won't need multiple cards on your router in this case, but you need to tell your router to listen on multiple IPs on the same interface and then forward them to the other interface. There is a way to do this in Cisco IOS, but I don't remember the particular commands involved. And I don't know if it would be supported on your low-end router.

On the other hand, you could ditch the router altogether and put a T1 card directly into the Linux/OpenBSD box...

As for OpenBSD, it also comes from a Unix heritage, so it's not entirely dissimilar to Linux. System administration stuff is pretty different, though. www.openbsd.org
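When the ISP routes a block to you and, as the comment suggests, the T1 terminates on the Linux box itself (or the 1720 simply routes the block to the firewall's outside interface without translating it), each public address can be bound to the outside interface and mapped one-to-one onto a DMZ host, with one address kept untranslated for an IPsec endpoint on the firewall. This is an added example, not from the thread; the block 203.0.113.0/29 (a documentation range), the interface name and the DMZ addresses are assumptions.

```shell
#!/bin/sh
# Static (one-to-one) NAT for a public block routed to the firewall's
# outside interface. Added example, not from the thread. The block
# 203.0.113.0/29 (a documentation range), the interface and the DMZ host
# addresses are assumptions; substitute what your ISP assigns.
# Run without arguments to print what would be done; APPLY=1 executes it.
set -eu

OUT_IF=eth0
PUB_FW=203.0.113.2     # the interface's primary address; also the shared NAT address
PUB_VPN=203.0.113.3    # IPsec endpoint on the firewall itself, never translated
PUB_MAIL=203.0.113.4   # maps one-to-one to the mail server
PUB_WEB=203.0.113.5    # maps one-to-one to the web server
MAIL_HOST=192.168.5.10
WEB_HOST=192.168.5.11
PRIVATE=192.168.0.0/16 # every inside segment; the only sources we translate

# Extra addresses on the outside interface, so the box answers for every
# public address the ISP delivers to it.
gen_addresses() {
    for a in $PUB_VPN $PUB_MAIL $PUB_WEB; do
        echo "ip addr add $a/29 dev $OUT_IF"
    done
}

# Inbound to a public address reaches its DMZ host; outbound from that host
# leaves with the same public address, so the mail server has one stable
# identity for reverse DNS. Only private sources are translated, which is
# what keeps the firewall's own IKE and ESP packets from $PUB_VPN untouched.
# The nat table stops at the first matching rule, so the host-specific SNAT
# lines must precede the catch-all.
gen_nat() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $OUT_IF -d $PUB_MAIL -j DNAT --to-destination $MAIL_HOST
-A PREROUTING -i $OUT_IF -d $PUB_WEB -j DNAT --to-destination $WEB_HOST
-A POSTROUTING -o $OUT_IF -s $MAIL_HOST -j SNAT --to-source $PUB_MAIL
-A POSTROUTING -o $OUT_IF -s $WEB_HOST -j SNAT --to-source $PUB_WEB
-A POSTROUTING -o $OUT_IF -s $PRIVATE -j SNAT --to-source $PUB_FW
COMMIT
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    gen_addresses | sh
    gen_nat | iptables-restore
else
    gen_addresses
    gen_nat
fi
```

Only the nat table is shown. The filter table still has to restrict what reaches each DMZ host after translation (the DNAT forwards every port of 203.0.113.4 to the mail server, so FORWARD must accept only TCP 25 to it) and has to accept UDP 500 and ESP addressed to 203.0.113.3 on INPUT. Translating only 192.168.0.0/16 sources is deliberate: a plain `-j MASQUERADE` on the outside interface would also rewrite the firewall's own packets sourced from 203.0.113.3, which is exactly the NAT the accepted answer says IPsec dislikes.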

Author Comment

by:deeky
ID: 12558987
I don't think I have the patience to learn yet another package like OpenBSD. I am getting comfortable with Fedora 2 at both the command line and the GUI.

My next question regarding the firewall would be: how would a PIX compare to an iptables firewall running on Fedora 2? Besides the maintenance factor of having essentially another computer with an HDD and things to break down, is iptables as powerful, or a "good" alternative to a PIX solution, especially for the money?

Deeky

Expert Comment

by:chris_calabrese
ID: 12559705
The main advantage to PIX, other than being easier to admin if you already have a Cisco infrastructure, is that it can handle all kinds of weird network protocols like H.323, SIP, and streaming-media protocols that are very difficult to deal with in iptables.

Author Comment

by:deeky
ID: 12559975
Would either of these methods (PIX or iptables) be able to have an ACCESS-LIST, per se, or a way to say which workstations have the ability to access the internet? I hear much about using Squid on Linux, but is it safe to run a proxy server on the firewall, or do I need yet another machine to do this? If so, what is the best level to filter each workstation: by IP (which are dynamic), by hostname (which could be altered by the user), or by MAC address, which would be a pain to collect all of those numbers?

Is there any method in the Linux realm that would read a users LOGIN name on a Windows 2000 domain and decide whether that USER has privileges, besides expensive ISA server?

Deeky

Expert Comment

by:chris_calabrese
ID: 12560075
Either PIX or iptables could easily limit users by IP address. I don't think either could filter by MAC, since they're IP-level devices - and even if they understood this concept it wouldn't work if you have any routers in the network.

I know there are PAM modules to let Linux systems see Windows 2000 domains, so you might be able to get Squid to work this way. In fact, I'd be surprised if somebody hasn't already done this - google is your friend here.
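The combination the comment points at, as an added example that is not from the thread: Squid authenticating users against the Windows 2000 domain through Samba's winbind, with firewall rules that refuse direct web access from the private LAN so the proxy cannot be bypassed. It assumes Squid 2.5 or later and Samba 3 with winbindd running on the proxy host, already joined to the domain (`net ads join` or `net rpc join`), the helper paths shown, a domain group named InternetUsers that holds the people allowed out, and the proxy listening on port 3128 on the firewall's private-LAN address. NTLM authentication is a multi-step exchange tied to the TCP connection, so it only works when browsers are configured to use the proxy explicitly; transparently redirecting port 80 into Squid would defeat it.

```shell
#!/bin/sh
# Squid with Windows domain authentication, plus the firewall rules that
# make the proxy mandatory for the private LAN. Added example, not from the
# thread. Helper paths, the group name InternetUsers, interface names and
# the proxy address are assumptions.
# Run without arguments to print the config and rules; APPLY=1 installs them.
set -eu

LAN_IF=eth1
OUT_IF=eth0
PROXY_IP=192.168.1.1     # firewall's private-LAN address, where Squid listens
PROXY_PORT=3128
ALLOWED_GROUP=InternetUsers
NTLM_AUTH=/usr/bin/ntlm_auth                  # from Samba
GROUP_HELPER=/usr/lib/squid/wbinfo_group.pl   # ships with Squid 2.5

# squid.conf: every request needs a domain login (NTLM for IE, Basic as a
# fallback), and the login must be a member of the allowed group.
gen_squid_conf() {
cat <<EOF
http_port $PROXY_IP:$PROXY_PORT
auth_param ntlm program $NTLM_AUTH --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program $NTLM_AUTH --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Internet access
# Ask winbind which domain groups the authenticated user belongs to
external_acl_type nt_group ttl=300 %LOGIN $GROUP_HELPER
acl localnet src 192.168.1.0/24
acl authenticated proxy_auth REQUIRED
acl internet_users external nt_group $ALLOWED_GROUP
# Decision: on the LAN, authenticated, and in the right group; else refuse
http_access allow localnet authenticated internet_users
http_access deny all
EOF
}

# iptables rules: accept proxy connections from the LAN on the firewall
# itself, and refuse to forward direct web traffic from the LAN. Inserted
# at the top of each chain so they win over any general LAN-to-Internet
# accept; matching only NEW leaves established flows alone.
gen_proxy_rules() {
cat <<EOF
-I INPUT -i $LAN_IF -d $PROXY_IP -p tcp --dport $PROXY_PORT -m state --state NEW -j ACCEPT
-I FORWARD -i $LAN_IF -o $OUT_IF -p tcp -m multiport --dports 80,443 -m state --state NEW -j REJECT --reject-with tcp-reset
EOF
}

write_squid_conf() {
    gen_squid_conf > "${SQUID_CONF:-/etc/squid/squid.conf}"
}

if [ "${APPLY:-0}" = 1 ]; then
    write_squid_conf
    gen_proxy_rules | while read -r rule; do
        iptables $rule   # word splitting of the rule line is intended
    done
else
    gen_squid_conf
    gen_proxy_rules
fi
```

With no arguments it prints squid.conf and the rules for review; `APPLY=1` writes the config (path overridable with SQUID_CONF) and inserts the rules. Because the decision is made on the domain login rather than the client address, workstations keep their dynamic DHCP leases and users keep their hostnames without affecting who gets out. Running the proxy on the firewall keeps one box in the path but adds a large, user-facing service to it; the same config works unchanged on a separate proxy host in the DMZ, with the INPUT rule replaced by a FORWARD rule from the LAN to that host.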

Author Comment

by:deeky
ID: 12560224
I think I could figure out how to filter by the IP address, but since they are assigned, they could change (even though most are very persistent), so...

I did purchase the newest BSD from their website (I try to support those causes when I can).  I will have to just fool with it.

Thanks for help, you have been a valuable tool for me.

Deeky

Expert Comment

by:chris_calabrese
ID: 12565333
No problem. Glad to help.
