Solved

Need to add a firewall, need help with topology and design

Posted on 2004-10-21
256 Views
Last Modified: 2013-11-16
We have a LAN of about 25 users in a 98/2000/XP environment. Currently, we are running one 2000 server machine that handles AD, Printers, File Sharing, DNS, DHCP, etc. All users currently have access to the internet through a Cisco 1720 Router on a Fractional T1. The router is doing the NAT, and does not have firewall capabilities in IOS.

My goal is to be able to have a segment for our company LAN, a segment for a mailserver and eventually a web server, and a public segment for wireless internet access only.  I would also eventually like to have the ability to VPN into the company network to administer systems from home.

I do not want to purchase a separate firewall like a PIX.  I'm hoping to do this with what I have.

This is what I currently have:
                     (192.168.1.x)    ____________
Private LAN -------------------------|            |--------- Internet (xxx.xxx.93.78)
                                     |   Router   |
                                     |____________|


This is what I'm thinking I need to do, I just need some ideas...

                              (192.168.30.x)  ____________  (192.168.50.x)  __________
Public Wireless Internet LAN ----------------|            |----------------|          |------ Internet (xxx.xxx.93.78)
                               (192.168.1.x) |   Linux    |                |  Router  |
Private Internet and File/sharing LAN -------|  Firewall  |                |__________|
                               (192.168.5.x) |            |
Mail/Web Server -----------------------------|____________|

Will this topology work? With the correct rules, is this an appropriate solution?

One thing I learned from playing with this is that I have a DHCP server on my Private LAN to assign IP addresses. On my PUBLIC LAN for wireless users, I do not have anything to assign IP addresses. Is this something I should or should not do on my firewall for that particular interface facing the PUBLIC network?

Do I need more than one IP address from our ISP to host a mail or web server? Can I just use the current one we have?

Thanks,

Deeky
Question by:deeky
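The three-segment design sketched in the question, worked through as an iptables ruleset for the Linux box in the middle. This is an added example, not code from the original question or its answers; the interface names eth0 to eth3, the mail server address 192.168.5.10, and a port forward of TCP/25 on the 1720 to the firewall's 192.168.50.x address are assumptions.

```shell
#!/bin/sh
# Added example: iptables policy for the three-legged design in the question.
# Interface names and the mail server address are assumptions; the default
# IPT just prints the commands so the policy can be reviewed before running
# it as root with IPT=iptables.
IPT="${IPT:-echo iptables}"

WAN=eth0            # towards the Cisco 1720, 192.168.50.x
PRIV=eth1           # private LAN, 192.168.1.0/24
PUB=eth2            # public wireless, 192.168.30.0/24
DMZ=eth3            # mail/web segment, 192.168.5.0/24
MAIL=192.168.5.10   # assumed address of the mail server

fw_rules() {
    # Default deny for traffic to the box and through it; only replies
    # and explicitly listed flows get through.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT   -i lo -j ACCEPT
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Private LAN: internet access plus mail protocols to the DMZ server.
    $IPT -A FORWARD -i $PRIV -o $WAN -j ACCEPT
    $IPT -A FORWARD -i $PRIV -o $DMZ -d $MAIL -p tcp -m multiport --dports 25,110,143 -j ACCEPT

    # Public wireless: internet only, never the private LAN or the DMZ.
    $IPT -A FORWARD -i $PUB -o $PRIV -j DROP
    $IPT -A FORWARD -i $PUB -o $DMZ  -j DROP
    $IPT -A FORWARD -i $PUB -o $WAN  -j ACCEPT

    # Inbound SMTP: the 1720 must forward TCP/25 to this box's 192.168.50.x
    # address; it is then redirected to the mail server and nothing else.
    $IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to-destination $MAIL
    $IPT -A FORWARD -i $WAN -o $DMZ -d $MAIL -p tcp --dport 25 -j ACCEPT

    # Services the firewall itself offers: DHCP/DNS to wireless clients if it
    # hands out their addresses, SSH administration only from the private LAN.
    $IPT -A INPUT -i $PUB  -p udp -m multiport --dports 53,67 -j ACCEPT
    $IPT -A INPUT -i $PRIV -p tcp --dport 22 -j ACCEPT

    # All three segments leave on the firewall's outside address; the router
    # NATs that again to xxx.xxx.93.78.
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
}

fw_rules
```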
    9 Comments

    Accepted Solution

    by:
    This is a sound topology and an appropriate solution.

    You might want to consider OpenBSD instead of Linux, since it's geared specifically at this type of thing.

    The argument for a separate DHCP server on the wireless link is that you don't have to worry about your firewall being breached if the DHCP server software has holes. The easiest way to do this is probably using a cheap intended-for-home-use wireless access point with built-in DHCP support.

    You could probably get away without having additional IP addresses, but your life will be a lot easier if you have more IPs. In addition to IPs for the mail and web servers, you'll also want one for VPN since IPSec doesn't like NAT.

    Author Comment

    by:deeky
    Let's talk a little more about additional IP addresses. Is it possible to have more than one IP address on a single router external interface? For example, I currently have a WIC 1DSU card in my serial0 on the router. Would I need to add an additional card or have a router capable of multiple WIC cards in order to have additional IP addresses pointed toward my router from the internet? I remember reading something about getting a block of addresses from my ISP? If so, what is this method called so that I can read about it?

    In that case, will I be able to have one IP address used for our internet which runs NAT, one IP address for VPN that is routed without NAT, one IP address that is dedicated for the email server, etc.?

    In the meantime, I'm going to look for OpenBSD and try to learn how to deploy it. I have spent quite a bit of time in Linux, but still haven't invested too much yet. I presume they are similar from a command line point of view.

    Thanks,

    Deeky

    Expert Comment

    by:chris_calabrese
    There are two ways that your ISP could assign you IP addresses.

    One is to give you a block that you use behind your router, in addition to the one for the front-end interface of the router. It should be obvious what to do in this case...

    The other is to give you a few scattered IPs or a single block without the extra one for the front of your router.

    You won't need multiple cards on your router in this case, but you need to tell your router to listen to multiple IPs on the same interface and then forward them to the other interface. There is a way to do this in Cisco IOS, but I don't remember the particular commands involved. And I don't know if it would be supported on your low-end router.

    On the other hand, you could ditch the router altogether and put a T1 card directly into the Linux/OpenBSD box...

    As for OpenBSD, it also comes from a Unix heritage, so it's not entirely dissimilar to Linux. System administration stuff is pretty different, though. www.openbsd.org

    Author Comment

    by:deeky
    I don't think I have the patience to learn yet another package like OpenBSD. I am getting comfortable with Fedora 2 at both command line and GUI.

    My next question regarding the firewall would be how would a PIX compare to an IPTABLES firewall running on Fedora 2? Besides the maintenance factor of having essentially another computer with HDD and things to break down, is IPTABLES as powerful or a "good" alternative to a PIX solution, especially for the money?

    Deeky

    Expert Comment

    by:chris_calabrese
    The main advantage to PIX, other than being easier to admin if you already have a Cisco infrastructure, is that it can handle all kinds of weird network protocols like H.323, SIP, and streaming-media protocols that are very difficult to deal with in iptables.

    Author Comment

    by:deeky
    Would either of these methods (PIX or IPTABLES) be able to have an ACCESS-LIST per se, or a way to say which workstations have the ability to access the internet? I hear much about using Squid on Linux, but is it safe to run a proxy server on the firewall, or do I need yet another machine to do this? If so, what is the best level to filter each workstation: by IP (which are dynamic), by hostname (which could be altered by the user), or by MAC address, which would be a pain to collect all of those numbers?

    Is there any method in the Linux realm that would read a user's LOGIN name on a Windows 2000 domain and decide whether that USER has privileges, besides expensive ISA server?

    Deeky

    Expert Comment

    by:chris_calabrese
    Either PIX or IPTABLES could easily limit users by IP address. I don't think either could filter by MAC, since they're IP-level devices - and even if they understood this concept it wouldn't work if you have any routers in the network.

    I know there are PAM modules to let Linux systems see Windows 2000 domains, so you might be able to get Squid to work this way. In fact, I'd be surprised if somebody hasn't already done this - Google is your friend here.

    Author Comment

    by:deeky
    I think I could figure out how to filter by the IP address, but since they are assigned, they could change (even though most are very persistent), so...

    I did purchase the newest BSD from their website (I try to support those causes when I can).  I will have to just fool with it.

    Thanks for help, you have been a valuable tool for me.

    Deeky

    Expert Comment

    by:chris_calabrese
    No problem. Glad to help.