Need to add a firewall, need help with topology and design

We have a LAN of about 25 users in a 98/2000/XP environment.  Currently, we are running 1 2000 server machine that handles AD, Printers, and File Sharing, DNS, DHCP, etc.  All users currently have access to the internet through a Cisco 1720 Router on a Fractional T1.  The router is doing the NAT, and does not have firewall capabilities in IOS.

My goal is to be able to have a segment for our company LAN, a segment for a mailserver and eventually a web server, and a public segment for wireless internet access only.  I would also eventually like to have the ability to VPN into the company network to administer systems from home.

I do not want to purchase a separate firewall like a PIX.  I'm hoping to do this with what I have.

This is what I currently have:
        (192.168.1.x)   _____________
Private LAN ----------|                      |-----------****Internet (xxx.xxx.93.78)
                              |       Router     |
                              |____________ |


This is what I'm thinking I need to do, I just need some ideas...

                                        (192.168.30.x)____________ (192.168.50.x)___
Public Wireless Internet LAN---------------|                     |----------|           |--------****Internet (xxx.xxx.93.78)
                                      (192.168.1.x)  |                     |             |Router |
Private Internet and File/sharing LAN-----|  Linux            |             |______|
                                     (192.168.5.x)   |    Firewall      |
Mail/Web Server----------------------------|____________|

Will this topology work??  with the correct rules, is this an appropriate solution?

One thing I learned from playing with this is that I have a DHCP server on my Private LAN to assign IP addresses.  On my PUBLIC lan for wireless users, I do not have anything to assign IP addresses.  Is this something I should or should not do on my firewall for that particular interface facing the PUBLIC network?

Do I need more than one IP address from our ISP to host a mail or web server?  Can I just use the current one we have?

Thanks,

Deeky
deekyAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

chris_calabreseCommented:
This is a sound topology and an appropriate solution

You might want to consider OpenBSD instead of Linux, since it's geared specifically at this type of thing

The argument for a seperate DHCP server on the wireless link is that you don't have to worry about your firewall being breached if the DHCP server software has holes. The easiest way to do this is probably using a cheap intended-for-home-use wireless access point with built-in DHCP support.

You could probably get away without having additional IP addresses, but your life will be a lot easier if you have more IP's. In addition to IP's for the mail and web servers, you'll also want one for VPN since IPSec doesn't like NAT.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
deekyAuthor Commented:
Let's talk a little more about additional IP addresses.  Is it possible to have more than one IP address on a single router external interface.  For example, I currently have a WIC 1DSU card in my serial0 on the router.  Would I need to add an additional card or have a router capable of multiple WIC cards in order to have additional IP addresses pointed toward my router from the internet?  I remember reading something about getting a block of addresses from my ISP???  If so what is this method called so that I can read about it?

In that case, will I be able to have one IP address used for our internet which runs NAT, one IP address for VPN that is routed without NAT, one ip address that is dedicated for email server, etc.?  

In the mean time, I'm going to look for OPENBSD and try to learn how to deploy.  I have spent quite a bit of time in Linux, but still haven't invested too much yet.  I presume they are similar from a command line point of view.

Thanks,

Deeky
0
chris_calabreseCommented:
There are two ways that your ISP could assign you IP addresses.

One is to give you a block that you use behind your router, in addition to the one for the front-end interface of the router. It should be obvious what to do in this case...

The other is to give you a few scattered IP's or a single block without the extra one for the front of your router.

You won't need multiple cards on your router in this case, but you need to tell your router to listen to multiple IP's on the same interface and then forward them to the other interface. There is a way to do this in Cisco IOS, but I don't remember the particular commands involved. And I don't know if it would be supported on your low-end router.

On the other other hand, you could ditch the router altogether and put a T1 card directly into the Linux/OpenBSD box...

As for OpenBSD, it also comes from a Unix heritage, so it's not entirely dissimilar to Linux. System administration stuff is pretty different, though. www.openbsd.org
0
Introducing the "443 Security Simplified" Podcast

This new podcast puts you inside the minds of leading white-hat hackers and security researchers. Hosts Marc Laliberte and Corey Nachreiner turn complex security concepts into easily understood and actionable insights on the latest cyber security headlines and trends.

deekyAuthor Commented:
I don't think I have the patience to learn yet another package like openbsd.  I am getting comfortable with Fedora 2 at both command line and GUI.

My next question regarding the firewall would be how would a PIX compare to an IPTABLES firewall running on Fedora 2?  Besides the maintenence factor of having essentially another computer with HDD and things to break down, is IPTABLES as powerful or a "good" alternative to a PIX solution, especially for the money.

Deeky
0
chris_calabreseCommented:
The main advantage to PIX, other than being easier to admin if you already have a Cisco infrastructure, is that it can handle all kinds of weird network protocols like H232, SIP, and streaming-media protocols that are very difficult to deal with in iptables.
0
deekyAuthor Commented:
Would either of these methods (PIX or IPTABLES) be able to have an ACCESS-LIST per say, or a way to say which workstations have the ability to access the internet?  I hear much about using Squid on Linux, but is it safe to run proxy server on the firewall or need yet another machine to do this?  If so, what is the best level to filter each workstation, by IP (which are dynamic), by hostname (which could be altered by the user), by MAC address which would be a pain to collect all of those numbers?  

Is there any method in the Linux realm that would read a users LOGIN name on a Windows 2000 domain and decide whether that USER has privileges, besides expensive ISA server?

Deeky
0
chris_calabreseCommented:
Either PIX or IPTABLES could easily limit users by IP address. I don't think either could filter by MAC, since they're IP-level devices - and even if they understood this concept it wouldn't work if you have any routers in the network.

I know there are PAM modules to let Linux systems see Windows 2000 domains, so you might be able to get Squid to work this way. In fact, I'd be surprised if somebody hasn't already done this - google is your friend here.
0
deekyAuthor Commented:
I think I could figure out how to filter by the IP address, but since they are assigned, they could change (even though most are very persistant), so...

I did purchase the newest BSD from their website (I try to support those causes when I can).  I will have to just fool with it.

Thanks for help, you have been a valuable tool for me.

Deeky
0
chris_calabreseCommented:
No problem. Glad to help.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.