Solved

Need to add a firewall, need help with topology and design

Posted on 2004-10-21
Last Modified: 2013-11-16
We have a LAN of about 25 users in a 98/2000/XP environment.  Currently, we are running 1 2000 server machine that handles AD, Printers, and File Sharing, DNS, DHCP, etc.  All users currently have access to the internet through a Cisco 1720 Router on a Fractional T1.  The router is doing the NAT, and does not have firewall capabilities in IOS.

My goal is to be able to have a segment for our company LAN, a segment for a mailserver and eventually a web server, and a public segment for wireless internet access only.  I would also eventually like to have the ability to VPN into the company network to administer systems from home.

I do not want to purchase a separate firewall like a PIX.  I'm hoping to do this with what I have.

This is what I currently have:
              (192.168.1.x)    ____________
Private LAN -------------------|          |------------****Internet (xxx.xxx.93.78)
                               |  Router  |
                               |__________|


This is what I'm thinking I need to do, I just need some ideas...

                                      (192.168.30.x)  ____________  (192.168.50.x)   __________
Public Wireless Internet LAN -------------------------|          |-------------------|        |--------****Internet (xxx.xxx.93.78)
                                      (192.168.1.x)   |  Linux   |                   | Router |
Private Internet and File/sharing LAN ----------------| Firewall |                   |________|
                                      (192.168.5.x)   |          |
Mail/Web Server --------------------------------------|__________|

Will this topology work? With the correct rules, is this an appropriate solution?

One thing I learned from playing with this is that I have a DHCP server on my Private LAN to assign IP addresses.  On my PUBLIC LAN for wireless users, I do not have anything to assign IP addresses.  Is this something I should or should not do on my firewall for that particular interface facing the PUBLIC network?

Do I need more than one IP address from our ISP to host a mail or web server?  Can I just use the current one we have?

Thanks,

Deeky
Accepted Solution

by: chris_calabrese (earned 1200 total points)
ID: 12374298
This is a sound topology and an appropriate solution.

You might want to consider OpenBSD instead of Linux, since it's geared specifically at this type of thing.

The argument for a separate DHCP server on the wireless link is that you don't have to worry about your firewall being breached if the DHCP server software has holes. The easiest way to do this is probably using a cheap intended-for-home-use wireless access point with built-in DHCP support.

You could probably get away without having additional IP addresses, but your life will be a lot easier if you have more IPs. In addition to IPs for the mail and web servers, you'll also want one for VPN since IPSec doesn't like NAT.
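As an added example (not from the thread or either participant), a minimal iptables policy implementing the three-segment design above on the Linux firewall: the public wireless segment reaches only the internet, the private LAN reaches the internet and the mail/web segment, and the mail/web segment only accepts inbound mail. Interface names, the mail server address and the SSH management rule are assumptions; run with IPT=echo to preview the rules, or as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example: firewall policy for the private / wireless / mail-web topology.
# IPT defaults to "echo" (dry run); set IPT=iptables to apply the rules.
IPT="${IPT:-echo}"
WAN=eth0                               # towards the Cisco 1720 (assumed name)
PRIV=eth1; PRIV_NET=192.168.1.0/24     # private LAN
DMZ=eth2;  DMZ_NET=192.168.5.0/24      # mail/web server segment
WIFI=eth3; WIFI_NET=192.168.30.0/24    # public wireless
MAIL=192.168.5.10                      # assumed mail server address in the DMZ

firewall_rules() {
    # Default deny for anything the rules below do not explicitly allow
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Stateful core: replies to allowed flows pass, malformed packets are dropped
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state INVALID -j DROP
    # Private LAN: internet access plus access to the mail/web servers
    $IPT -A FORWARD -i $PRIV -s $PRIV_NET -o $WAN -j ACCEPT
    $IPT -A FORWARD -i $PRIV -s $PRIV_NET -o $DMZ -j ACCEPT
    # Public wireless: internet only; both internal segments are refused outright
    $IPT -A FORWARD -i $WIFI -s $WIFI_NET -d $PRIV_NET -j DROP
    $IPT -A FORWARD -i $WIFI -s $WIFI_NET -d $DMZ_NET -j DROP
    $IPT -A FORWARD -i $WIFI -s $WIFI_NET -o $WAN -j ACCEPT
    # Mail/web segment: may only originate outbound SMTP; a compromised server
    # cannot open connections into the private LAN
    $IPT -A FORWARD -i $DMZ -s $DMZ_NET -o $WAN -p tcp --dport 25 -j ACCEPT
    # Inbound mail arriving on the external side is forwarded to the mail host
    $IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to-destination $MAIL
    $IPT -A FORWARD -i $WAN -o $DMZ -d $MAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT
    # All three segments hide behind the firewall's single external address
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
    # The firewall itself is managed only from the private LAN
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $PRIV -s $PRIV_NET -p tcp --dport 22 -j ACCEPT
}

firewall_rules
```

Because the Cisco 1720 still performs the NAT towards the ISP, inbound TCP/25 must also be forwarded by the router to the firewall's 192.168.50.x address for the DNAT rule to see it.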

Author Comment

by: deeky
ID: 12374569
Let's talk a little more about additional IP addresses.  Is it possible to have more than one IP address on a single router external interface?  For example, I currently have a WIC 1DSU card in my serial0 on the router.  Would I need to add an additional card or have a router capable of multiple WIC cards in order to have additional IP addresses pointed toward my router from the internet?  I remember reading something about getting a block of addresses from my ISP?  If so, what is this method called so that I can read about it?

In that case, will I be able to have one IP address used for our internet which runs NAT, one IP address for VPN that is routed without NAT, one IP address that is dedicated for the email server, etc.?

In the mean time, I'm going to look for OPENBSD and try to learn how to deploy.  I have spent quite a bit of time in Linux, but still haven't invested too much yet.  I presume they are similar from a command line point of view.

Thanks,

Deeky

Expert Comment

by: chris_calabrese
ID: 12374781
There are two ways that your ISP could assign you IP addresses.

One is to give you a block that you use behind your router, in addition to the one for the front-end interface of the router. It should be obvious what to do in this case...

The other is to give you a few scattered IPs or a single block without the extra one for the front of your router.

You won't need multiple cards on your router in this case, but you need to tell your router to listen to multiple IP's on the same interface and then forward them to the other interface. There is a way to do this in Cisco IOS, but I don't remember the particular commands involved. And I don't know if it would be supported on your low-end router.

On the other other hand, you could ditch the router altogether and put a T1 card directly into the Linux/OpenBSD box...

As for OpenBSD, it also comes from a Unix heritage, so it's not entirely dissimilar to Linux. System administration stuff is pretty different, though. www.openbsd.org

Author Comment

by: deeky
ID: 12558987
I don't think I have the patience to learn yet another package like OpenBSD.  I am getting comfortable with Fedora 2 at both command line and GUI.

My next question regarding the firewall would be: how would a PIX compare to an IPTABLES firewall running on Fedora 2?  Besides the maintenance factor of having essentially another computer with HDD and things to break down, is IPTABLES as powerful or a "good" alternative to a PIX solution, especially for the money?

Deeky

Expert Comment

by: chris_calabrese
ID: 12559705
The main advantage to PIX, other than being easier to admin if you already have a Cisco infrastructure, is that it can handle all kinds of weird network protocols like H.323, SIP, and streaming-media protocols that are very difficult to deal with in iptables.

Author Comment

by: deeky
ID: 12559975
Would either of these methods (PIX or IPTABLES) be able to have an ACCESS-LIST, per se, or a way to say which workstations have the ability to access the internet?  I hear much about using Squid on Linux, but is it safe to run a proxy server on the firewall, or do I need yet another machine to do this?  If so, what is the best level to filter each workstation: by IP (which are dynamic), by hostname (which could be altered by the user), or by MAC address (which would be a pain, collecting all of those numbers)?

Is there any method in the Linux realm that would read a user's LOGIN name on a Windows 2000 domain and decide whether that USER has privileges, besides the expensive ISA server?

Deeky

Expert Comment

by: chris_calabrese
ID: 12560075
Either PIX or IPTABLES could easily limit users by IP address. I don't think either could filter by MAC, since they're IP-level devices - and even if they understood this concept it wouldn't work if you have any routers in the network.

I know there are PAM modules to let Linux systems see Windows 2000 domains, so you might be able to get Squid to work this way. In fact, I'd be surprised if somebody hasn't already done this - google is your friend here.

Author Comment

by: deeky
ID: 12560224
I think I could figure out how to filter by the IP address, but since they are assigned, they could change (even though most are very persistent), so...

I did purchase the newest BSD from their website (I try to support those causes when I can).  I will have to just fool with it.

Thanks for help, you have been a valuable tool for me.

Deeky

Expert Comment

by: chris_calabrese
ID: 12565333
No problem. Glad to help.