physical location of firewall

Here is the hypothetical:

I have two routers connecting to my individual WAN links. I connect both of them into 1 switch. Then I connect the switch into a firewall. Then I connect the firewall into a switch which connects to my internal network. My lame attempt at a diagram is below:

Router 1 (DSL router)   ==>Switch 1 ==>Firewall 1 ==>internal network 1
Router 2 (Cable router) ==>Switch 1 ==>Firewall 1==>internal Network 1

Let's say I have the firewall set up to send all requests through to "router1" (my firewall has a setting to define only 1 WAN link). Now, I set up a Windows XP client to use "router2" as a gateway. I have port 21 blocked at the firewall, both ways.

Will the firewall block the internal client's request for port 21 on the internet, even though the firewall is configured to use "router 1"?  Will the firewall block requests for port 21 into my network that hit "router 2"?  
 
npinfotech (Author) commented:
Basically what I am asking is: if I have a firewall appliance separating multiple WAN routers from an internal network, will the firewall police all traffic that flows through it, regardless of configuration?
 
rsivanandan commented:
No. It won't. The traffic from the XP Machine will straight away go to Router2 and so the firewall doesn't see it at all.

Cheers,
Rajesh
 
npinfotech (Author) commented:
So, not all traffic that flows through a firewall is checked by the firewall. The firewall has to be assigned as the gateway at all times?
 
rsivanandan commented:
No again. For the firewall to inspect the traffic, the traffic has to go through it. In your second case, the traffic doesn't go through the firewall at all. For example, I have 2 internet connections like this:

ISP1-------
              Router--------Firewall------------Internal Hosts
ISP2-------

In this case, the internal host uses either one of these ISP links to go out to the internet, but at any time the incoming and outgoing traffic passes through the firewall.

Cheers,
Rajesh
 
npinfotech (Author) commented:
Thanks Rajesh.

Your answer confuses me a bit. The diagram you drew has both WANs connected to 1 router. All traffic would pass through the firewall regardless of what the internal network PC uses as a gateway. The scenario I was talking about does the same thing, only with 1 additional router.

The one I was trying to draw would look like this(with IP addresses assigned):  

               (1.1.1.1)
ISP1-------Router 1
                             --------Switch--------Firewall------------Internal Hosts
ISP2-------Router 2                               (1.1.1.3)              (1.1.1.4)  
                (1.1.1.2)

So, my internal host, with IP address 1.1.1.4, uses router 2 (1.1.1.2) as its gateway. The traffic still has to go through the firewall to get to router 2. Will the firewall block traffic anyway? Will the firewall monitor traffic originating from router 2 bound for my internal network?
 
rsivanandan commented:
Npinfotech,

  Sorry if I confused you. Okay, let me be clear now; in your case, the problem is that your internal host 1.1.1.4 bypasses the firewall and gets to Router2 even though both are plugged into the same switch, like this:

              (1.1.1.1)
ISP1-------Router 1
                             --------Switch--------Firewall                Internal Hosts
ISP2-------Router 2                               (1.1.1.3)              (1.1.1.4)  
                (1.1.1.2)                                                              |
                         |                                                                |
                          ----------------------------------------------------

This is because you have the default gateway configured as Router2 on 1.1.1.4, so the switch will directly deliver the packet to Router2. The firewall doesn't see it at all. If you had the default gateway as 1.1.1.3, then it would go through the firewall. Remember, the traffic between 1.1.1.4 and 1.1.1.2 *DOES NOT* go through the firewall.

Cheers,
Rajesh
 
npinfotech (Author) commented:
No worries, maybe I'm confusing myself!

There is no way to get to 1.1.1.2 without passing through 1.1.1.3 physically. All traffic bound for 1.1.1.1 or 1.1.1.2 has to pass through 1.1.1.3. The switch between the routers and the firewall is just to connect the routers; it connects to nothing else but the routers and the firewall.

If any traffic passes through the firewall, regardless of settings, will the firewall ignore it?
 
rsivanandan commented:
If the traffic passes through the firewall, then it will not ignore it. It will work on the traffic. But again, regardless of the connection (physical connection) you have, if you have the default gateway as 1.1.1.2 on the machine 1.1.1.4, then it is not going to pass through the firewall. It is the basic TCP/IP networking model.

Cheers,
Rajesh
 
npinfotech (Author) commented:
So, if 1.1.1.4 makes the request, will they just get a timeout or something?
 
rsivanandan commented:
If 1.1.1.4 makes a request for the internet and it cannot reach 1.1.1.2, it will time out. Otherwise, if it can reach 1.1.1.2, traffic will pass through and you'll have non-firewalled internet.

Why don't you do this: just do a tracert to a public IP address and see if it crosses your firewall address. It won't.

Cheers,
Rajesh
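The point Rajesh is making, as an added example that is not part of the original thread: a small Python model of the two wirings, with a host that picks router 2 as its gateway. It shows that the firewall only sees a packet when the packet's next hop (or the layer-2 path to that next hop) runs through the firewall, not when the firewall merely sits somewhere on the same switch. The node names (pc, fw, r1, r2), the "routed" versus "transparent" firewall distinction, and the 10.0.0.0/24 inside subnet used for the routed case are assumptions for illustration; the 1.1.1.x addresses are the ones used in the diagrams above.

```python
"""Toy model of who actually sees a packet: the next hop a host picks decides
the path, not where the cables run.  Added example, not from the thread.
Node names (pc, fw, r1, r2), the "routed"/"transparent" firewall distinction
and the 10.0.0.0/24 inside subnet are assumptions for illustration."""
from ipaddress import IPv4Interface, ip_address


class Node:
    """kind: "host", "router" (has the ISP uplink) or "firewall".
    ifaces: layer-3 interfaces as (segment, "addr/prefix").
    bridges: for a transparent firewall, the two switch segments it joins at
    layer 2 (it needs no IP address of its own to filter what crosses it)."""
    def __init__(self, name, kind, ifaces=(), gateway=None, bridges=()):
        self.name, self.kind = name, kind
        self.ifaces = [(seg, IPv4Interface(cidr)) for seg, cidr in ifaces]
        self.gateway = ip_address(gateway) if gateway else None
        self.bridges = tuple(bridges)


class Network:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}

    def _l2_domain(self, seg):
        """Segments reachable from seg through transparent bridges, each with
        the bridges a frame crosses to get there."""
        reach, todo = {seg: ()}, [seg]
        while todo:
            s = todo.pop()
            for n in self.nodes.values():
                if s in n.bridges:
                    other = n.bridges[1] if n.bridges[0] == s else n.bridges[0]
                    if other not in reach:
                        reach[other] = reach[s] + (n.name,)
                        todo.append(other)
        return reach

    def _arp(self, seg, ip):
        """Who answers an ARP for ip in seg's broadcast domain?"""
        for s, crossed in self._l2_domain(seg).items():
            for n in self.nodes.values():
                if any(ns == s and i.ip == ip for ns, i in n.ifaces):
                    return n, crossed
        return None, ()

    def path(self, src, dst):
        """Hop-by-hop path of a packet from host src to dst, including any
        transparent firewall the frame passes through on the way."""
        dst, node, hops = ip_address(dst), self.nodes[src], [src]
        for _ in range(16):                      # loop guard
            if node.kind == "router":
                return hops + ["internet"]
            # destination on-link?  otherwise hand it to the default gateway
            nh = next((dst for _, i in node.ifaces if dst in i.network), node.gateway)
            if nh is None:
                return hops + ["no route"]
            seg = next((s for s, i in node.ifaces if nh in i.network), None)
            if seg is None:                      # gateway is not on any local subnet
                return hops + [f"{nh} not on-link"]
            nxt, crossed = self._arp(seg, nh)
            if nxt is None:
                return hops + [f"ARP for {nh} unanswered"]
            hops += list(crossed) + [nxt.name]
            node = nxt
        return hops + ["loop"]


def routers(seg):
    """The two WAN routers from the thread's diagram, both on segment seg."""
    return [Node("r1", "router", [(seg, "1.1.1.1/24")]),
            Node("r2", "router", [(seg, "1.1.1.2/24")])]


def bypass_net():
    """Rajesh's case: routers, firewall and host all on one switch."""
    return Network(routers("lan") + [
        Node("fw", "firewall", [("lan", "1.1.1.3/24")], gateway="1.1.1.1"),
        Node("pc", "host", [("lan", "1.1.1.4/24")], gateway="1.1.1.2")])


def inline_bridge_net():
    """The question's wiring with a transparent (bridging) firewall between
    the router switch and the inside switch."""
    return Network(routers("wan") + [
        Node("fw", "firewall", bridges=("wan", "lan")),
        Node("pc", "host", [("lan", "1.1.1.4/24")], gateway="1.1.1.2")])


def inline_routed_net(host_gateway):
    """Same wiring with a routed firewall: the inside is its own subnet
    (assumed 10.0.0.0/24), so router 2 is not on the host's link at all."""
    return Network(routers("wan") + [
        Node("fw", "firewall", [("wan", "1.1.1.3/24"), ("lan", "10.0.0.1/24")],
             gateway="1.1.1.1"),
        Node("pc", "host", [("lan", "10.0.0.4/24")], gateway=host_gateway)])


if __name__ == "__main__":
    for label, net in [("same switch, gw=r2", bypass_net()),
                       ("bridging fw, gw=r2", inline_bridge_net()),
                       ("routed fw, gw=r2", inline_routed_net("1.1.1.2")),
                       ("routed fw, gw=fw", inline_routed_net("10.0.0.1"))]:
        hops = net.path("pc", "8.8.8.8")
        print(f"{label:20s} {' -> '.join(hops):40s} firewall sees it: {'fw' in hops}")
```

Run it and the four rows give the four outcomes discussed in the thread: on a shared switch the packet goes host to router 2 and the firewall never sees it; with a bridging firewall physically in line the frame does cross it on the way to router 2, so the port-21 rule applies even though the firewall is not the gateway; with a routed firewall and a separate inside subnet, a gateway of 1.1.1.2 is simply not on-link and the host times out, and only a gateway of the firewall's inside address gives a path that the firewall forwards and polices.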
 
rsivanandan commented:
NpInfotech,

  Did I help you? I mean did you figure it out? Just wanna make sure...

Cheers,
Rajesh
 
npinfotech (Author) commented:
All I get when I try to tracert is "*.*.*.*" request timed out. Then it will proceed to get the rest of the information as it normally should.

This happens no matter what I use as a gateway.
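A parser for the tracert check suggested above, added here as an example and not part of the original thread. It reads Windows tracert or Unix traceroute output and classifies the result. The caveat it encodes: a hop that answers nothing ("Request timed out." / "* * *") is exactly what a firewall that drops or does not answer TTL-expired probes looks like, and a transparent bridging firewall never appears as a hop at all because it does not decrement the TTL, so a silent hop inside the LAN makes the test inconclusive rather than a proof either way. The sample traces are constructed: 1.1.1.x are the addresses from the diagrams above, 203.0.113.1 (documentation range) stands in for the ISP's first hop, and 8.8.8.8 is the public target.

```python
"""Classify a tracert/traceroute run relative to a known firewall address.
Added example, not from the thread; sample traces below are constructed."""
import re
from ipaddress import ip_address, ip_network

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(trace):
    """Return [(hop_number, ip_or_None), ...].  Works for Windows tracert
    ("  2     *  *  *  Request timed out.") and Unix traceroute (" 2  * * *");
    a hop that answered nothing is recorded as None."""
    hops = []
    for line in trace.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if not m:
            continue                      # header, blank line, "Trace complete."
        ips = IPV4.findall(m.group(2))   # RTTs like "<1 ms" / "0.4 ms" never match
        hops.append((int(m.group(1)), ips[0] if ips else None))
    return hops


def classify(trace, firewall_ip, lan_prefix):
    """inline: the firewall answered as a hop on the way out.
    bypassed: every LAN-side hop answered and none of them is the firewall.
    inconclusive: a LAN-side hop stayed silent, so it may be the firewall
    dropping TTL-expired probes (or a bridging firewall that never shows)."""
    lan = ip_network(lan_prefix)
    local = []
    for _, ip in parse_hops(trace):
        if ip is not None and ip_address(ip) not in lan:
            break                         # first hop beyond the LAN: stop looking
        local.append(ip)
    if firewall_ip in local:
        return "inline"
    if None in local:
        return "inconclusive"
    return "bypassed"


# Constructed to resemble what the asker reports: first hop silent, then normal.
TRACE_SILENT_HOP = """\
Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2    14 ms    13 ms    14 ms  203.0.113.1
  3    22 ms    21 ms    22 ms  8.8.8.8

Trace complete.
"""

# Constructed: a routed firewall at 1.1.1.3 answers, then router 1, then the ISP.
TRACE_INLINE = """\
Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  1.1.1.3
  2     1 ms     1 ms     1 ms  1.1.1.1
  3    14 ms    13 ms    14 ms  203.0.113.1
"""

# Constructed, Unix format: the host went straight to router 2.
TRACE_BYPASS = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  1.1.1.2 (1.1.1.2)  0.412 ms  0.380 ms  0.350 ms
 2  203.0.113.1 (203.0.113.1)  13.1 ms  12.9 ms  13.0 ms
"""

if __name__ == "__main__":
    for name, trace in [("silent hop", TRACE_SILENT_HOP),
                        ("firewall answers", TRACE_INLINE),
                        ("straight to router 2", TRACE_BYPASS)]:
        print(f"{name:22s} -> {classify(trace, '1.1.1.3', '1.1.1.0/24')}")
```

Against real output, feed `classify` the firewall's address on the router-side segment and the LAN prefix; only "inline" or "bypassed" settles the question, and the "inconclusive" case calls for looking at the firewall's own logs or a packet capture on its inside port rather than at tracert.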
 
rsivanandan commented:
OK, but what I mentioned above is the standard behavior of a network.

Have a good day.

Cheers,
Rajesh