Re: switch recommendations

From: Damien Hull <dhull@digitaloverload.net>
Date: Sat Aug 27 2005 - 17:07:22 AKDT

Here's how it works.

   1. Firewall #2 is the gateway for the LAN. All LAN traffic will go
      through Firewall #2 first.
   2. The outside interface of Firewall #2 plugs into the switch on the DMZ.
   3. The inside interface of Firewall #1 plugs into the switch on the DMZ.
   4. The outside interface of Firewall #1 plugs into the Internet
      (cable or DSL).
   5. Things like web servers will be plugged into the switch on the DMZ.
   6. Firewall #2 will only allow traffic from the LAN to access the
      Internet (email, web surfing, etc.). All traffic from the
      outside will be blocked.

Let's say you have a company web server. Untrusted users from the
Internet will be accessing it, so we place it on the DMZ. Because it is
not directly connected to the Internet, Firewall #1 will forward all
traffic on port 80 (web traffic) to the web server on the DMZ, thus
giving web surfers on the net access to the company website.

If the web server gets hacked you don't have to worry about your
internal LAN. Firewall #2 protects the LAN by blocking all outside
traffic. This includes traffic from the DMZ.

In some cases you may not need Firewall #1, but I'll leave that out for now.
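
Added example, not part of Damien's post: two OpenBSD pf rulesets that implement the design above, in the pf.conf syntax of OpenBSD 4.7 and later (the 2005-era nat/rdr keywords differ). Interface names, subnets and the web server address are assumptions.

```pf
# ===== Firewall #1 (/etc/pf.conf): Internet <-> DMZ switch =====
ext_if  = "em0"            # cable/DSL side (assumed interface name)
dmz_if  = "em1"            # DMZ switch side
dmz_net = "192.0.2.0/24"   # assumed DMZ subnet; Firewall #2's outside address is in it
web_srv = "192.0.2.10"     # assumed address of the company web server on the DMZ

set skip on lo
block log all              # default deny, every interface, both directions

# Traffic leaving for the Internet from the DMZ (the LAN's traffic arrives here
# from Firewall #2's outside address) is NATed to the public address
match out on $ext_if inet from $dmz_net nat-to ($ext_if)

# The one inbound service: port 80 from the Internet is redirected to the web server
pass in  on $ext_if inet proto tcp to ($ext_if) port 80 rdr-to $web_srv
pass out on $dmz_if inet proto tcp to $web_srv port 80

# DMZ hosts (and the LAN behind Firewall #2) may reach the Internet
pass in  on $dmz_if inet from $dmz_net
pass out on $ext_if inet

# ===== Firewall #2 (/etc/pf.conf): DMZ switch <-> LAN =====
ext_if  = "em0"            # outside interface, plugged into the DMZ switch
lan_if  = "em1"            # inside interface, the LAN's default gateway
lan_net = "192.168.1.0/24" # assumed LAN subnet

set skip on lo
block log all              # nothing from the outside, DMZ included, gets in

# LAN goes out with Firewall #2's DMZ-side address, so Firewall #1 sees DMZ traffic
match out on $ext_if inet from $lan_net nat-to ($ext_if)

# LAN -> Internet only (web, mail, DNS); replies return through the state table
pass in  on $lan_if inet proto { tcp, udp } from $lan_net \
    to any port { 80, 443, 25, 110, 143, 53 }
pass out on $ext_if inet
```

Load each file with `pfctl -nf /etc/pf.conf` first to syntax-check it, then `pfctl -f /etc/pf.conf`; a compromised DMZ host hitting Firewall #2's outside interface only produces `block` entries in `pflog0`.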

Fielder George Dowding wrote:

> Hmmm... A couple of thoughts ...
>
> Why DMZ after Firewall #2?
>
> What does the SWITCH do?
>
> Is Firewall #2 on each workstation?
>
> I realize drawing in ASCII has its limitations.
>
> fgd.
>
> dhull wrote:
>
>> I'm with you on this. OpenBSD rules!
>> I should mention that I don't know much about VLANs. Having said
>> that, I still stand by my previous statement. "Most networks don't
>> need them."
>> It may add a layer of security, but it's also one more thing you have
>> to manage. A simple DMZ solution is 2 OpenBSD firewalls with a DMZ in
>> the middle.
>> INET<----->[Firewall #1]<----->[SWITCH]<----->[Firewall #2]<----->[LAN]
>>                                    |
>>                                    |
>>                                    |
>>                                  [DMZ]
>>
>> For me it comes down to two things. How much security will it give
>> me? How much management do I have to do to get that security?
>> In this case we're talking about a 48 port switch. Let's say we have 40
>> workstations. That leaves us with a few extra ports for servers,
>> etc. Let's say they have one file server that they all have access
>> to. No amount of VLANs is going to prevent someone on the inside
>> from hacking the server and accessing data they shouldn't have access
>> to.
>>
>> This is just my take on VLANs. If someone can give me a reason for
>> using VLANs on a network with 40 workstations, let me know. Again, I
>> don't know a lot about VLANs.
>>
>>
>> -------Original Message-------
>>
>>> From: lee <lee@afabco.com>
>>> Subject: re: switch recommendations
>>> Sent: Aug 27 '05 10:22
>>>
>>> Well, I'll throw my .02 in this discussion.
>>>
>>> This is one of the few times I'll go ahead and say something like
>>> this.
>>>
>>> For anything more sophisticated than a dumb Linksys can handle (and the
>>> VLAN requirement tells me that this falls into that category), well,
>>> Cisco owns the world *shrug*. End of story.
>>>
>>> I have not, on balance, been displeased with their switches (we have a
>>> number of 3550s and some other ones). Be aware tho that Cisco loves to
>>> dollar and ten you to death. No question that they are in it for the
>>> money.
>>>
>>> Plus, there's plenty of Cisco expertise floating around.
>>>
>>> Of course, as always, there may be specific technical requirements or
>>> other requirements that indicate something other than Cisco.
>>>
>>> Firewalls are a different story. I'm a bit more suspicious of the
>>> PIXes. I come from the school of "if it ain't open, it ain't
>>> secure".
>>> When I have a choice, I use OpenBSD. None of my stuff is high enough
>>> traffic that that'll matter.
>>>
>>> On the other hand, most of the managerial technopeasantry is more
>>> comfortable with the 'warm and fuzzy' that comes with the "Cisco" name.
>>>
>>> As far as VLANs go, they're useful, but it's easy to go overboard on
>>> them (I did <g>). And I'm not sure I'd do a DMZ or a red zone on the
>>> same box I had safe VLANs on. The literature has howtos on how to
>>> sniff the packets (particularly if the bad guys can get on a trunk).
>>> Plus I'm more 'warm and phuzzy' with physical separation. YMMV, of
>>> course.
>>>
>>> In any case, let us know what you decide, and why.
>>> --
>>> AFABCO
>>> afabco.com
>>>
>>> --
>>> http://www.fastmail.fm - Same, same, but different…
>>>
>>> ---------
>>> To unsubscribe, send email to <aklug-request@aklug.org>
>>> with 'unsubscribe' in the message body.
>>>
>>>
>>
>

Received on Sat Aug 27 17:07:28 2005

This archive was generated by hypermail 2.1.8 : Sat Aug 27 2005 - 17:07:28 AKDT