SUMMARY: firewall configuration hel

From: Michel Pilon (pilonm@ccg.rncan.gc.ca)
Date: Thu Dec 18 1997 - 12:46:25 CST


Hello,

First of all, I want to apologize for sending this question to the Sun mailing
list instead of the firewall mailing list...!

But of course, as you are the best, I got many answers to my question :-)

The answer is that configuration b) is better. (90%)

Why? Because I have more flexibility to manage my DMZ. I can easily protect
my DMZ also (which then is no longer a DMZ ;-) ). And if I want to open
all the services to my "DMZ" from my firewall, I will be able to log all
the activities!!!

I can also have a backup firewall by configuring another Sun box with FireWall-1
and with the same IP address. If the first goes down, I just have to replace
it with the second.

A big thank you to:

Dan Hubbard <dhubbard@thepalace.com>
Stephen Frost <sfrost@mitretek.org>
Rob Bringham <rob@trion.com>
iwallace@bcoe.bm (Ian Wallace)
matthew zeier <mrz@3com.com>
Charlie Mengler <charliem@anchorchips.com>
"Paquette, Trevor" <TrevorPaquette@mcc.net>
Jay Morgan <jmorgan@qualix.com>
Mike Chang <machang@pfoo.com>
Steve Kilgore <isskilg@dca.ca.gov>

The original question was:

>We are in the process of implementing a new firewall configuration and I would
>like to know which firewall configuration seems to be the best between the
>2 following suggestions?
>
>a) Here the HTTP, FTP, and News servers reside on the DMZ (DeMilitarized Zone).
> So only the local network is protected by the firewall (hence, from the
> firewall's point of view, the local network is internal and the DMZ is
> external).
>
>                    INTERNET
>                        |
>                        |
>      ROUTER (with anti-spoofing capab.)
>                        |                                      ---
>        HTTP Server     |     FTP Server                        |
>             |          |          |                            |
>      |-----------------------------------------| 201.6.5.0      DMZ
>             |                     |                            |
>      Firewall (FW1)          News Server                       |
>             |                                                 ---
>             |
>      |---------------------------------------------| Local Network
>        |          |          |                       10.0.0.0
>      Host1      Host2      Host3
>
>
>b) Here the firewall is protecting two internal networks. The problem
> I am seeing here is that I have one single point of failure (the firewall).
> But the 28.0.0.0 network is protected. Here, from the firewall's point
> of view, both 28.0.0.0 and 10.0.0.0 are internal.
>
>                    INTERNET
>                        |
>                        |
>      ROUTER (with anti-spoofing capab.)
>                        |
>      |---------------------------------|                ---
>                        |                                 |--- FTP Server
>                        |                                 |
>      FireWall ----------------------------------------- |--- News Server   28.0.0.0
>            |                                             |
>            |                                             |--- HTTP Server
>            |                                            ---
>      |---------------------------------------------| Local Network
>        |          |          |                       10.0.0.0
>      Host1      Host2      Host3
>
>
>So, which configuration is the best?



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:11 CDT