Date: 2.2.95
Subject: Some questions
From: John Buehrer
To: FireWalls Digest

1) I've seen this diagram proposed in recent postings:

Internet -- Router1 -- Firewall -- Router2 -- Internal Network

What's the purpose of Router2? That is, what extra security does it
provide? Can't I accomplish the same thing with proper configurations of
Router1 and the Firewall itself? Assuming that the Router -- Firewall
connections are in fact subnets (and not some sort of serial link), I would
call the first subnet (Router1 -- Firewall) a DMZ, for low-security hosts
visible to the outside world. Functionally speaking, what would you call the
subnet between the Firewall and Router2?

2) I see the point of this configuration:

Internet -- Router1 -- Firewall -- Internal Network

but recently someone proposed this:

Internet -- Firewall -- Router1 -- Internal Network

Although this makes it easier to restrict internal users from going outside,
does this offer any more security against the outside world coming in? I
can see that the latter supports more logging than the first scenario, i.e.,
when the router disallows an inbound packet, this generally isn't logged,
but a firewall computer can do it.

3) FWTK vs. Socks: I'm wondering about this too. Any objections if I run
both systems on the Firewall, dividing my services accordingly? For
example, I like the convenience of Socks FTP, but I suspect that the TIS
http-gw can offer more security for WWW.

4) Subnets: Class A's were gone long ago, and a mere mortal can't get a
Class B, so we "grass roots" administrators must put up with a single
Class C address for our sites. Of course I need sub-networks, but the policy
of "forbidding all zeros / all ones" in a subnet address is just too
restrictive. I don't care what the RFC says, I'm not going to throw away a
good chunk of my address range just to install subnets! (e.g. one-bit subnet
= throw away ALL usable host addresses, 2 bits = throw away half, 3 bits =
throw away 25%, 4 bits = limited to 14 machines per subnet, no way!)
Given that I'm ignoring this discriminatory restriction and doing it anyway
(I don't support broadcast-to-all-nets or "this-network" references), do you
see any security holes as a result? Does it matter if my DMZ subnet is the
"illegal" upper network with a mask of 255.255.255.192? I'm using Cisco
routers if that makes any difference. Who uses these reserved subnet bands
anyway?

John Buehrer                 jdb@ecofin.ch
Ecofin, AG                   phone: +411 / 201 68 33
Lavaterstr. 45               fax:   +411 / 202 89 47
CH-8027 Zurich
Switzerland
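The arithmetic behind question 4, worked through as an added example (this is editor-supplied code, not part of the original post). It takes a single class C, splits it with a given number of subnet bits, counts how many host addresses survive with and without the RFC 950 "no all-zeros / no all-ones subnet" rule, and shows why the rule exists: the upper subnet under 255.255.255.192 has a subnet broadcast address whose bit pattern is identical to the classful broadcast of the whole class C, so a subnet-unaware device on the same wire cannot tell the two apart. The address block 192.0.2.0/24 is a constructed placeholder (the IPv4 documentation prefix), not the poster's real range.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed placeholder: the documentation prefix 192.0.2.0/24 stands in
# for the poster's single class C; substitute your own /24.
CLASS_C = IPv4Network("192.0.2.0/24")


def subnets_of(parent, subnet_bits):
    """All subnets produced by lengthening the parent's mask by subnet_bits
    (1 bit -> 255.255.255.128, 2 bits -> 255.255.255.192, and so on)."""
    return list(parent.subnets(prefixlen_diff=subnet_bits))


def is_reserved_subnet(parent, subnet):
    """The two subnets RFC 950 tells you not to assign: the all-zeros subnet,
    whose network address equals the classful network address, and the
    all-ones subnet, whose broadcast address equals the classful broadcast."""
    return (subnet.network_address == parent.network_address
            or subnet.broadcast_address == parent.broadcast_address)


def reserved_fraction(parent, subnet_bits):
    """Share of the subnets that are reserved (the fraction 'thrown away')."""
    subs = subnets_of(parent, subnet_bits)
    return sum(is_reserved_subnet(parent, s) for s in subs) / len(subs)


def usable_hosts(parent, subnet_bits, honour_rfc950):
    """Assignable host addresses across the whole class C. Every subnet loses
    its own network and broadcast address; when honour_rfc950 is True the two
    reserved subnets contribute nothing at all."""
    total = 0
    for sn in subnets_of(parent, subnet_bits):
        if honour_rfc950 and is_reserved_subnet(parent, sn):
            continue
        total += sn.num_addresses - 2
    return total


def ambiguous_addresses(parent, subnet):
    """Addresses in `subnet` that a classful, subnet-unaware host or router on
    the same wire would read as referring to the whole class C. This overlap
    is the reason for the restriction: a directed broadcast to the upper /26
    has the same bit pattern as the classful broadcast of the /24."""
    clashes = {}
    if subnet.network_address == parent.network_address:
        clashes["network"] = subnet.network_address
    if subnet.broadcast_address == parent.broadcast_address:
        clashes["broadcast"] = subnet.broadcast_address
    return clashes


def locate_host(parent, subnet_bits, host):
    """Which subnet a host address lands in, and whether that subnet is one of
    the reserved pair. Returns (subnet, reserved)."""
    addr = IPv4Address(host)
    for sn in subnets_of(parent, subnet_bits):
        if addr in sn:
            return sn, is_reserved_subnet(parent, sn)
    raise ValueError(f"{host} is not inside {parent}")


if __name__ == "__main__":
    for bits in (1, 2, 3, 4):
        print(f"{bits} subnet bit(s): {reserved_fraction(CLASS_C, bits):.0%} of subnets reserved, "
              f"{usable_hosts(CLASS_C, bits, True)} hosts honouring RFC 950 vs "
              f"{usable_hosts(CLASS_C, bits, False)} hosts ignoring it")
    # The 'illegal' upper subnet under mask 255.255.255.192 from the post.
    dmz = IPv4Network("192.0.2.192/26")
    print("DMZ addresses that clash with classful addresses:", ambiguous_addresses(CLASS_C, dmz))
    print(locate_host(CLASS_C, 2, "192.0.2.200"))
```

The counts reproduce the post's figures (1 bit: nothing usable; 2 bits: half the subnets reserved; 3 bits: a quarter; 4 bits: 14 hosts per subnet). `ambiguous_addresses` is the practical check for the DMZ question: if it returns a non-empty result for a subnet you plan to use, every device on that segment (and every router forwarding to it) must be configured with the subnet mask, because a classful device will treat the subnet's broadcast or network address as the whole class C's.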