We're working on a major network overhaul in anticipation of future demands...
Our current setup is quite simple, and serves only as a temporary setup until
the new layout is hashed out.
To get a little perspective on what we're trying to do, let me tell you a bit
about the company. It's an ISP of sorts, but we deal solely with corporate
customers or bulk buyers. As a result, our security policy has to be loose
enough to allow them to do the things clients want to do, while at the same
time, protecting our office from being overrun with little kneebiters...
Here's a peek at the current setup:
current
=======
                                            +----------+        +---------+
                                        +---|portmaster|    +---|mail/news|
                                        |   +----------+    |   +---------+
+--------+    +----------+              |                   |     +------+
|internet|-T1-|cisco 2501|--inside net--+-------------------+-----|office|
+--------+    +----------+              |                         +------+
                                        |   +-------+
                                        +---|webhost|
                                            +-------+
The cisco currently filters out all incoming traffic but http to webhost, smtp
and nntp to mail/news, ssh to webhost, dns datagrams to webhost and
mail/news host, and ports over 1024. Obviously this is a problem as a
large network space is wide open.
Our planned network would look something like the following...
planned
=======
                               +-------------------+
                           +---|co-located machines|
           +----+          |   +-------------------+
           |isdn|---+      |
           +----+   |      |             +---|portmaster|      +---|news/mail|
                    |      |             |   +----------+      |   +---------+
+--------+    +-----+----+ |             | +--------+  +-----+ |          +------+
|internet|-T1-|cisco 7000|---outside net---|firewall|--|cisco|---inside---|office|
+--------+    +-----+----+                 +--------+  +-----+          | +------+
                    |                                                   |   +-------+
                    |   +------------+                                  +---|webhost|
                    +---|leased lines|                                      +-------+
                        +------------+
In the planned network, the cisco 7000 filters out all unnecessary
incoming traffic to the outside net. Filters for leased lines and isdn will
be handled on an individual basis. Co-located machines are web servers,
ftp servers, etc. that clients have paid to locate on our network. The
firewall will run http, smtp, nntp, and pop proxies (at least) which will
retrieve things from the appropriate host on the inside net. An important
requirement of the firewall is that we be able to easily add proxies as
needed for other services. In addition, adding virtual interfaces to the
external firewall interface would be very useful as we serve several
domains on our internal network. Ideally nothing would actually be
hosted on the firewall. Internal and external dns servers will also be
run on the firewall. The cisco on the other side of the firewall would simply
filter out all traffic not coming from the firewall.
I'm looking for any critiques/suggestions you all might have as to what sort
of firewall product/machine we should look into, and how feasible/secure the
above setup is.
Thanks!
--
- Matthew E Cable / Systems Administrator / Internet Technologies Group, Inc.
/ Cambridge, MA / http://www.itg.net/~mec
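Editor's added example, not part of the original post: the router filtering described above written out as Cisco IOS extended access lists. The addresses are placeholders from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges, and the list numbers and interface names are assumptions. List 101 mirrors the current policy but replaces the blanket "ports over 1024" hole, which the post identifies as the problem, with the `established` keyword; list 102 implements the planned inner router's rule of passing only traffic that comes from the firewall.

```cisco
! Added example. Constructed addresses (192.0.2.x outside hosts,
! 198.51.100.1 firewall inside address); list numbers and interface
! names are assumptions.
!
! --- Outer router (the cisco 2501 today, the cisco 7000 in the plan) ---
! Applied inbound on the T1. Same permits as the current policy:
! http and ssh to webhost, smtp and nntp to mail/news, dns datagrams to both.
access-list 101 permit tcp any host 192.0.2.10 eq www
access-list 101 permit tcp any host 192.0.2.10 eq 22
access-list 101 permit tcp any host 192.0.2.20 eq smtp
access-list 101 permit tcp any host 192.0.2.20 eq nntp
access-list 101 permit udp any host 192.0.2.10 eq domain
access-list 101 permit udp any host 192.0.2.20 eq domain
!
! The "ports over 1024" rule exists so that replies to connections opened
! from inside get back in. "established" admits only TCP segments carrying
! ACK or RST, i.e. replies to existing sessions, never the opening SYN of an
! inbound connection to a high port.
access-list 101 permit tcp any any established
!
! "established" is TCP only. The two dns servers still need answers to
! their own outbound queries (source port 53, destination a high port).
access-list 101 permit udp any eq domain host 192.0.2.10 gt 1023
access-list 101 permit udp any eq domain host 192.0.2.20 gt 1023
!
! Extended lists end with an implicit deny, so everything else, including
! unsolicited traffic to ports over 1024, is dropped.
interface Serial0
 ip access-group 101 in
!
! --- Inner router (the cisco between firewall and office in the plan) ---
! Applied inbound on the interface facing the firewall: only packets whose
! source is the firewall's inside address may enter the inside net.
access-list 102 permit ip host 198.51.100.1 any
!
interface Ethernet0
 ip access-group 102 in
```

`established` is a flag check, not connection tracking: it closes the open high-port hole but does not replace the proxying firewall in the planned design, and in the planned network the destinations in list 101 would become the firewall's outside address (and individually, the co-located machines) rather than the inside hosts. `show access-lists` prints per-line match counters, which is the quickest way to confirm each rule is being hit as intended and that nothing is falling through to the implicit deny unexpectedly.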