Reply to Ted Doty's config:
R&D net--------------+
HR net---------------+ router +----public access
ACC net--------------+
Each network has different source port filtering requirements. The way
I would propose as an easy approach: treat each pair separately and
develop its access topology, then merge them all, which results in an
overlay of the three access restriction topologies.
BUT: this is not a firewall router config! This is very risky
direct public access.
A firewall with router looks like:
R&D net ------+
HR net  ------+ local router +-+ firewall router +-public
ACC net ------+
The firewall router knows that no internal net comes in from the
public, hence no packet with source address (HR, ACC, R&D) either
comes in from public, or goes out to the private side.
And the port filtering is done purely on the firewall router, with
all the works.
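As an added illustration (not part of Mike's post), the following Python model shows both points above: the per-network port policies are developed one pair at a time and then merged into one overlay, and the firewall router applies the "no internal source address from the public side" rule before any port check. The private prefixes, the permitted ports, the interface names "public"/"private", the packet dict layout and the sample packets are all constructed assumptions for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed private prefixes for the three internal nets (assumption).
INTERNAL_NETS = {
    "R&D": ip_network("10.1.0.0/16"),
    "HR":  ip_network("10.2.0.0/16"),
    "ACC": ip_network("10.3.0.0/16"),
}

# Constructed per-network port policies: destination TCP ports each net may
# reach on the public side. Each (net, ports) pair is developed on its own,
# as the post proposes, and merged afterwards. R&D appears twice on purpose.
PER_NET_PORT_POLICIES = [
    ("R&D", {22, 80}),
    ("R&D", {443}),
    ("HR",  {443}),
    ("ACC", {25, 443}),
]


def which_internal_net(addr):
    """Name of the internal net containing addr, or None for a public address."""
    a = ip_address(addr)
    for name, net in INTERNAL_NETS.items():
        if a in net:
            return name
    return None


def merge_port_policies(pairs):
    """Overlay the separately developed (net, ports) pairs into one table."""
    merged = {}
    for name, ports in pairs:
        merged[name] = merged.get(name, frozenset()) | frozenset(ports)
    return merged


def firewall_decision(pkt, policy):
    """Decision of the firewall router for one packet.

    pkt: {"iface": "public"|"private", "src": ip, "dst": ip, "dport": int}
    Returns (action, reason). Anti-spoofing is checked before port policy.
    """
    src_net = which_internal_net(pkt["src"])
    dst_net = which_internal_net(pkt["dst"])
    if pkt["iface"] == "public":
        # No internal net lives on the public side, so an internal source
        # arriving here is spoofed and must never reach the private side.
        if src_net is not None:
            return ("drop", "internal source %s arriving from public (spoofed)" % src_net)
        if dst_net is None:
            return ("drop", "public packet not addressed to an internal net")
        return ("accept", "inbound to %s" % dst_net)
    if pkt["iface"] == "private":
        # Only internal sources may leave, only towards public, only on
        # ports the merged overlay permits for that source net.
        if src_net is None:
            return ("drop", "non-internal source on the private side")
        if dst_net is not None:
            return ("drop", "internal-to-internal traffic is the local router's job")
        if pkt["dport"] not in policy.get(src_net, frozenset()):
            return ("drop", "port %d not permitted for %s" % (pkt["dport"], src_net))
        return ("accept", "outbound from %s to port %d" % (src_net, pkt["dport"]))
    raise ValueError("unknown interface %r" % pkt["iface"])


# Constructed sample packets (assumption), one per rule of interest.
SAMPLE_PACKETS = [
    {"iface": "public",  "src": "10.2.5.5",   "dst": "10.1.0.9",   "dport": 80},   # spoofed HR source
    {"iface": "public",  "src": "192.0.2.10", "dst": "10.1.0.9",   "dport": 80},   # genuine inbound
    {"iface": "private", "src": "10.2.1.1",   "dst": "192.0.2.10", "dport": 80},   # HR to port 80: denied
    {"iface": "private", "src": "10.2.1.1",   "dst": "192.0.2.10", "dport": 443},  # HR to port 443: allowed
    {"iface": "private", "src": "10.1.1.1",   "dst": "192.0.2.10", "dport": 22},   # R&D to port 22: allowed
    {"iface": "private", "src": "10.1.1.1",   "dst": "10.3.0.7",   "dport": 443},  # intra-system, wrong router
]


def run_samples():
    """Actions for the sample packets under the merged overlay policy."""
    policy = merge_port_policies(PER_NET_PORT_POLICIES)
    return [firewall_decision(p, policy)[0] for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    policy = merge_port_policies(PER_NET_PORT_POLICIES)
    for p in SAMPLE_PACKETS:
        print(p["iface"], p["src"], "->", p["dst"], p["dport"], firewall_decision(p, policy))
```

The ordering in firewall_decision is the point: the source-address check on the public interface runs first and does not depend on any port policy, so the overlay of per-network port rules can be changed without weakening the anti-spoofing rule.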
There are many reasons to configure a router-based firewall this way:
1) Public access is mostly at most a T3, so high performance is not
required on the public interface. This allows either for a
smaller box, or for all the filter work you like to do.
2) Routing: the firewall router runs all inter-system routing
processes; the local router runs only intra-system routing
processes. The firewall router does the route propagation control
towards the public side.
3) Ease of configuration: all local routers are intra-system routers
and pretty much the same. Only one router is different: the firewall
router. Sit back and maintain only a few skeleton configurations.
(this was 1, 2, many *-), all I can count (zero is done by
computers).
Mike