Great Circle Associates Firewalls
(October 1994)
 


Subject: Re: firewall perimeter networks wasting addresses?
From: woycke @ mitre . org (Daniel W. Woycke)
Date: Thu, 6 Oct 1994 08:50:59 -0400
To: Brent McClure <bmcclur @ basis . com>, Firewalls @ GreatCircle . COM

At  9:41 AM 10/5/94 -0600, Brent McClure wrote:
>In reviewing the notes from a workshop on firewalls I found a specific
>description of an "ideal" firewall setup that involves setting up
>a perimeter network that has its own class C address.  The statement was
>made that it is "easy to get another class C address from the NIC for
>your perimeter net".
>
>I have been informed by our internet provider that he's not that thrilled
>to give up one of the addresses from his block for this purpose, and I
>suspect that the NIC isn't glad to see more addresses gobbled up in this way.
>Yes, I know there are millions left, but at one point we probably thought there
>were though class B addresses too.
>
>Since it appears that a single dual-homed host as a firewall has limitations,
>then isn't there a solution using a perimeter network that can be implemented
>where the perimeter network is simply a subnet of your current address rather
>than having to ask for another address?
>
>thanks, Brent

It is possible to use just one class C address to build a firewall.  Use
"Class C subnetting".  By taking a Class C address and subnetting it into
smaller networks you can build three separate networks off of one class C
address.
For Example:

        Addresses  Subnet Mask
        199.1.1.0  255.255.255.248

Allows you to have a network number (199.1.1.0), a router (199.1.1.1), two
hosts (199.1.1.2, 199.1.1.3), and a broadcast (199.1.1.4).  The other side
of the firewall has the same netmask and the next set of IP addresses.
On the other side of the internal router you have, I think, 243 addresses
left in the Class C space.  Now, you might need more than this, but then
you would probably need another Class C soon anyways...



Thank You,

Daniel W. Woycke             |"I went out drinking with Thomas
Information Engineer (c) 1992|Paine..." -- Billy Bragg
The MITRE Corporation        |"But I am still thirsty..."
7525 Colshire Drive (MS Z213)|-- Arrested Development
McLean, VA   22102           |These opinions are mine and are not
woycke @ smiley . mitre . org |and will not be held by anyone else.
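
An added example, not part of the original message or thread: Python's standard `ipaddress` module computing the subnet layout for the block and mask quoted above, and classifying addresses by zone so filter rules can be checked against the plan. Using the first two subnets as the two perimeter sides, and the function names, are assumptions made for illustration.

```python
import ipaddress

# Values from the message above: one class C block and the quoted subnet mask.
BLOCK = ipaddress.ip_network("199.1.1.0/24")
MASK = "255.255.255.248"


def describe(net):
    """Return network address, usable host range and broadcast of a subnet."""
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "usable": len(hosts),
    }


def carve(block, mask, perimeter_count):
    """Take the first `perimeter_count` subnets of `mask` size as perimeter
    networks; return them plus the remaining space as CIDR blocks."""
    prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    subnets = block.subnets(new_prefix=prefix)
    perimeters = [next(subnets) for _ in range(perimeter_count)]
    # Everything after the last perimeter subnet stays on the internal side.
    start = perimeters[-1].broadcast_address + 1
    internal = list(
        ipaddress.summarize_address_range(start, block.broadcast_address))
    return perimeters, internal


def zone_of(addr, perimeters, internal):
    """Classify an address as perimeter-N, internal or outside the block."""
    ip = ipaddress.ip_address(addr)
    for i, net in enumerate(perimeters):
        if ip in net:
            return f"perimeter-{i}"
    if any(ip in net for net in internal):
        return "internal"
    return "outside"


if __name__ == "__main__":
    perimeters, internal = carve(BLOCK, MASK, 2)
    for net in perimeters:
        print(net, describe(net))
    print("internal:", [str(n) for n in internal])
```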


