Great Circle Associates Firewalls
(October 1994)

Subject: Re: Firewalls Digest V3 #344
From: andys @ unipalm . co . uk (Andy Smith)
Date: Fri, 7 Oct 94 08:57:56 BST
To: Firewalls @ GreatCircle . COM

> ------------------------------
> 
> From: woycke @ mitre . org (Daniel W. Woycke)
> Date: Thu, 6 Oct 1994 08:50:59 -0400
> Subject: Re: firewall perimeter networks wasting addresses?
> 
> At  9:41 AM 10/5/94 -0600, Brent McClure wrote:
> >In reviewing the notes from a workshop on firewalls I found a specific
> >description of an "ideal" firewall setup that involves setting up
> >a perimeter network that has its own class C address.  The statement was
> >made that it is "easy to get another class C address from the NIC for
> >your perimeter net".
> >
> >I have been informed by our internet provider that he's not that thrilled
> >to give up one of the addresses from his block for this purpose, and I
> >suspect that the NIC isn't glad to see more addresses gobbled up in this way.
> >Yes, I know there are millions left, but at one point we probably thought there
> >were enough class B addresses too.
> >
> >Since it appears that a single dual-homed host as a firewall has limitations,
> >then isn't there a solution using a perimeter network that can be implemented
> >where the perimeter network is simply a subnet of your current address rather
> >than having to ask for another address?
> >
> >thanks, Brent

One of the methods that I use when building firewalls is for the client to get one
officially registered class C address, which is used for the public side of the
firewall, including web servers and router, and then use illegal class B and C network
numbers internally. This can be done, as the firewall totally isolates the internal
numbers from the Internet. Rather than wasting an extra class C address, this saves
on addresses. I have at least 2 customers that would have had to register for class
B addresses and renumber their whole internal networks if we had not done this.

All you need to do is use one of the special network numbers that has been set aside 
for testing internally, and use your registered class C for the external network.

Andy

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Andy Smith
Internet Security Specialist
Unipalm Consulting
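The addressing scheme described in the message above, as an added example that is not part of the original post or of any Unipalm product: a check that the plan really puts registered space outside and set-aside space inside with no overlaps, plus the outside-interface packet-filter policy that does the isolating. The "special network numbers set aside for testing internally" are taken here to be the ranges RFC 1597 reserved in March 1994 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, today RFC 1918); all network numbers in the sample plan are constructed, and 192.0.2.0/24 (a documentation range) stands in for the customer's registered class C.

```python
"""Check a firewall address plan of the kind described above and apply the
isolation rule on the Internet-facing interface.  Added example; the
networks below are constructed for illustration only."""
import ipaddress
from typing import List

# Address space set aside for internal use (RFC 1597 in 1994, RFC 1918 today).
PRIVATE_SPACE = [
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
]


def is_private(addr_or_net: str) -> bool:
    """True if the address or network lies entirely inside the set-aside space."""
    obj = ipaddress.IPv4Network(addr_or_net, strict=False)
    return any(obj.subnet_of(p) for p in PRIVATE_SPACE)


def check_plan(external: str, internal: List[str]) -> List[str]:
    """Validate the plan: the external (registered) network must be public,
    every internal network must be set-aside space, and nothing may overlap.
    Returns a list of problem descriptions; an empty list means the plan is OK."""
    problems = []
    ext = ipaddress.IPv4Network(external)
    if is_private(ext):
        problems.append(f"external net {ext} is set-aside space; it must be registered")
    nets = [ipaddress.IPv4Network(n) for n in internal]
    for i, n in enumerate(nets):
        if not is_private(n):
            # Using someone else's registered numbers inside is the real
            # "illegal" case: it makes that part of the Internet unreachable.
            problems.append(f"internal net {n} is not set-aside space; it may collide "
                            f"with a real Internet network")
        if n.overlaps(ext):
            problems.append(f"internal net {n} overlaps external net {ext}")
        for m in nets[i + 1:]:
            if n.overlaps(m):
                problems.append(f"internal nets {n} and {m} overlap")
    return problems


def outside_verdict(direction: str, src: str, dst: str) -> str:
    """Packet-filter policy for the firewall's outside (Internet) interface.
    direction is 'in' (arriving from the Internet) or 'out' (leaving to it).
    Set-aside numbers must never appear on the Internet side: an inbound
    packet with a private source is spoofed, an inbound packet to a private
    destination cannot be legitimate, and an outbound packet carrying a
    private address means an internal number has leaked past the firewall."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if direction == "in":
        if is_private(str(s)):
            return "drop: spoofed private source arriving from the Internet"
        if is_private(str(d)):
            return "drop: private destination on the outside interface"
        return "pass"
    if direction == "out":
        if is_private(str(s)):
            return "drop: internal number leaking to the Internet"
        if is_private(str(d)):
            return "drop: private destination routed toward the Internet"
        return "pass"
    raise ValueError(f"direction must be 'in' or 'out', not {direction!r}")


if __name__ == "__main__":
    # Constructed plan: one registered class C outside, a class B and a
    # class C from the set-aside space inside.
    ext_net = "192.0.2.0/24"
    int_nets = ["172.16.0.0/16", "192.168.1.0/24"]
    for p in check_plan(ext_net, int_nets) or ["plan OK"]:
        print(p)
    for args in (("in", "10.1.2.3", "192.0.2.10"),
                 ("in", "203.0.113.5", "192.0.2.10"),
                 ("out", "172.16.3.4", "203.0.113.5"),
                 ("out", "192.0.2.10", "203.0.113.5")):
        print(args, "->", outside_verdict(*args))
```

The plan check catches the two ways this scheme goes wrong in practice: an internal network that is not from the set-aside space (which silently makes that part of the Internet unreachable from inside) and overlapping internal numbers. The outside-interface policy is the part that makes "the firewall totally isolates the internal numbers" true; without those drop rules a misrouted packet carrying an internal number would reach the provider.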
