Andy Smith writes:
> One of the methods that I use when building firewalls is for the client to get one
> officially registered class C address, which is used for the public side of the
> firewall, including web servers and router, and then use illegal class B and C network
> numbers internally. This can be done, as the firewall totally isolates the internal
> numbers from the Internet.
This could burn you.
The firewall doesn't *totally* isolate the network. If you give the
internal network, say, 13.*.*.*, then you can rest assured that if the
firewall has to send a packet to 13.*.*.*, it'll attempt to send it to
the internal network, even if a legitimate owner of 13.*.*.* exists on
the Internet, and even if the user really wanted to connect (via SMTP
or otherwise) from the bastion to the legitimate owner.
One of our clients made the mistake of setting up their private
network with the IP network that the sysadmin chose, and he chose the
same one as his former employer, which is a major vendor. When they
decided they wanted to connect to the Internet, I pointed out this
awkward problem.
Ways around this:
1. Give your clients a network based on RFC 1597. Within this RFC is
a list of network numbers which anybody can freely use, with
limitations. Check it out.
2. Set up 2 bastion hosts. Perhaps more grief, but what's worse,
setting up and administering 2 bastion hosts, or renumbering the network?
3. Check out that one commercial product which has been flogged here a
number of times: Janus. I believe the authors of this product claim
to address this issue.
--
Jim Carroll -- jimc @ e-Commerce . Com
e-Commerce, Inc., 1030 Kamato Road, Suite 201
Mississauga, Ontario, Canada L4W 4B6
Tel: +1 905 602 0863 Fax: +1 905 602 8402
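The routing collision Jim describes, as an added example that is not part of the original post: a bastion with a route for the "internal" network number and a default route does a longest-prefix match, so any destination inside the internal prefix never reaches the Internet. The routing table and host addresses are constructed for illustration; the private ranges are the ones listed in RFC 1597.

```python
import ipaddress

# Address blocks set aside for private use by RFC 1597 (carried forward by RFC 1918)
RFC1597_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1597(net):
    """True if the internal network number falls inside an RFC 1597 private block."""
    net = ipaddress.ip_network(net)
    return any(net.subnet_of(p) for p in RFC1597_NETS)


def next_hop(routes, dst):
    """Longest-prefix-match lookup, the way a bastion host's IP stack picks a route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        prefix = ipaddress.ip_network(prefix)
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    return best[1] if best else None


def bastion_routes(internal_net):
    """Constructed routing table: default to the Internet, one route for the inside."""
    return [("0.0.0.0/0", "internet"), (internal_net, "internal")]


def reachable_from_bastion(internal_net, external_host):
    """True if a packet from the bastion to external_host would actually leave the site."""
    return next_hop(bastion_routes(internal_net), external_host) == "internet"


if __name__ == "__main__":
    # Hypothetical numbering: an inside network squatting on 13/8 versus one on 10/8
    for inside in ("13.0.0.0/8", "10.0.0.0/8"):
        print(inside, "RFC1597:", is_rfc1597(inside),
              "can reach 13.1.2.3:", reachable_from_bastion(inside, "13.1.2.3"))
```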