I have an interesting problem. I have a new network (actually, a new
service, but we'll leave out the "proprietary" details) going in which
must necessarily be connected to both my main data network and the
"outside" world, including both our customers and the "untamed"
Internet.
Here's a quick idea of how things go together:
------
| | "network entities"
--++--
||
--++--
| | Service Complex outside:
--++--
|| --Internet
------ ------ ------ ------ /
| |-----| |-----| |-----| |<
------ ------ ------ ------ \
"Main" Cisco TIS Cisco --Customer
data router Gauntlet router
network
I need TCP (telnet and X) and UDP (SNMP) access from the "Main" network
to the service complex for management purposes. I must also pass both
TCP and UDP (all ports) between the "outside" and the "network entities"
(NEs, for short). The service complex acts as a transparent bridge for
the IP addresses associated with the NEs. The IP addresses of the NEs
(which have public Class C networks dedicated to them which differ from
the rest of the internal net) are the only ones which will be accessible
from the outside world (hence the only advertised routes), but as stated
it must appear as if they are "directly" on the Internet or the
customer's network. Security of the NEs themselves is of no concern,
but security of the Service complex and the "Main" data network is of
extreme concern. The customers are responsible for their own security,
although we will not be routing packets between them and the Internet.
We currently have a TIS Gauntlet (v3.2a) system available for use in
this application, but I'm stumped as to how to get it to "disappear"
with respect to this certain range of addresses. For all intents and
purposes, when faced with a source (when outgoing) or destination (when
incoming) address in the range dedicated to the NEs, I want it to act
like a router.
At first, no other traffic will pass through the Gauntlet, although
perhaps in the near future there will be certain authenticated traffic
allowed to the Service complex itself, as well as possible traffic
between the "Main" network and the Internet. These, of course, can be
achieved using "normal, everyday" proxies and authentication.
I'm required to use an application gateway-type system here by company
policy, with which I agree. While this restricted connectivity could be
achieved via an access list in a router, that is not considered secure
enough. We need the logging and "failsafes" of a real firewall.
Any suggestions of how to do this with the Gauntlet would be much
appreciated. Although I'd prefer to use the TIS product, other ideas
are also welcome. BTW, our corporate IS folks [ the ones who will audit
this once I get it done ;) ] aren't big fans of the PIX firewalls.
TIA...
--Greg
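The connectivity requirements in the post above can be written down as an explicit policy and tested before any firewall or router configuration is touched. The following is an added example, not part of the original post and not Gauntlet configuration; it models the stated rules (management TCP/UDP from "Main" to the Service complex, router-like pass-through for the NE address ranges to and from the outside, nothing else) as a flow classifier. All network addresses are constructed placeholders from the RFC 5737 documentation ranges, since the post gives none; the zone names, the `classify` function and the port sets are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder address plan (the post names no addresses).
MAIN_NET = ipaddress.ip_network("10.0.0.0/8")          # "Main" data network
SERVICE_NET = ipaddress.ip_network("172.16.0.0/16")    # Service complex management side
NE_NETS = [                                            # public Class Cs dedicated to the NEs
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]
CUSTOMER_NET = ipaddress.ip_network("198.51.100.0/24")  # one customer's address space

# Management traffic allowed from Main to the Service complex (assumed ports:
# telnet, X11 displays :0 through :63, SNMP and SNMP traps).
MGMT_PORTS = {
    "tcp": {23} | set(range(6000, 6064)),
    "udp": {161, 162},
}
OUTSIDE_ZONES = {"internet", "customer"}


def zone(address: str) -> str:
    """Map an IP address to the zone it belongs to in the constructed plan."""
    ip = ipaddress.ip_address(address)
    if any(ip in net for net in NE_NETS):
        return "ne"
    if ip in CUSTOMER_NET:
        return "customer"
    if ip in MAIN_NET:
        return "main"
    if ip in SERVICE_NET:
        return "service"
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or anything else (denied)
    dport: int


def classify(flow: Flow) -> str:
    """Return the verdict the post's policy implies for one flow.

    "transparent": NE address on one side, outside on the other; all TCP/UDP
                   ports pass as if through a router (source when outgoing,
                   destination when incoming).
    "mgmt":        Main -> Service complex on an allowed management port,
                   the traffic that would go through ordinary proxies.
    "deny":        everything else, including customer <-> Internet and
                   Main <-> Internet, which the post says are not routed.
    """
    if flow.proto not in ("tcp", "udp"):
        return "deny"
    sz, dz = zone(flow.src), zone(flow.dst)
    if (sz == "ne" and dz in OUTSIDE_ZONES) or (dz == "ne" and sz in OUTSIDE_ZONES):
        return "transparent"
    if sz == "main" and dz == "service" and flow.dport in MGMT_PORTS[flow.proto]:
        return "mgmt"
    return "deny"


def audit(flows) -> dict:
    """Classify a batch of flows and count verdicts, for checking a ruleset
    against a list of expected and unexpected flows."""
    counts = {"transparent": 0, "mgmt": 0, "deny": 0}
    for flow in flows:
        counts[classify(flow)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample flows covering each rule and its negative case.
    samples = [
        Flow("10.1.2.3", "172.16.0.5", "tcp", 23),        # Main -> Service telnet: mgmt
        Flow("10.1.2.3", "172.16.0.5", "udp", 161),       # Main -> Service SNMP: mgmt
        Flow("10.1.2.3", "172.16.0.5", "tcp", 80),        # Main -> Service HTTP: deny
        Flow("192.0.2.10", "8.8.8.8", "tcp", 443),        # NE -> Internet: transparent
        Flow("198.51.100.7", "203.0.113.9", "udp", 4000), # Customer -> NE: transparent
        Flow("198.51.100.7", "8.8.8.8", "tcp", 80),       # Customer -> Internet: deny
        Flow("8.8.8.8", "172.16.0.5", "tcp", 23),         # Internet -> Service: deny
    ]
    for f in samples:
        print(f"{f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport:<5} {classify(f)}")
    print(audit(samples))
```

The point of keeping the policy as a table of zones and a single `classify` function is that every rule in the post becomes a checkable assertion: a flow list like the one above can be replayed against the model whenever the address plan or the firewall configuration changes, and any verdict that differs from what the real device logs is a misconfiguration to investigate.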