>              Gateway Box
>                   |
>                   |
>              Firewall Box
>                   |
>                   |
>               LAN Router
>                /  |  \
>               /   |   \
>              /    |    \
>         Node 1  Node 2  Node 3
>
This picture is correct: a 'firewall' is sitting between the Big Bad Internet and
your LAN. The 'LAN Router' would be missing at small sites.
This design has its drawbacks if any of 'Node 1..3' has to be accessible from the
Internet. Say Node 1 receives e-mail: it can be vulnerable to break-ins. Anyone
breaking into this machine can then use it as a stepping stone to attack the rest
of your network. You may want to place some hosts on the Internet side of the
firewall to prevent that from happening. If your Internet gateway has a static
packet filtering capability, you can further limit your vulnerability by
implementing a screened subnet.
          .------------.       .------------.
Internet  |            |       |            |
----------|  Gateway   |--+----|  Firewall  |-----+----------+-- . . . .----+
          |            |  |    |  (Linux)   |     |          |              |
          '------------'  |    '------------'     |          |              |
                          |                       |          |              |
                      .-------.              .---------. .--------.    .---------.
                      |       |              |         | |        |    |         |
                      | Mail  |              |  File   | |  User  |    |  User   |
                      | Host  |              | Server  | |   PC   |    |   PC    |
                      |       |              |         | |        |    |         |
                      '-------'              '---------' '--------'    '---------'
I left out your router as it's irrelevant to the discussion. If you put a couple
of network cards in the firewall host, it can double as a router too. I'm doing
just that at the moment: we're running a gateway system with a dynamic packet
filter (a MorningStar SecureConnect), and a Linux box acts as a router and static
packet filter. We also run the TIS firewall toolkit on the Linux box to allow
limited inbound access, though I prefer SSH for that purpose.
Ge'
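The screened-subnet argument in the post above, as an added example that is not from the original message or its author: a first-match static packet filter for the LAN side of the Linux box, modelled in Python with constructed addresses, showing that a mail host broken into on the screened subnet can still answer LAN clients but cannot open new sessions into the LAN. The 'ACK only' match stands in for the way static filters of that era recognised return traffic; the addresses, port numbers and host names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed addresses: the mail host is on the screened subnet between the
# gateway and the Linux firewall; file server and user PCs are behind it.
INTERNET = ip_network("0.0.0.0/0")
LAN = ip_network("10.0.0.0/24")
MAIL_HOST = ip_address("192.0.2.25")

@dataclass(frozen=True)
class Packet:            # TCP only; UDP has no ACK bit for a static filter to use
    src: IPv4Address
    dst: IPv4Address
    dport: int
    ack: bool = False    # ACK set: segment belongs to an already open connection

@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    ports: range         # allowed destination ports
    ack_only: bool       # match only ACK segments (a static filter's "established")
    action: str

    def matches(self, p: Packet) -> bool:
        return (p.src in self.src and p.dst in self.dst
                and p.dport in self.ports and (p.ack or not self.ack_only))

# First-match policy on the LAN side of the Linux box. Without connection
# tracking, return traffic is recognised only by the ACK bit plus a high
# destination port, so any SYN arriving from outside (the mail host included)
# is refused: a broken-into mail host cannot open sessions into the LAN.
POLICY = [
    Rule(LAN, INTERNET, range(65536), False, "ACCEPT"),       # LAN initiates outbound
    Rule(INTERNET, LAN, range(1024, 65536), True, "ACCEPT"),  # replies to LAN clients
    Rule(INTERNET, INTERNET, range(65536), False, "DROP"),    # default deny
]

def filter_packet(p: Packet, policy=POLICY) -> str:
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "DROP"

def stepping_stone_check() -> dict:
    """Node 1 (the mail host) has been broken into and probes the LAN."""
    file_server, user_pc = ip_address("10.0.0.5"), ip_address("10.0.0.20")
    cases = {
        "pc_fetches_mail":   Packet(user_pc, MAIL_HOST, 110),
        "mail_reply_to_pc":  Packet(MAIL_HOST, user_pc, 40000, ack=True),
        "mailhost_to_smb":   Packet(MAIL_HOST, file_server, 139),
        "mailhost_syn_high": Packet(MAIL_HOST, file_server, 40000),
    }
    return {name: filter_packet(p) for name, p in cases.items()}
```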