Guilherme S Cantisano,
Are you planning to turn your Firewall box into a routing box ?? Err..I
think most of today's OSes (Unix & NT) are not meant to do routing. There is
no special routing engine that comes together with these OSs. Correct me if I
slipped up here...
IMO, you should have a hub/switch connected to your DMZ and you can have
as many ports as you wish. You shouldn't burden the OS to do heavy routing
tasks.
rgds,
PaLaN
>On Tue, 12 Aug 1997, Guilherme S Cantisano wrote:
>
>> Date: Tue, 12 Aug 1997 13:16:55 -0200
>> From: Guilherme S Cantisano <guilherme@graphus.com.br>
>
>> I want a Firewall with 8 Network Adapter Cards, anybody have a same or
>> "close" topology ?
>
>Before best advice can be offered I'd suggest you think of a few wider
>issues. Here are a few for starters:
>
>With 8 NIC's, which are friendly and which are hostile (what policies
>apply to each network) ?
>
>Which services need to pass between which networks
>
>With the level of services and policies, are all of them really separate
>networks ?
>
>What bandwidth must be handled ?
>
>Just how secure should it be (how important is it that nobody from one
>network gets to another)?
>
>Why are you sure it should be one box and not a number of boxes ?
>
>Perhaps some of the networks need another layer (or more) to protect
>them.
>
>How will you test the rules once you've set it up ?
>
>More interesting, how will you test the rules when they've been changed ?
>
>What will you be logging, where to and what will you do with it ?
>
>How will you recognise unwelcome activity and what will you do ?
>
>......
>
>
>I'm sure many more questions can be added. The point I'm making is that
>you need to focus on the real requirements (or perhaps I should say the
>real need) before you look for the solution.
>
>It's not hard to buy a box with 8 NIC's, or more, and quite a few
>firewalls allow you to build a rule base to support this. The tricky bit
>is getting the architecture and the rules right and knowing it is *really*
>right and keeping it that way ;-)
>
>For example, I've recently been testing FW-1 on a Sun box with 13 NIC's
>and with the right rules it's no less (or more) secure than FW-1 with 2
>NIC's.
>
>However, before you decide this is right for you, give a good look at
>the whole subject and then look for hardware, software and appropriate
>management solutions.
>
>Good luck,
>
>Dave
>--
>Dave Whitlow
>EMail: dwhitlow@wend.dircon.co.uk
>Web: http://www.idsec.co.uk
>
>
Security Analyst
West Malaysia.
_______________________________________________
"Here is my key ... lets exchange packets now."
References:
- 8 Networks
  From: "Guilherme S Cantisano" <guilherme@graphus.com.br>
- Re: 8 Networks
  From: Dave Whitlow <dwhitlow@wend.dircon.co.uk>