I need to access machines being protected by a firewall via a backend
network for administrative/monitoring purposes. The firewall solutions are
Raptor & Check Point. I need to determine how licensing is tracked on these
firewalls (IP address, MAC address, etc.).
The problem:
1-The backend network used for maintenance connects to every machine in
the web farm. Thus, every ARPed IP address will hit the firewall causing
the firewall to believe it is protecting more than the allotted licensed
amount.
2-If I use solution A (the preferred method) I maintain a DMZ which will
allow me to keep only one backend network for all machines in the farm
without the concerns of a "backdoor" into the protected machines.
However, this solution does not solve the ARP problem unless I replace the
switch with a router for every firewall in the farm.
3-If I use solution B I will need to separate the backend network into
"protected" & "unprotected" machines via a router which reduces the
number of routers needed. However, this causes me some concern about the
"backdoor" issue if a router is compromised (I would probably just set up a
second backend network). This also does not solve the ARP problem for
the machines on the "protected" network.
4-Solution C, with IP forwarding turned on on the "protected" machines,
offers the same concerns as solution B. With IP forwarding turned off on
the "protected" machines, there is no way to backup the firewalls
(except putting a floppy into each firewall).
5-(This is the solution I'm currently implementing) Go with solution A and
put the "DMZ" interface of each firewall on a separate 10.x.x.x subnet,
thus eliminating the ARP problem. This, however, creates an
administrative nightmare for the number of machines I'm talking about here.
Internet
|
|
Router
|
| (A)
Firewall-------------------switch---------Backend Network (Backups &
maintenance) several IP's
|
| (B)
Hub----------------------switch---------Backend Network (Backups &
maintenance) several IP's
|
|
------------
| |
| |
| |
www Database
| |
| |
------------
|
| (C)
Hub---------------------switch----------Backend Network (Backups &
maintenance) Several IP's
I apologize for the long-winded dissertation, but I wanted you to have all
the options I considered. I'm open for suggestions at this point. I think I
could use a fresh approach.
Thanks in advance.
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|Andre' L. Mintz |
|DIGEX Security Services |
|Director, Security Products Operations |
|DIGEX, Inc. |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|almintz@digex.net | E-mail |
|301-847-5953 | Office |
|301-847-6215 | Fax |
|888-688-7995 | Pager |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|DIGEX Security Services Customer Support |
|301-847-5008 |
|fire@digex.net |
|http://support.dss.digex.net |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
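The post's central question is how many hosts the firewall's node-count license "sees" on the inside interface when the shared backend network is on the same broadcast domain as the protected machines. The following Python script is an added example, not part of the original message and not a Raptor or Check Point tool. It assumes what the post supposes (that a per-node license counts every distinct IP address observed on the protected side; the actual counting method on either product is exactly what the post asks to determine), and it parses constructed tcpdump-style ARP lines, so it can be run against a real capture from the firewall's inside interface to tally live hosts per subnet and compare the tally with the licensed host count. The sample capture, the subnets and the licensed count of 5 are all invented for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of tcpdump-style ARP output as it might be captured on a
# firewall's inside interface. These lines are invented for the example:
# 192.168.1.0/24 stands in for the shared backend/maintenance network and
# 10.1.1.0/24 for one firewall's own "DMZ" segment (solution 5 in the post).
SAMPLE_ARP_CAPTURE = """\
12:00:01.000 arp who-has 192.168.1.10 tell 192.168.1.1
12:00:01.100 arp reply 192.168.1.10 is-at 00:50:56:aa:bb:01
12:00:02.000 arp who-has 10.1.1.5 tell 10.1.1.20
12:00:02.050 arp who-has 10.1.1.5 tell 10.1.1.21
12:00:03.000 arp reply 10.1.1.5 is-at 00:50:56:aa:bb:05
12:00:04.000 arp who-has 192.168.1.11 tell 192.168.1.1
12:00:04.100 arp reply 192.168.1.11 is-at 00:50:56:aa:bb:02
12:00:05.000 arp who-has 10.1.1.30 tell 10.1.1.20
"""

WHO_HAS = re.compile(r"\barp who-has (\S+) tell (\S+)")
REPLY = re.compile(r"\barp reply (\S+) is-at ([0-9a-fA-F:]{17})")


def live_hosts(capture):
    """Return (ips, ip_to_mac) for hosts that actually transmitted.

    The sender of a who-has request ("tell X") and the responder in a reply
    ("X is-at MAC") are live hosts on the segment.  The *target* of a who-has
    may not exist at all (a dead box, a typo, a scan), so it is not counted.
    """
    ips = set()
    ip_to_mac = {}
    for line in capture.splitlines():
        m = WHO_HAS.search(line)
        if m:
            ips.add(m.group(2))
            continue
        m = REPLY.search(line)
        if m:
            ips.add(m.group(1))
            ip_to_mac[m.group(1)] = m.group(2).lower()
    return ips, ip_to_mac


def hosts_by_subnet(ips, subnets):
    """Group live IPs by the subnet they fall in ("other" if none match)."""
    nets = [ip_network(s) for s in subnets]
    grouped = defaultdict(set)
    for ip in ips:
        addr = ip_address(ip)
        for net in nets:
            if addr in net:
                grouped[str(net)].add(ip)
                break
        else:
            grouped["other"].add(ip)
    return {k: sorted(v, key=ip_address) for k, v in grouped.items()}


def license_count(ips, counted_subnets, licensed_hosts):
    """Hosts a per-node license would count, under the assumption (made in
    the post, not verified here) that every distinct IP seen on the protected
    side is counted.  counted_subnets limits the tally to the segments the
    firewall's inside interface actually sits on.  Returns (count, within)."""
    nets = [ip_network(s) for s in counted_subnets]
    n = sum(1 for ip in ips if any(ip_address(ip) in net for net in nets))
    return n, n <= licensed_hosts


if __name__ == "__main__":
    ips, macs = live_hosts(SAMPLE_ARP_CAPTURE)
    print(hosts_by_subnet(ips, ["192.168.1.0/24", "10.1.1.0/24"]))
    # Shared backend network on the same broadcast domain: every host counts.
    print(license_count(ips, ["192.168.1.0/24", "10.1.1.0/24"], 5))
    # DMZ interface on its own 10.x subnet: only that segment's hosts count.
    print(license_count(ips, ["10.1.1.0/24"], 5))
```

Run against a real capture (for example `tcpdump -n -e arp` on the inside interface, piped into `live_hosts`), the per-subnet grouping shows directly how many of the counted hosts belong to the backend/maintenance network rather than to the machines the firewall is meant to protect, which is the number that solution 5 removes from the tally by moving the DMZ interface onto its own subnet.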