A couple of suggestions. First, if you have not already bought the
Cisco 2509, consider the Cisco PIX. It is not too expensive for small
companies in the 256 port variety. Beware, however, that Netscape uses
about ~6 ports per user surfer, and IE uses ~8. The PIX is designed
for NAT. It works REAL GOOOOD! That is a 2-edged sword, which can
keep the good guys out, along with the baddies.
Next, set up duplicate servers, one outside and one inside. Configure
the PIX to only allow calls through from inside, and from the matching
machine (inside mail to outside mail, etc.). Use cron to initiate the
connection every 'n' minutes, where you determine 'n' based on users'
needs. The 'n' for 'www' should be larger than the 'n' for mailhost.
The fetch for mail occurs during the connection originated from inside!
Same for news, ...
Set up one of your DMZ machines to do passive monitoring, with the login
and sulog files going to a printer. If it is in a locked room (I may be
paranoid), it is really hard to hack. Your inside server can drop-ship
the configuration files daily, again from inside-to-outside.
You cannot keep the best crackers out of the inside, but this will sure
slow down those not quite that good. You will need to scan for viruses,
and other stuff, too. This does not keep salesmen from coming by with
small floppies, and handing out neat games (read trojan horse) which
scan your network from the inside and then send the results outside.
Your inside folks don't care, as they access only the inside machines.
The outside ones can be had, but only the data file areas are checked,
then brought inside. The OS files can be downloaded every (night, week,
month, ...) to protect the DMZ machines.
> From saeed @ pk Thu Feb 26 02:38:55 1998
> Date: Wed, 25 Feb 1998 15:45:35 +0500
> From: saeed @ pk (saeed abubakar)
> MIME-Version: 1.0
> To: "'firewalls @ com'" <firewalls @
> Subject: NAT question
> X-Priority: 3 (Normal)
> Content-Transfer-Encoding: 7bit
> We will be implementing NAT for our Intranet using CISCO 2509.
> The question I have for all you Gurus is: I have an Oracle Server
> (running everything on NT) and a Lotus Notes (again NT) server
> accessible to the outside world. Will implementation of NAT affect their
> approachability from the outside world and for people on the inside?
> I hope my question is comprehended by all.
> Saeed Abubakar
> Sr. System Engineer
> Network Operations
> Cyber Internet Services (Pvt) Ltd.
> e-mail :- saeed @
> web :- http://www.cyber.net.pk
> Telephone :- (92 21) 111445566 Ext. 232/201
> Fax :- 92 21 5686745
At least that's one thought. OK, cats-and-jammers, how about some others?
BTW, you still need an access router and a choke router. Maybe that 2509
can be used there.
Bob De Witt,
The views expressed herein are my own,
and are not attributable to any other
source, be it employer, friend or foe.
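The "duplicate servers, inside-initiated pulls" design in Bob's reply can be modelled in a few lines. What follows is an added illustration written for this page, not code from either poster and not a PIX configuration: it pairs each inside server with its DMZ twin, refuses any new session that is not opened by an inside server toward its own twin, lets reply packets of an open session back in, and derives the cron schedule from a per-service 'n'. The host names, pairing table, interval values and the `/usr/local/sbin/pull` command are all assumptions constructed for the example; the crontab lines assume Vixie-style `*/n` step syntax.

```python
"""Model of the outbound-only twin-server policy described in the post.

Added example; host names, pairings, intervals and the pull command are
constructed for illustration and are not taken from the original message.
"""

# Inside server -> its matching twin in the DMZ (constructed names).
# Only these pairs may talk, and only when the inside side calls out.
TWINS = {
    "mail-in": "mail-dmz",
    "www-in": "www-dmz",
    "news-in": "news-dmz",
}

# Pull interval 'n' in minutes per inside service (constructed values);
# www changes less often than mail, so its 'n' is larger.
PULL_EVERY = {"mail-in": 10, "news-in": 30, "www-in": 60}


def new_connection(src, dst, src_zone, established):
    """Decide whether the firewall opens a new session for src -> dst.

    The session is opened and recorded only when an inside server calls
    its own twin. Requests from the DMZ or from outside, and cross-pair
    calls such as inside mail -> outside www, are refused.
    """
    if src_zone == "inside" and TWINS.get(src) == dst:
        established.add((src, dst))
        return True
    return False


def packet_ok(src, dst, established):
    """A packet belonging to an open session passes in either direction.

    This is what lets the DMZ mail twin hand mail back to the inside
    server during a pull the inside server originated.
    """
    return (src, dst) in established or (dst, src) in established


def due_now(minute_of_day):
    """Inside services whose interval 'n' divides the current minute."""
    return sorted(s for s, n in PULL_EVERY.items() if minute_of_day % n == 0)


def crontab_lines():
    """Crontab entries (Vixie '*/n' syntax) that start each inside pull.

    '/usr/local/sbin/pull' is a hypothetical script that connects from
    the inside server to the named twin and fetches pending data.
    """
    return [
        f"*/{n} * * * * /usr/local/sbin/pull {s} {TWINS[s]}"
        for s, n in sorted(PULL_EVERY.items())
    ]


if __name__ == "__main__":
    sessions = set()
    print("inside mail -> twin:", new_connection("mail-in", "mail-dmz", "inside", sessions))
    print("reply from twin:   ", packet_ok("mail-dmz", "mail-in", sessions))
    print("dmz -> inside:     ", new_connection("mail-dmz", "mail-in", "dmz", sessions))
    print("wrong twin:        ", new_connection("mail-in", "www-dmz", "inside", sessions))
    print("due at minute 30:  ", due_now(30))
    print("\n".join(crontab_lines()))
```

The point the model makes explicit is that no rule ever permits a session whose first packet comes from the DMZ or from outside; the DMZ twin can only answer within a session the inside server already opened, and once that pull finishes the state is gone.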