Re: Linux, New Corporate Network, Cisco Routers, T1 Ethernet Handoff, DMZ...
- From: Andrew Gideon <c182driver1@xxxxxxxxxx>
- Date: Mon, 20 Mar 2006 10:29:43 -0500
On Mon, 20 Mar 2006 09:06:40 -0500, J S wrote:
Just some random musings on your idea:
> will I make that network that uses these IPs the DMZ?
That may be the easiest way to go. You can define another network, in
private IP space (RFC1918), for your internal network. Your router can
NAT the traffic you want to permit out from your internal network to the
Internet to the IP on your router's external interface.
The same router can route from that internal network to the DMZ (w/o NAT).
If 10 addresses is enough for the machines in your DMZ, I don't think it
needs to be any more complex than that. If you need more machines, then
you might want to reverse-NAT from the Internet to the DMZ (i.e., perhaps
mapping port 25 on external IP A to port 25 on DMZ IP Z while port 80 on
external IP A is mapped to port 80 on DMZ IP Y). But if you can avoid
that complexity, I'd recommend it.
So your router will have three IPs: the external IP (which I'm assuming is
not a part of that 10, but is instead in some /30 your ISP has allocated
for the link), a DMZ IP (in that range of 10), and a private IP (facing
your internal network).
A limiting factor is the VOIP gear. I *think* these can work behind NAT,
but I'm not sure. Another limiting factor is the performance of the
router. Can it handle all the traffic plus NATing (w/o latency that'll
hurt an application like VOIP)?
We used to use a 2600 class router, and we reached its limit (it's
currently sitting in a supply room {8^). But, if I recall correctly, it
was a memory limit that we hit more than anything else. We'd a large
configuration as it was routing between multiple VLANs.
One additional point: Don't put your proxy server in the DMZ. It doesn't
need to be there, as far as I can see, as it isn't responding to external
requests. Put it in your internal network, and configure the NAT (and
filters) such that only response packets from the outside world can reach
it.
Don't put anything in the less secure DMZ unless it really needs to be
there.
You could get fancy, and have the proxy server (and anything else that
needs to talk to the outside world) on one private network and
everything else in another. But I'm not sure how much you gain by that.
And then you need to worry about routing between those additional networks.
Another thing that can be done is to create multiple DMZs: a web DMZ, a DNS
DMZ, etc. This permits different firewall logics for each. But you can
just filter on a per-host basis given the size of your DMZ (as I
understand it).
One advantage of the multiple DMZs, though, is that a break-in to your
mail servers (for example) doesn't impact the security of your DNS
servers (for example). But it means additional routing and additional
network complexity.
Finally, don't get too hung up on the static IP idea. There's no
difference between static IPs and dynamic except for the fact that the
static IPs don't change (or at least not as often {8^). Having dynamic
addresses granted by an ISP doesn't give you any additional security, for
example; you still need to limit ingress and egress to avoid all the usual
hazards.
- Andrew
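The three-interface design Andrew describes (external /30, public DMZ block, RFC1918 internal network NATed only on the Internet-facing leg, DMZ reached by plain routing, proxy kept inside and reachable only by reply packets, per-host filtering into the DMZ), written out as an iptables ruleset. This is an added example, not code from the thread; it assumes the router is a Linux box with iptables and conntrack rather than the Cisco gear in the subject line, and the interface names (eth0/eth1/eth2) and TEST-NET addresses are placeholders.

```shell
#!/bin/sh
# Dry-run by default: rules are printed, not applied. Run with IPT=iptables to apply.
# Assumes net.ipv4.ip_forward=1 on the router. All addresses below are placeholders.
dryrun() { printf '%s\n' "$*"; }
IPT="${IPT:-dryrun}"

EXT_IF=eth0; EXT_IP=198.51.100.2            # router's address on the ISP /30 (TEST-NET-2)
DMZ_IF=eth1; DMZ_NET=203.0.113.0/28         # the block of public DMZ addresses (TEST-NET-3)
INT_IF=eth2; INT_NET=192.168.10.0/24        # RFC1918 internal network
MAIL_HOST=203.0.113.5; WEB_HOST=203.0.113.6 # DMZ hosts "Z" (port 25) and "Y" (port 80)

apply_firewall() {
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    $IPT -P FORWARD DROP    # nothing crosses zones unless a rule below permits it

    # Reply traffic for already-permitted flows. This is what lets the internal
    # proxy talk to the Internet while only response packets can come back to it.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Internal -> Internet: permit new flows, source-NAT them to the external IP.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j SNAT --to-source "$EXT_IP"

    # Internal -> DMZ: routed without NAT (DMZ addresses are public anyway).
    $IPT -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -s "$INT_NET" -d "$DMZ_NET" -m conntrack --ctstate NEW -j ACCEPT

    # Internet -> DMZ: per-host, per-service filtering, as the post suggests for a small DMZ.
    $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$MAIL_HOST" -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$WEB_HOST" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # DMZ -> Internet: outbound from DMZ hosts (mail delivery, DNS); tighten per host if needed.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$DMZ_NET" -m conntrack --ctstate NEW -j ACCEPT

    # Deliberately no rule for DMZ -> internal or Internet -> internal NEW flows:
    # a compromised DMZ host cannot open connections inward. Log what gets dropped.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

apply_firewall
```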