Re: help w/ network design
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Thu, 26 Jul 2007 15:07:56 -0500
On Wed, 25 Jul 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <2007072522402775249-enderwigginandrew@gmailcom>, Ender wrote:
> I'm trying to design a really secure network
"The best firewall is two inches of air."
> which has both wireless and ethernet and I was wondering if there is
> a common standard type of network setup I should use.
Not really - it depends on what services you want to offer to who, and
what risks you are guarding against. For a "home" or small business
type of setup, see the Home-Network-mini-HOWTO and the
Networking-Overview-HOWTO from the LDP. For more details, see the Linux
Network Administrator's Guide (nag2). Depending on your distribution,
these may be installed in /usr/share/doc or similar.
> I was thinking about something like this ...
>
> Internet --> Firewall/Router(1) --> Access Point --> Firewall/Router(2)
> --> Computers

That's one possible layout.
> The questions I'm wondering about are ...
>
> 1) Is it common to put 2 firewalls in a network?
There's a firewall at the corporate perimeter - another at the division
perimeter - still another at the facility perimeter, and a final one
at the department level. That's four. My wife works at a different
company, and they have only a perimeter firewall with all of their
"public" servers (web, mail, DNS, etc. for use/access from the world,
AS OPPOSED TO web, mail, DNS, etc. servers meant for internal use only)
hosted by an off-site provider. Pay your money - take your pick.
> I did that to put things like the access point and maybe some web
> servers in between, kinda like *I think* a DMZ sort of setup
I suspect you'll see more DMZs set as a separate stub off the first
firewall such as

Internet <--> Firewall <--> internal network
                 ^
                 |
                 v
                DMZ
The firewall rules are set such that systems _in_ the DMZ can not
initiate connections to the internal net, and only certain hosts
inside can connect to the DMZ hosts for other than very limited
services. There can also be _additional_ firewalls on the internal
network - that depends on what's in there, and what you see as your
threat model.
> 2) Is this correct to place the Access Point between these two
> firewalls?
That depends on your threat model - what are you trying to protect,
from who? Only you can answer that question.
> My thinking here is that since I want all the data on my ethernet to
> be secure,
From who?
> then the access point should not be on the inside
Are you worried about packet sniffers? Most modern networks are
switched, and your bad guy would have to be able to subvert the switch
in order to hear anything except broadcast traffic.
> and users should come through the same front door as anyone else
> (along w/ the normal authentication and authorization on the wifi).
Depends on the threat model. The networks I'm most familiar with
have remote access for employees on a separate DMZ from the one
containing public servers.
Old guy
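As an added example that is not part of Moe Trin's post: an iptables FORWARD chain for the stub-DMZ layout he sketches, encoding the rules he describes (hosts in the DMZ cannot initiate connections to the internal net; one internal admin host may manage DMZ boxes over ssh; everyone else inside reaches the DMZ only for the published web ports). Interface names, address ranges, the admin host and the service ports are assumptions for illustration; by default the script only prints the rules, and setting IPT=iptables applies them.

```shell
#!/bin/sh
# Added example, not code from the post. Three-legged firewall:
#   eth0 = Internet, eth1 = internal LAN, eth2 = DMZ stub.
# Addresses, interface names and ports are assumptions for illustration.
WAN=eth0
LAN=eth1
DMZ=eth2
ADMIN_HOST=192.168.1.10            # the one internal host allowed to manage DMZ boxes
PUBLIC_TCP=80,443,25,53            # services the DMZ publishes to the world
IPT=${IPT:-"echo iptables"}        # default: print rules; IPT=iptables applies them

dmz_forward_rules() {
    # Default deny for everything routed through the firewall.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies to connections that were allowed to start are fine in any direction;
    # this must come before the DMZ->LAN DROP so DMZ hosts can answer internal clients.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # World -> DMZ: only the published services may be initiated from outside.
    $IPT -A FORWARD -i $WAN -o $DMZ -p tcp -m multiport --dports $PUBLIC_TCP \
         -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $WAN -o $DMZ -p udp --dport 53 -j ACCEPT
    # DMZ -> internal: never initiated from the DMZ. Log first so a compromised
    # DMZ host probing inward shows up in the firewall log, then drop.
    $IPT -A FORWARD -i $DMZ -o $LAN -m limit --limit 5/min -j LOG --log-prefix "DMZ-TO-LAN: "
    $IPT -A FORWARD -i $DMZ -o $LAN -j DROP
    # Internal -> DMZ: the admin host gets ssh; everyone else only the web ports.
    $IPT -A FORWARD -i $LAN -o $DMZ -s $ADMIN_HOST -p tcp --dport 22 \
         -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $DMZ -p tcp -m multiport --dports 80,443 \
         -m conntrack --ctstate NEW -j ACCEPT
    # Internal -> world: unrestricted outbound here; tighten to fit your threat model.
    $IPT -A FORWARD -i $LAN -o $WAN -m conntrack --ctstate NEW -j ACCEPT
    # Anything else falls through to the DROP policy; log it so it is visible.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

dmz_forward_rules
```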