[LARTC] Beginner

[LARTC] Beginner

[Jean Dee]

hi,
I had a mail from a student in a local school(W/Africa) who needed help on a firewall project in this flow

#Lan--Internal Firewall--- External firewall -- Internet
                        | 
                        |
                   webserver 

he has completed the External firewall using squid and iptable(NAT)
What tools and how should he go about the Internal Firewall provide documentations if possible.
Thank you in advance 
regards

-- 
jdee



__________________________________________________________________
Your favorite stores, helpful shopping tools and great gift ideas. Experience the convenience of buying online with Shop@Netscape! http://shopnow.netscape.com/

Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Beginner

[ewan]

> #Lan--Internal Firewall--- External firewall -- Internet
>                         |
>                         |
>                    webserver


what purpose does the internal firewall serve? just plug everything into one
firewall and write rules accordingly

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Beginner

[Alex Bennee]

ewan said:
>
>> #Lan--Internal Firewall--- External firewall -- Internet
>>                         |
>>                         |
>>                    webserver
>
>
> what purpose does the internal firewall serve? just plug everything
> into one firewall and write rules accordingly

There is nothing wrong with having multiple layers of firewalls. It means
your haxor has several layers of security to beat - security through depth.

But you can just use iptables on your internal firewall as well. No point
learning new semantics :-)

Alex
www.bennee.com/~alex/


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Beginner

[Rens Houben]

[-- Attachment #1: Type: text/plain, Size: 1459 bytes --]

On Thu, 2002-05-23 at 12:58, Alex Bennee wrote:
> ewan said:
> >
> >> #Lan--Internal Firewall--- External firewall -- Internet
> >>                         |
> >>                         |
> >>                    webserver
> >
> >
> > what purpose does the internal firewall serve? just plug everything
> > into one firewall and write rules accordingly

> There is nothing wrong with having multiple layers of firewalls. It means
> your haxor has several layers of security to beat - security through depth.
More to the point, you can tell the inner firewall to do masquerading,
while the outer wall does filter-only, so your office LAN is safe where
the haxor can't even touch it until and unless he compromises the inner
firewall (which you can hammer shut to Fort Knoxian levels without
compromising accessibility) while the webserver (and maybe other servers
as well as the need arises) are in the perimeter -- not as well
defended, but accessible from the outside. 

> But you can just use iptables on your internal firewall as well. No point
> learning new semantics :-)
Other than the fact that it's fun. :)

> Alex
> www.bennee.com/~alex/

-- 
Rens Houben                           |    opinions are mine
Resident linux guru and sysadmin      | if my employers have one
Systemec Internet Services.           |they'll tell you themselves
PGP public key at http://suzaku.systemec.nl/shadur.key.asc  -- new Dec
12 2001

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

RE: [LARTC] Beginner

[Greg Scott]

Why not just do a topology like this:

LAN--------------Firewall
                       |
                       |
DMZ with webserver-----+

The perimeter network approach with 2 firewalls seems
much too complex for little if any benefit.

- Greg


-----Original Message-----
From: Rens Houben [mailto:shadur@systemec.nl]
Sent: Thursday, May 23, 2002 6:11 AM
To: alex@bennee.com
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Beginner


On Thu, 2002-05-23 at 12:58, Alex Bennee wrote:
> ewan said:
> >
> >> #Lan--Internal Firewall--- External firewall -- Internet
> >>                         |
> >>                         |
> >>                    webserver
> >
> >
> > what purpose does the internal firewall serve? just plug everything
> > into one firewall and write rules accordingly

> There is nothing wrong with having multiple layers of firewalls. It means
> your haxor has several layers of security to beat - security through depth.
More to the point, you can tell the inner firewall to do masquerading,
while the outer wall does filter-only, so your office LAN is safe where
the haxor can't even touch it until and unless he compromises the inner
firewall (which you can hammer shut to Fort Knoxian levels without
compromising accessibility) while the webserver (and maybe other servers
as well as the need arises) are in the perimeter -- not as well
defended, but accessible from the outside. 

> But you can just use iptables on your internal firewall as well. No point
> learning new semantics :-)
Other than the fact that it's fun. :)

> Alex
> www.bennee.com/~alex/

-- 
Rens Houben                           |    opinions are mine
Resident linux guru and sysadmin      | if my employers have one
Systemec Internet Services.           |they'll tell you themselves
PGP public key at http://suzaku.systemec.nl/shadur.key.asc  -- new Dec
12 2001
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/