
Thread: Internal Firewall Suggestions please

  1. #1
    Senior Member
    Join Date
    Feb 2002

    Internal Firewall Suggestions please

    Here's the scenario. We have 20 different sites in North America. All these sites are attached to us via frame relay network. They all use our site for internet access, and their local email servers use ours as an SMTP gateway. That's about all the access they should need. The other day I was running Ethereal on my machine, and noticed a client machine from one of our sites browsing through all my shares...very systematically....kinda like a virus propagating through shares? Anyway....

    I'd like to set up a firewall right between our internal router and LAN to prevent other sites' clients from accessing our LAN here.

    Question 1: Considering cost is an issue, what product should I use in this instance? I was leaning toward RH Linux's IPTables, but that's simply because I'm not sure of another cheap easy solution. A Stateful FW would be nice, but I might just have to settle for a packet filtering device.
    Access-Lists on the Cisco router are out since we'd have to be able to take the firewall out of production in case there are internal communication problems, and re-establish communication with the WAN in minutes.

    Question 2: I'm pretty new to *nix, so I'm not sure about this question at all. In Windows, a multi-homed machine needs its NICs to have IPs on two different subnets (at least I'm pretty sure of this).
    How would I set up a multi-homed (two-NIC) firewall/packet filter with both IPs needing to be the same subnet?
    Is it even possible to have the router send packets to the FW, and then have the FW forward these packets to the LAN? Would it also be possible for the LAN to use the FW as its gateway, and have the FW forward these packets to the router?

    Essentially, how does one set up an internal Firewall that needs to have both IPs on the same subnet? Maybe this is a simple concept with a simple solution.

    Router(> <--FW External(<forwarding>FW internal(><-- Internal LAN (10.10.10.x)

    Either way, any ideas would be greatly appreciated!

  2. #2
    Senior Member
    Join Date
    Nov 2001
    I'm not sure I really understood what you are after.. But this may be a solution.

    (client1) <--> (your router) <--> (firewall with dmz) <--> (intranet).

    Split the firewall in external, Intranet and dmz zone. Put all services needed for the clients in dmz. Set up the firewall with forwarding rules for needed services and applications.

    Use private addresses and NAT for your internal network.

    If you need to have services on your dmz access internal services (like db or mailserver) use dmz-pinholes; not recommended, but a better option than leaving it open.

    Cheap solutions may be Linux dists like


    If I had to choose a solution from these alternatives I would go for Securepoint, but that's my personal opinion and there are other alternatives as well.

    If you need further help and don't understand what I mean, please check out these sites first (they have good help) and as a last resort write me an e-mail and I will try to help you.

    And sorry if I misunderstood what you are looking for.


  3. #3
    Senior Member
    Join Date
    Feb 2002
    Hey thanks for the reply. Securepoint looks pretty nice. I'll check it out.

    I guess I didn't explain my situation properly. I'd like to separate our LAN from the rest of the WAN with a firewall. All of the resources needed by the rest of our WAN are already sitting on our LAN. I'd like to set up the firewall behind our WAN router to allow access only to the services that the rest of our WAN needs (email/internet via our proxy server).

    Setting up a DMZ would of course be ideal, but unfortunately all of our servers are in place, and moving them around (changing IPs and such) would be too much of an undertaking, and would be strongly resisted. Not to mention that if communication problems occur, it would take too much time to "restore" things back to the way they were by removing the firewall.

    Let me try to explain our environment here a little better.

    We have two ways out of our LAN. One is through our firewall and out to the internet. The other is through our internal router, and leads out to our WAN.

    Essentially, all our WAN clients can come in and out of our internal router as they see fit, and are only restricted by NT permissions. All our servers and such are on our LAN, and our WAN clients have access to these and everything else. I'd like to set the FW up on our LAN right before the internal router to filter traffic.
    The router's ethernet, both interfaces on the firewall, and our LAN (LAN includes servers that need to be accessed) need to be all on the same subnet.
    Our LAN will then use the FW's internal interface as its gateway, and then the FW will forward all this traffic to the router, and the router out to the WAN. All inbound WAN traffic will go through the router, into the firewall, and forwarded to the appropriate destination.

    I'd like to know if there would be any routing problems with having a multi-homed machine with both IPs on the same subnet. I know I'd probably have to build the routing table manually, but that's fine with me.

    In this scenario NAT would have no place, as all LAN traffic does not need to be translated.

    I hope this clarifies things a little better.

    I know this is kind of long-winded, but thanks for taking the time to read it.
    And thanks for any replies!
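    The same-subnet problem raised in post #1 (Question 2) and restated in post #3 has a standard answer the thread does not name: run the Linux box as a transparent bridge between the router's Ethernet and the LAN, and filter the bridged frames with iptables. No address on the LAN changes, the LAN keeps the router as its default gateway, and pulling the box out (or deleting the bridge) returns the segment to a plain wire in seconds. The script below is an added example, not code from the thread or from any product mentioned in it. It emits the commands rather than running them so they can be reviewed first, and every address and port in it is an assumption (eth0 toward the router, eth1 toward the LAN, a mail gateway at 10.10.10.25, a proxy at 10.10.10.26 on 8080); the LOG/DROP at the end is what blocks share browsing on 137-139/445 from the other sites.

```shell
#!/bin/sh
# Added example (not from the thread): transparent bridging firewall so the
# router, both firewall ports and the LAN all stay on 10.10.10.0/24.
# Every value below is a hypothetical assumption; override via environment.
WAN_IF=${WAN_IF:-eth0}            # port facing the WAN router's Ethernet
LAN_IF=${LAN_IF:-eth1}            # port facing the LAN switch
BR=${BR:-br0}
BR_IP=${BR_IP:-10.10.10.2/24}     # management address of the firewall itself
MAIL_SRV=${MAIL_SRV:-10.10.10.25} # SMTP gateway used by the remote sites
PROXY_SRV=${PROXY_SRV:-10.10.10.26}
PROXY_PORT=${PROXY_PORT:-8080}

# Bridge setup: enslave both ports, then let bridged frames hit iptables.
gen_bridge() {
    cat <<EOF
modprobe br_netfilter 2>/dev/null || true
ip link add name $BR type bridge
ip link set $WAN_IF master $BR
ip link set $LAN_IF master $BR
ip link set $WAN_IF up
ip link set $LAN_IF up
ip addr add $BR_IP dev $BR
ip link set $BR up
sysctl -w net.bridge.bridge-nf-call-iptables=1
EOF
}

# Filter rules: the physdev match identifies which bridge port a frame came in on.
gen_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $LAN_IF --physdev-out $WAN_IF -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $WAN_IF -p tcp -d $MAIL_SRV --dport 25 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $WAN_IF -p tcp -d $PROXY_SRV --dport $PROXY_PORT -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $WAN_IF -j LOG --log-prefix "WAN-DROP: "
iptables -A FORWARD -m physdev --physdev-in $WAN_IF -j DROP
EOF
}

# Tear-down: open the FORWARD chain and delete the bridge; the ports go back
# to being a dumb pass-through once cabled straight or bridged without rules.
gen_teardown() {
    cat <<EOF
iptables -P FORWARD ACCEPT
iptables -F FORWARD
ip link set $BR down
ip link del $BR
EOF
}

# Usage: fw-bridge.sh show | apply | down   (apply/down need root)
case "${1:-show}" in
    show)  gen_bridge; gen_rules ;;
    apply) { gen_bridge; gen_rules; } | sh -e ;;
    down)  gen_teardown | sh -e ;;
esac
```

The LAN-to-WAN rule is deliberately permissive because the question is about protecting the hub from the spokes; tighten it later if the hub should also be limited in what it sends out. Because nothing is routed or translated, the NAT objection in post #3 does not arise, and the firewall's own address is only needed for managing it.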

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Hi Sgt,

    If you don't mind my asking, what type of firewall do you use to firewall your internet connection?

    Just a thought, from what I can gather, you have a router residing between your LAN and your WAN. Is it feasible for you to set up access lists on this router? I know that setting up a packet filtering device as opposed to a stateful inspection Firewall is not the preferred solution, but it should give some protection until you can plan and set up your firewall.

    Down the track, you could use this router with access lists (and possibly NATting) as well as a Stateful inspection firewall for a "defence in depth" approach.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ. I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

  5. #5
    Junior Member
    Join Date
    Sep 2002
    My view is that you’re addressing the wrong issue. By placing a firewall into your internal network you are now just adding more complexity and cost to what should be a private and secure network. You should understand who was scanning your PC, review your security and appropriate use guidelines and address the user if the scanning was intentional. If the scanning was due to a virus or other malicious activity you’ll need to fix that PC.

    Although by placing a firewall between your central site you'll protect client PCs at your hub site, the rest of your network would still be exposed to this activity, which would appear to be a security risk to your firm's other workstations at the 19 or so sites.

    What may be of use is an internal IDS setup to report this activity if it continues. My views are based on operating a network of 200 plus sites in 60 countries with multiple data centers and interconnected business units.
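    The reporting thom describes can start much smaller than a full IDS: the pattern the original poster saw in Ethereal (one remote host walking through shares on many LAN machines) shows up in any flow or connection log as a single source touching many distinct LAN destinations on the SMB ports. The script below is an added example, not code from the thread. It assumes a space-separated log of `epoch src dst proto dst_port`, a LAN of 10.10.10.0/24 with remote sites on other 10.x ranges, and a hypothetical threshold of five distinct LAN hosts; the sample log is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): flag a non-LAN source that is sweeping
# SMB shares across many LAN hosts. Log format (constructed for this example):
#   <epoch> <src_ip> <dst_ip> <proto> <dst_port>
# Assumptions: LAN is 10.10.10.0/24, remote sites are other 10.x ranges,
# THRESHOLD (distinct LAN hosts per source) is a hypothetical tuning value.
THRESHOLD=${THRESHOLD:-5}

# Constructed sample: 10.20.5.7 (a remote site) opens 139/445 to six LAN hosts in
# a few seconds; 10.10.10.50 is a LAN host doing normal work; 10.30.1.9 is a
# remote site using only the mail gateway and the proxy, as intended.
sample_flows() {
    cat <<'EOF'
1030000001 10.20.5.7 10.10.10.11 tcp 139
1030000002 10.20.5.7 10.10.10.12 tcp 139
1030000003 10.20.5.7 10.10.10.13 tcp 445
1030000004 10.20.5.7 10.10.10.14 tcp 445
1030000005 10.20.5.7 10.10.10.15 tcp 139
1030000006 10.20.5.7 10.10.10.16 tcp 445
1030000010 10.10.10.50 10.10.10.25 tcp 25
1030000011 10.10.10.50 10.10.10.11 tcp 445
1030000012 10.30.1.9 10.10.10.25 tcp 25
1030000013 10.30.1.9 10.10.10.26 tcp 8080
EOF
}

# Read flows on stdin; print "<src> <distinct LAN hosts>" for every source
# outside the LAN that reached at least $1 (default THRESHOLD) LAN hosts on
# TCP 139 or 445. Sources inside the LAN are ignored on purpose: the question
# here is what the other sites are doing to the hub, not local file sharing.
detect_sweeps() {
    awk -v thr="${1:-$THRESHOLD}" '
        $4 == "tcp" && ($5 == 139 || $5 == 445) \
            && $2 !~ /^10\.10\.10\./ && $3 ~ /^10\.10\.10\./ {
            key = $2 SUBSEP $3
            if (!(key in seen)) { seen[key] = 1; hosts[$2]++ }
        }
        END { for (s in hosts) if (hosts[s] >= thr) print s, hosts[s] }
    '
}

# Usage: sweep-check.sh < flows.log, or run with no input to see the sample.
if [ -t 0 ]; then
    sample_flows | detect_sweeps
else
    detect_sweeps
fi
```

Feeding the script the LOG lines from a packet filter, or connection records from a flow exporter on the router, is enough to get a daily report of which remote site is doing the sweeping, which is the information thom says should drive the conversation with that site.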

  6. #6
    Senior Member
    Join Date
    Feb 2002
    Thanks for the reply! We use Checkpoint's FW-1 for our internet side firewall.
    I know setting up access-lists on the router would be the easiest way to approach things, and get a packet filter up and running, but we'd need to be able to tear it down quickly and go back to no firewall should problems occur. Like you said, stateful inspection would be preferable, but you gotta use what you can!
    Thanks for the reply!


    By placing a firewall into your internal network you are now just adding more complexity and cost to what should be a private and secure network.
    I know, it should be private and secure, but our setup leaves much to be desired. Every site on our WAN is actually a separate company, and is very loosely bound to the rules and regulations of our central IT department. Example, today we had to fight tooth and nail to prevent one of our sites from installing a DSL connection, and hosting a webserver right on their application server. I don't need to mention the security issues with this! This is just one example mind you, and I'm sure there are more things going on that we don't even hear about.

    Implementing a decent security policy is not in management's priorities, so I have to do what I have to do to protect the integrity of our LAN. Our WAN is set up in a "Star" formation, with our site acting as a hub for all other sites. If an internal FW could be set up here, then the integrity of our entire WAN (not just the hub LAN) could be protected if one site was compromised.
    An IDS sounds like something I'd like to set up later to supplement the FW should we ever get it in place. While an IDS would work to alert me to all the bad traffic, I'd much prefer to block it before it gets in. I'd still like to put in an IDS there though for the mean time.
    It's a good idea, thanks for the help!

    PS - I'd love to work for a company where a security policy actually meant something!!!

  7. #7
    Senior Member
    Join Date
    Jan 2002
    thom has a good point, but I suppose that it depends on whether the 20 sites making up your WAN are considered trusted or not? I mean, I can scan any of our hundreds of machines, map drives etc on any workstation/server.

    Another option could be a centralised personal firewall solution, that could install personal firewall rulesets on any/all machines. This solution has a centralised management console with pre-defined rulesets (i.e. workstations have a basic ruleset, important servers on the internal network can have a tighter ruleset). From what I gather, it is reasonably easy to set up and manage.

    Or you could put some hardening on workstations and servers making it more difficult for users to break into.

    But then again, as thom has said, this is a solution to a problem. Maybe writing up a security policy and educating your users may be the best approach...

