Thread: How can I improve this setup?

  1. #1

    How can I improve this setup?

    Okay, I was debating on posting this in the Newbie forums, but I'm not a newbie, and it's not really a newbie question, so here goes. I currently have a Cisco 2600 to my ISP with no ACLs. Behind that, I have essentially two firewalls. Both external interfaces have public IPs, and the internal interfaces are private IPs on the same network (ie, 192.168.0.0). Behind the one firewall, I have my web and DNS. Behind the other, I have all of my clients. Physically, everything with a public IP (every interface) is plugged into one switch, and every interface with a private IP is plugged into separate switches, including my clients.

    I realize that this is a bit convoluted, and it would be much easier to implement a DMZ in just one of the firewalls. The reasoning behind this setup (what little there was) had more to do with getting things done quickly and easily. I'm now hosting a huge number of web sites and critical apps, and can't just turn everything off and start over.

    My primary question is, what would the benefit, if any, be of assigning different IPs to my web, DNS, and mail servers, along with the internal interface of the firewall that they go out through? This would, in essence, create a DMZ, but I'm curious what the real benefits would be. Thanks in advance for any advice, and I'll be glad to give more information where it's needed.
    \"I would like to electrocute everyone who uses the word \"fair\" in connection with income tax policies.\"
    - William F. Buckley Jr.

  2. #2
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    I'm not fully sure what you mean by asking about assigning it different IPs. Are you talking about just using a different set of internal IPs, or giving them external?

    I see no flaws in your setup. Having two firewalls allows you to specify rules for your servers without jeopardizing your workstations. You can do this with one firewall, but mistakes happen that leave you open.

  3. #3
    Originally posted here by zENGER
    I'm not fully sure what you mean by asking about assigning it different IPs. Are you talking about just using a different set of internal IPs, or giving them external?

    I see no flaws in your setup. Having two firewalls allows you to specify rules for your servers without jeopardizing your workstations. You can do this with one firewall, but mistakes happen that leave you open.
    I meant assigning different private IPs to the servers providing external services. The external interface on the firewall behind which these servers reside would maintain its IP assignment(s). But the internal interface and servers behind that interface would get a new private IP assignment. For example, the way it is now, all of my servers and clients are on the same private network (ie 192.168.0.0). In the new setup, the servers might be 192.168.1.0 and the clients would stay 192.168.0.0. They are still on the same physical network, though. So I'm not sure if I'm actually going to be gaining anything by changing IPs. That's the crux of my question. Also, I'm open to other suggestions if there are any.
    "I would like to electrocute everyone who uses the word "fair" in connection with income tax policies."
    - William F. Buckley Jr.

  4. #4
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    Are you saying that all of your internal stuff is plugged into the same switch, or are there two switches involved here on the internal side? If they're all on the same switch, then they are on the same network, and you can get to any of the systems through either of the firewalls (rules permitting).
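    The point raised in the last two posts (renumbering the servers changes nothing if they still share a switch with the clients) can be checked with a small topology model. This is an added example, not code from the thread; the switch names and addresses are constructed, and it assumes plain unmanaged switches with no VLANs.

```python
from dataclasses import dataclass
from ipaddress import ip_interface


@dataclass(frozen=True)
class Port:
    host: str
    switch: str   # physical switch the NIC is plugged into (constructed names)
    addr: str     # interface address with prefix, e.g. "192.168.0.10/24"


def same_segment(a: Port, b: Port) -> bool:
    """Layer 2: same switch means same broadcast domain (no VLANs assumed)."""
    return a.switch == b.switch


def same_subnet(a: Port, b: Port) -> bool:
    """Layer 3: do the two addresses fall in the same IP network?"""
    return ip_interface(a.addr).network == ip_interface(b.addr).network


def boundary(a: Port, b: Port) -> str:
    """Classify what actually separates two hosts."""
    if not same_segment(a, b):
        return "physical"        # traffic has to cross a router/firewall
    if not same_subnet(a, b):
        return "logical-only"    # different numbering, same wire
    return "none"


_RANK = {"none": 0, "logical-only": 1, "physical": 2}


def weakest_boundary(servers, clients) -> str:
    """The separation a design really gives is its weakest server/client pair."""
    return min((boundary(s, c) for s in servers for c in clients), key=_RANK.get)


# Constructed designs matching the thread: current, renumbered, and a real split.
CLIENTS = [Port("client1", "sw-private", "192.168.0.50/24")]
DESIGNS = {
    "current": ([Port("web", "sw-private", "192.168.0.10/24"),
                 Port("dns", "sw-private", "192.168.0.11/24")], CLIENTS),
    "renumbered": ([Port("web", "sw-private", "192.168.1.10/24"),
                    Port("dns", "sw-private", "192.168.1.11/24")], CLIENTS),
    "separate-switch": ([Port("web", "sw-servers", "192.168.1.10/24"),
                         Port("dns", "sw-servers", "192.168.1.11/24")], CLIENTS),
}


def assess_all() -> dict:
    return {name: weakest_boundary(s, c) for name, (s, c) in DESIGNS.items()}
```

Only the design that moves the servers onto their own switch (or, equivalently, their own VLAN) turns the firewall into a boundary the clients must cross.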

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    In the setup you have you are actually one better than a DMZ really. They are two separate networks whereas a DMZ is, for all intents and purposes, a single network split into two.

    I'd leave it as it is unless you have specific management issues, assuming of course that the web servers etc. are publicly addressed and therefore plugged into a different switch than the private network. If they aren't then the two firewalls are not doing the job you expected/intended.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Senior Member
    Join Date
    Mar 2005
    Posts
    400

    The major benefit to changing a single subnet to a multiple subnet is, in your situation .... Job Security!
    You will be working a bit more (Ka-ching!) to make the transition seamless, to troubleshoot it when miscommunication problems occur, and to make changes when your boss requires. It will also be slightly more cryptic unless you fully document your network (as you should do).

    Remember some reasons for subnetting: (not in order or completeness)
    1) To segregate or group internal hosts based on activity, location, or security. (etc..)
    2) To allow for expanding IP device population and subsequent shrinking base of IP addresses.
    3) To allow for rapid employee growth.
    4) To better manage assets and their logical network communication.
    5) To help manage bandwidth issues.
    6) To help manage road warriors and their needs.

    Is any of the 5 reasons above a good indication of why you might want to subnet?

    After answering that question, ask yourself, are you experiencing any pains with the way things are, and might become in 3-4 years? Is anyone else complaining of poor performance or lack of being able to do something? Do you see a reason why you should change it?
    Why fix what isn't broke, if it isn't broke.

    Having a device on a DMZ means there will be hack attempts and the associated pains if that DMZ is compromised. Typically I reserve DMZs for my troubleshooting notebook and only I plug into it. A compromised DMZ is nobody's picnic. Of course, that's still more job security.

    I say if the design is not picture perfect but works well under load, keep it simple.

    Just my thoughts.
    ZT3000
    Beta tester of "0"s and "1"s
