June 30th, 2006, 12:29 AM
good firewall configuration
I have limited money resources, and I have 2 different internet connections. Is there a firewall where I can plug in these 2 connections and make them pass through there, or must I buy 2 firewalls?
I have to connect another office through a VPN, and I was thinking of buying another internet connection just for that purpose, with 2 simple firewalls (one at each end) with an encrypted VPN. What do you think about this solution?
With this scenario I would have 3 internet connections in one of the offices (2 for internet and 1 for VPN), and the other office would have 2 internet connections (1 for the VPN and the other for the internet). But my big question is, can a firewall support 2 different internet connections? And if not, is there a way to make it support them, such as using Linux gateways to forward everything to the firewall and then filtering? Would this be a good solution?
June 30th, 2006, 05:15 AM
I don't understand why you need two connections unless it's for failover. If it's broadband a third is real overkill; maybe I don't really understand what you're saying, I just got home from work and I'm whooped. You can pick up a SOHO 6 from WatchGuard for a couple hundred and make a few VPN tunnels. One at each end would serve your purpose well. Only traffic going to the remote network goes through the tunnel. All your internet traffic (not aimed at the remote network) goes directly out to where you want at both ends, unless you want it proxied at your location.
Their X-15 Edge comes with 2 WAN ports for failover, or you can get an option for an additional network.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
June 30th, 2006, 09:56 AM
I have 2 different connections because 1 is for the users to use the internet; the second connection is for services such as email, www, remote access, etc. The third connection was to create a private network that would connect directly to the other office, and that broadband would only be used for it. That's why I was thinking of a 3rd connection.
June 30th, 2006, 12:49 PM
Having two connections as you do is more secure. If you put both of them behind the same firewall, though, you have removed the additional security.
I would suggest ditching one of the internet connections and buying two firewalls. Then, between the firewalls, put the services in a DMZ, and put everything else behind the second firewall. Also, you shouldn't need another connection for VPN traffic unless bandwidth is an issue. In essence you would have
Router <---> Firewall <---> DMZ <---> Firewall <---> Other machines
June 30th, 2006, 04:05 PM
July 1st, 2006, 12:25 AM
Sure, there are firewalls with 4 interfaces, but my question is how you intend to address your routing issue. With two internet connections you are talking two default routes and two different ISP-assigned IP spaces.
The poor man's solution is to put your users behind one firewall, your servers behind another (each with NAT/routing appropriate for the ISP they connect to), and cross-connect the two firewalls with a couple of routes to each other's networks. I'm not suggesting this is the best way, just an option.
The most common way to implement multiple ISPs is to get your own IANA-assigned IP space and exchange BGP with your ISPs. That, and use of QoS on your traffic if you commingle user browsing and business-critical traffic.
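The "two default routes" problem from the post above is what Linux policy routing (one routing table per ISP, selected by source address) solves on a single box. The script below is an added example, not code from the thread or from any vendor: the interfaces, addresses and table numbers are a hypothetical topology (RFC 5737 documentation prefixes on the ISP side), users default out ISP A, the service hosts default out ISP B, and replies to inbound connections leave by the link they arrived on. With DRY_RUN=1 (the default) it only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread: Linux policy routing for one gateway with
# two ISP links. Users default out ISP A, the service hosts default out ISP B,
# internal traffic stays internal, and replies to inbound connections leave by
# the link they arrived on. Interfaces, addresses and table numbers below are a
# hypothetical topology (RFC 5737 documentation prefixes on the ISP side).
# With DRY_RUN=1 (the default) the commands are only printed; run as root with
# DRY_RUN=0 to apply them.
set -eu
DRY_RUN="${DRY_RUN:-1}"

LAN_IF=lan0;  LAN_NET=192.168.1.0/24          # user workstations
DMZ_IF=dmz0;  DMZ_NET=192.168.2.0/24          # public services
WEB_SRV=192.168.2.10                          # hypothetical DMZ web host
ISPA_IF=wan0; ISPA_IP=203.0.113.10;  ISPA_GW=203.0.113.1;  ISPA_TABLE=100
ISPB_IF=wan1; ISPB_IP=198.51.100.10; ISPB_GW=198.51.100.1; ISPB_TABLE=200

run() {                       # print or execute, depending on DRY_RUN
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# One routing table per ISP, each holding its own default route. The main
# table still carries the directly connected LAN/DMZ routes.
dual_wan_tables() {
    run ip route add default via "$ISPA_GW" dev "$ISPA_IF" table "$ISPA_TABLE"
    run ip route add default via "$ISPB_GW" dev "$ISPB_IF" table "$ISPB_TABLE"
}

# Rules are evaluated in ascending pref order. Internal destinations are sent
# to the main table first so LAN<->DMZ traffic never hits an ISP default
# route; then each source network picks its ISP table; finally traffic the
# box itself sources from a WAN address goes back out the matching link.
dual_wan_rules() {
    run ip rule add to "$LAN_NET" lookup main pref 100
    run ip rule add to "$DMZ_NET" lookup main pref 101
    run ip rule add from "$LAN_NET" lookup "$ISPA_TABLE" pref 200
    run ip rule add from "$DMZ_NET" lookup "$ISPB_TABLE" pref 201
    run ip rule add from "$ISPA_IP" lookup "$ISPA_TABLE" pref 300
    run ip rule add from "$ISPB_IP" lookup "$ISPB_TABLE" pref 301
    run ip route flush cache
}

# NAT per link: source-NAT to whichever WAN address the packet leaves on
# (routing has already chosen the link), and publish the DMZ web server on
# ISP B's address. Replies to the DNAT'd flow are routed on the server's
# private source address, so rule 201 sends them back out ISP B.
dual_wan_nat() {
    run iptables -t nat -A POSTROUTING -o "$ISPA_IF" -j SNAT --to-source "$ISPA_IP"
    run iptables -t nat -A POSTROUTING -o "$ISPB_IF" -j SNAT --to-source "$ISPB_IP"
    run iptables -t nat -A PREROUTING -i "$ISPB_IF" -d "$ISPB_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SRV"
}

# Caveat: strict reverse-path filtering (rp_filter=1) silently drops a packet
# when the reverse lookup for its addresses would pick the other link. Loose
# mode (2) keeps an anti-spoofing check but only requires that the source be
# reachable via some interface, which is the usual multi-WAN setting.
dual_wan_sysctl() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=2
    run sysctl -w "net.ipv4.conf.$ISPA_IF.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$ISPB_IF.rp_filter=2"
}

apply_dual_wan() {
    dual_wan_sysctl
    dual_wan_tables
    dual_wan_rules
    dual_wan_nat
}

apply_dual_wan
```

The routing decision is made before NAT rewrites the source, which is why the rules key on the private subnets rather than on the public addresses; the `from $ISPA_IP` / `from $ISPB_IP` rules only cover traffic the gateway itself originates.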
July 1st, 2006, 01:21 AM
I see. I think the best solution would be to buy 2 firewalls.
I'm sad to say that I have low resources; my boss says we can't spend much (don't they all say that?).
I had 1 solution but it was rejected because it's expensive. My vision of a secure network would be 2 CheckPoints, one in each office, connected by a VPN changing the encryption key every 40 sec,
2 SonicWALLs for the other internet connections, and a sniffer behind the firewall.
But I can't do this because it's expensive, and my boss is cheap; this drives me mad, they want solutions but don't want to spend any money.
My ISP proposed a point-to-point connection to the office with my services behind their firewall. In the mid term this is a cheaper solution, but not very secure, because the ISP technicians can monitor all of my connections, since they don't support encrypted connections.
I guess the best solution would be to buy the firewall and use a VPN agent to connect to the office.
July 4th, 2006, 04:11 AM
Why not just use one of the multi-WAN-port SonicWALLs to connect both connections? They have one model (Pro 3020, I think) that can support up to 4 WAN ports, with a DMZ and LAN connection (6 total ports). You could use one of these to provide internet to the LAN and use one of the free WAN ports to run the VPN tunnel. Then all you need is a back firewall (you could use a Checkpoint, ISA, another SonicWALL, or even ipchains since your boss is cheap ^.^).
You could even do some really cool egress filtering on the back firewall, like using Smoothwall with the SmoothGuardian module, which is not that expensive and works well.
Windows 9x: n.
A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.
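The Router <---> Firewall <---> DMZ <---> Firewall <---> Other machines layout from the June 30th 12:49 PM post, and the egress filtering on the back firewall suggested in the July 4th post, come down to a default-deny forwarding policy on the inner box. The ruleset below is an added example, not code from the thread, Smoothwall or any vendor: it is written for iptables (the successor of the ipchains named in the post), and the interfaces, subnets and DMZ hosts are hypothetical. With DRY_RUN=1 (the default) it prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny FORWARD policy with
# egress filtering for the back firewall in the
#   Router <---> front firewall <---> DMZ <---> back firewall <---> LAN
# layout. Written for iptables (successor of the ipchains named in the post).
# Interfaces, subnets and hosts are hypothetical. DRY_RUN=1 (default) prints
# the rules; run as root with DRY_RUN=0 to load them.
set -eu
DRY_RUN="${DRY_RUN:-1}"

LAN_IF=eth1;  LAN_NET=192.168.1.0/24     # users
DMZ_IF=eth0;  DMZ_NET=192.168.2.0/24     # DMZ segment, also the way to the internet
MAIL_SRV=192.168.2.20                    # hypothetical DMZ mail server
DNS_SRV=192.168.2.53                     # hypothetical DMZ resolver
PROXY=192.168.2.30                       # hypothetical DMZ web proxy (port 3128)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

back_firewall_rules() {
    # Nothing is forwarded unless a rule below says so; this is what keeps a
    # compromised DMZ host from reaching the LAN.
    run iptables -F FORWARD
    run iptables -P FORWARD DROP

    # Return traffic for connections the LAN opened; drop conntrack garbage.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Anti-spoofing: only LAN addresses may enter from the LAN side.
    run iptables -A FORWARD -i "$LAN_IF" ! -s "$LAN_NET" -j DROP

    # Egress whitelist: users get mail, DNS and a web proxy in the DMZ.
    # Direct LAN -> internet is not allowed, so browsing goes through the
    # proxy where it can be logged and filtered.
    run iptables -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$MAIL_SRV" \
        -p tcp -m multiport --dports 25,143,587,993 -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$DNS_SRV" \
        -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$DNS_SRV" \
        -p tcp --dport 53 -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$PROXY" \
        -p tcp --dport 3128 -j ACCEPT

    # Everything else (including anything the DMZ tries to open towards the
    # LAN) is logged at a bounded rate and then dropped by the chain policy.
    run iptables -A FORWARD -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "BACKFW-DROP: " --log-level 4
}

back_firewall_rules
```

Note that there is deliberately no ACCEPT rule with `-i "$DMZ_IF"` other than the ESTABLISHED,RELATED one: a DMZ host that gets owned can answer the LAN but cannot open anything into it, which is the whole reason for the second firewall.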