Thread: good firewall configuration

  1. #1
    Senior Member
    Join Date
    Apr 2005
    Posts
    123

    good firewall configuration

    I have limited money resources, and I have 2 different internet connections. Is there a firewall where I can plug in these 2 connections and make them pass through it, or must I buy 2 firewalls?

    I have to connect another office through a VPN, and I was thinking of buying another internet connection just for that purpose, with 2 simple firewalls (one at each end) with VPN encryption. What do you think about this solution?

    With this scenario I would have 3 internet connections in one of the offices (2 for internet and 1 for VPN), and 2 internet connections in the other office (1 for the VPN and the other for the internet). But my big question is: can a firewall support 2 different internet connections? And if not, is there a way to make it support them, such as using Linux gateways to forward everything to the firewall and then filtering? Would this be a good solution?

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    I don't understand why you need two connections unless it's for failover. If it's broadband, a third is real overkill; maybe I don't really understand what you're saying, I just got home from work and I'm whooped. You can pick up a SOHO 6 from WatchGuard for a couple hundred and make a few VPN tunnels. One at each end would serve your purpose well. Only traffic going to the remote network goes through the tunnel. All your internet traffic (not aimed at the remote network) goes directly out to where you want at both ends, unless you want it proxied at your location.

    Their X-15 Edge comes with 2 WAN ports for failover, or you can get an option for an additional network.

  3. #3
    Senior Member
    Join Date
    Apr 2005
    Posts
    123
    I have 2 different connections because 1 is for the users to use the internet, and the second connection is for services, such as email, www, remote access, etc. The third connection was to create a private network that would connect directly to the other office, and the broadband would only be used for that. That's why I was thinking of a 3rd connection.

  4. #4
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    Having two connections as you do is more secure. If you put both of them behind the same firewall though, you have removed the additional security.

    I would suggest ditching one of the internet connections, and buying two firewalls. Then between the firewalls put the services in a DMZ, and put everything else behind the second firewall. Also, you shouldn't need another connection for VPN traffic unless bandwidth is an issue. In essence you would have:

    Router <---> Firewall <---> DMZ <---> Firewall <---> Other machines

  5. #5
    Senior Member
    Join Date
    Apr 2005
    Posts
    123
    Yes, bandwidth is an issue; that's why I need another connection just for VPN.
    My current configuration is like this:

    Router --> Linux Firewall ---> DMZ (this is a point-to-point connection, used for the services)

    Router --> Linux Firewall --> Network (ADSL)

    and both networks are connected by a switch behind the firewalls. I'm thinking of buying a SonicWall firewall, or maybe 2, one for each connection, but they are a bit expensive.

    With the third connection it would be:

    Office 1 --> Firewall --->Router--> VPN --->Router--> Firewall---> Office 2

    Or another solution is to upgrade the broadband to a point-to-point connection, using a SonicWall such as the 4010 Pro, and it would be something like this:

    Office 1 --> Router --> SonicWall VPN Agent ---> Router ---> Firewall(Sonicwall) --> Office2
    Doing this I would only need to buy one firewall, using of course a point-to-point connection to make it more secure.

  6. #6
    Junior Member
    Join Date
    Jun 2006
    Posts
    10
    Sure, there are firewalls with 4 interfaces, but my question is how you intend to address your routing issue. With two internet connections you are talking two default routes and two different ISP-assigned IP spaces.

    The poor man's solution is to put your users behind one firewall, your servers behind another (each with NAT/routing appropriate for the ISP they connect to) and cross-connect the two firewalls with a couple of routes to each other's networks. I'm not suggesting this is the best way, just an option.

    The most common way to implement multiple ISPs is to get your own IANA-assigned IP space and exchange BGP with your ISPs. That, and use QoS on your traffic if you commingle user browsing and business-critical traffic.

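The "two default routes" problem raised in this reply, and the original question of whether one Linux box can front two connections, can be handled on a single Linux firewall with iproute2 policy routing plus per-uplink SNAT. The script below is an added example, not code from this thread or from any product mentioned in it; the interface names, the documentation-range addresses and the DMZ mail server are assumptions. Each uplink gets its own routing table with its own default route, rules pick the table by source address, replies to connections made to an uplink's own address are forced back out that uplink, and NAT uses the address of whichever interface the packet actually leaves on. With DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: policy routing for one Linux firewall with two ISP uplinks.
# Not from the thread; every address and interface below is an assumption:
#   eth0  203.0.113.10/24   gateway 203.0.113.1   ISP A  (users' browsing)
#   eth1  198.51.100.10/24  gateway 198.51.100.1  ISP B  (published services)
#   eth2  192.168.10.1/24   user LAN
#   eth3  192.168.20.1/24   DMZ (mail server 192.168.20.25)
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only; 0 = execute (needs root)

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Two routing tables (100 = ISP A, 200 = ISP B), each with its own connected
# route for the uplink and its own default route.
setup_tables() {
  run ip route add 203.0.113.0/24 dev eth0 src 203.0.113.10 table 100
  run ip route add default via 203.0.113.1 dev eth0 table 100
  run ip route add 198.51.100.0/24 dev eth1 src 198.51.100.10 table 200
  run ip route add default via 198.51.100.1 dev eth1 table 200
  # The main table keeps one default for traffic the rules below do not catch.
  run ip route replace default via 203.0.113.1 dev eth0
}

# Rules choose the table by source address; lower pref is consulted first.
setup_rules() {
  # Internal <-> internal traffic stays in the main table (connected routes).
  run ip rule add from 192.168.0.0/16 to 192.168.0.0/16 lookup main pref 100
  # Replies sent from an uplink's own address (connections to the firewall
  # itself) must leave via that uplink, or the other ISP's upstream drops them.
  run ip rule add from 203.0.113.10 lookup 100 pref 110
  run ip rule add from 198.51.100.10 lookup 200 pref 120
  # User LAN goes out ISP A; DMZ servers (and DNAT replies) go out ISP B.
  run ip rule add from 192.168.10.0/24 lookup 100 pref 200
  run ip rule add from 192.168.20.0/24 lookup 200 pref 210
  # Strict reverse-path filtering drops multi-homed traffic; use loose mode.
  run sysctl -w net.ipv4.conf.all.rp_filter=2
  run sysctl -w net.ipv4.ip_forward=1
}

# NAT with the address of the interface the packet leaves on, and publish the
# DMZ mail server on ISP B's address only.
setup_nat() {
  run iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.10
  run iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 198.51.100.10
  run iptables -t nat -A PREROUTING -i eth1 -d 198.51.100.10 -p tcp --dport 25 \
      -j DNAT --to-destination 192.168.20.25
}

# Forwarding policy: default deny, then only the flows the design calls for.
setup_forward() {
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT    # users  -> ISP A
  run iptables -A FORWARD -i eth3 -o eth1 -j ACCEPT    # DMZ    -> ISP B
  run iptables -A FORWARD -i eth1 -o eth3 -d 192.168.20.25 -p tcp --dport 25 -j ACCEPT
  run iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

multiwan_setup() {
  setup_tables
  setup_rules
  setup_nat
  setup_forward
}

multiwan_setup
```

The pref 110/120 rules are the part most often forgotten: without them a connection that arrived on ISP B's address is answered through ISP A's default route, which is both asymmetric and, with source-address filtering at ISP A, silently dropped. Run with DRY_RUN=0 as root to apply; the ip commands assume the tables are empty (use `ip route flush table 100` and `ip rule del` to reset before re-running).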
  7. #7
    Senior Member
    Join Date
    Apr 2005
    Posts
    123
    I see. I think the best solution would be to buy 2 firewalls.

    I'm sad to say that I have low resources; my boss says he can't spend much (don't they all say that?).

    I had 1 solution but it was rejected because it's expensive. My vision of a secure network would be 2 Check Points, one in each office, connected by a VPN changing the encryption key every 40 sec.

    2 SonicWalls, one for each of the other internet connections, and using a sniffer behind the firewall.

    But I can't do this because it's expensive, and my boss is cheap; this drives me mad, they want solutions but don't want to spend any money.

    My ISP proposed a point-to-point connection to the office, with my services behind their firewall. In the mid term this is a cheaper solution, but not very secure, because the ISP technicians can monitor all of my connections, because they don't support encrypted connections.

    I guess the best solution would be to buy the firewall and use a VPN agent to connect to the office.

  8. #8
    Yes, that's my CC number!
    576869746568617
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    Why not just use one of the multi-WAN-port SonicWalls to connect both connections? They have one model (Pro 3020, I think) that can support up to 4 WAN ports, with a DMZ and a LAN connection (6 ports total). You could use one of these to provide internet to the LAN and use one of the free WAN ports to run the VPN tunnel. Then all you need is a back firewall (you could use a Check Point, ISA, another SonicWall, or even ipchains since your boss is cheap ^.^).

    You could even do some really cool egress filtering on the back firewall, like using SmoothWall with the SmoothGuardian module, which is not that expensive and works well.
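As an added example of the egress filtering this reply recommends for the back firewall in the Router <---> Firewall <---> DMZ <---> Firewall <---> Other machines layout proposed in reply #4, the script below is a netfilter ruleset for a Linux box in that back position (it is not code from the thread or from SmoothWall). The DMZ hosts, interfaces and addresses are assumptions. The policy is default deny in both directions: the LAN reaches only the DMZ resolver, web proxy and mail relay (by port), plus the other office's subnet via the VPN that terminates on the front firewall; one admin workstation may SSH into the DMZ; nothing in the DMZ may open connections into the LAN; everything else from the LAN is logged and dropped. With DRY_RUN=1 (the default) it prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: egress filtering on the back firewall of a
#   Router <-> front firewall <-> DMZ <-> back firewall <-> LAN   layout.
# Not from the thread; every host and interface below is an assumption:
#   eth0  192.168.20.2/24   DMZ side (front firewall is 192.168.20.1)
#   eth1  192.168.10.1/24   user LAN
#   DMZ: resolver 192.168.20.53, web proxy 192.168.20.10:3128, mail relay
#   192.168.20.25; remote office 192.168.30.0/24 over the front firewall's
#   VPN; admin workstation 192.168.10.5.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print rules only; 0 = load them (needs root)

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

LAN=192.168.10.0/24
DMZ=192.168.20.0/24
REMOTE=192.168.30.0/24

egress_policy() {
  run iptables -P FORWARD DROP
  run iptables -F FORWARD
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # A compromised DMZ host must not get a foothold on the workstations:
  # no new connections from the DMZ side into the LAN, ever.
  run iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate NEW -j LOG --log-prefix "DMZ->LAN: "
  run iptables -A FORWARD -i eth0 -o eth1 -j DROP

  # LAN clients reach only the DMZ services they need, on the ports they need.
  run iptables -A FORWARD -i eth1 -s "$LAN" -d 192.168.20.53 -p udp --dport 53 -j ACCEPT
  run iptables -A FORWARD -i eth1 -s "$LAN" -d 192.168.20.53 -p tcp --dport 53 -j ACCEPT
  run iptables -A FORWARD -i eth1 -s "$LAN" -d 192.168.20.10 -p tcp --dport 3128 -j ACCEPT
  run iptables -A FORWARD -i eth1 -s "$LAN" -d 192.168.20.25 -p tcp -m multiport --dports 25,143,993 -j ACCEPT

  # Only the admin workstation may SSH into the DMZ.
  run iptables -A FORWARD -i eth1 -s 192.168.10.5 -d "$DMZ" -p tcp --dport 22 -j ACCEPT

  # Site-to-site traffic to the other office (tunnel is on the front firewall).
  run iptables -A FORWARD -i eth1 -s "$LAN" -d "$REMOTE" -j ACCEPT

  # Everything else leaving the LAN (direct HTTP that bypasses the proxy,
  # direct SMTP from an infected workstation, unknown protocols) is logged
  # at a bounded rate and dropped.
  run iptables -A FORWARD -i eth1 -m limit --limit 10/min -j LOG --log-prefix "LAN-EGRESS-DROP: "
  run iptables -A FORWARD -i eth1 -j DROP
}

egress_policy
```

Because the proxy and resolver live in the DMZ, a workstation that tries to talk to the internet directly (port 80 to an outside host, port 25 to a spam drop) never matches an ACCEPT rule, so the log line with the LAN-EGRESS-DROP prefix is also the cheap intrusion indicator the reply hints at: a single host producing many of them is worth a look.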
