[NTLUG:Discuss] Router Needed?

Burton M. Strauss III Burton_Strauss at comcast.net
Tue Jul 6 16:06:10 CDT 2004


Well, no, that's not quite right.

1) To make that work, your 'firewall-2' has to proactively prevent guests
from accessing the internal network.  Violates the principle of
permit-nothing.

2) Who provides NAT and the DHCP server?  As your diagram stands, with a simple
hub, there's no way to separate out the systems except by MAC address, which
is an admin nightmare.

Also, the key was to completely isolate his 'guests' with their virus laden
POC systems - putting them outside the firewall is the best way to do it.
So if you have the equipment:

                                                    DHCP
                                                      |
 <Internet>-----<firewall>-----<HUB>-----<firewall-2>---internal network
                                  |                      (192.168.1.x)
                             <firewall-3>
                                  |
                                  |----DHCP
                                  |
                           <guest network>
                           (192.168.2.x)

Firewall keeps out the stuff you just don't want to let in (and doesn't leak
stuff out).

Firewall-2 is more restricted - primarily to protect your internal users.

Firewall-3 can be configured to provide/protect on whatever services you
want for your guests, i.e. web, smtp, but not Kazaa, etc.


However, the thrust of the original request was to do this in such a way as
to allow poor Ken to protect his LAN from those nasty outsiders with minimum
effort and cost - I figured US$35 for a D-Link or NetGear or Linksys
gateway/router met that bill...  once you get into multiple firewalls, Linux
boxes etc, you're talking some setup, administration and on-going
maintenance costs.


-----Burton




> -----Original Message-----
> From: discuss-bounces at ntlug.org [mailto:discuss-bounces at ntlug.org]On
> Behalf Of terry
> Sent: Tuesday, July 06, 2004 3:47 PM
> To: NTLUG Discussion List
> Subject: Re: [NTLUG:Discuss] Router Needed?
>
>
> Burton M. Strauss III wrote:
> > If you can get away with a low-rent solution, consider
> extending one of your
> > world routable addresses with some consumer grade gear - DLink, NetGear,
> > Linksys... any of the wireless/wired access point routers.
> >
> > To your protected systems they'll look like any other outsider.
> > To them it will look just like a 'normal' NATed connection.
> >
>
> <Internet>-----<firewall>-----<HUB>--------internal network
>                                  |           (192.168.1.x)
>                             <firewall-2>
>                                  |
>                           <guest network>
>                           (192.168.2.x)
>
>
>
> _______________________________________________
> https://ntlug.org/mailman/listinfo/discuss
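
The two layouts argued over in the message above, as an added example that is not part of the original thread: a small first-match packet-filter model showing why the permit-nothing default matters. Networks come from the diagrams; ports, hosts, and rule sets are constructed for illustration.

```python
# Added example (not from the thread): first-match packet filter model of the
# two layouts. On Terry's shared hub firewall-2 must enumerate what guests may
# NOT do, so any flow it did not anticipate is accepted; behind Burton's
# firewall-3 anything not explicitly listed is dropped. Sample values constructed.
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")   # from the diagram
GUEST = ip_network("192.168.2.0/24")      # from the diagram

def matches(rule, pkt):
    """rule = (src_net, dst_net, dst_port, verdict); None means 'any'."""
    src, dst, port, _ = rule
    return ((src is None or ip_address(pkt["src"]) in src)
            and (dst is None or ip_address(pkt["dst"]) in dst)
            and (port is None or pkt["dport"] == port))

def filter_packet(firewall, pkt):
    """First matching rule wins; otherwise the firewall's default policy."""
    rules, default = firewall
    for rule in rules:
        if matches(rule, pkt):
            return rule[3]
    return default

# Terry's layout: guests and internal hosts share the hub, so firewall-2 is a
# permit-all device with a single carve-out for the guest subnet.
FW2_PERMIT_ALL = ([(GUEST, INTERNAL, None, "DROP")], "ACCEPT")

# Burton's layout: firewall-2 passes only traffic originating inside; firewall-3
# passes only guest web and smtp. Neither rule set has to say what to forbid.
FW2_PERMIT_NOTHING = ([(INTERNAL, None, None, "ACCEPT")], "DROP")
FW3_GUEST = ([(GUEST, None, 80, "ACCEPT"), (GUEST, None, 25, "ACCEPT")], "DROP")

# Constructed sample flows (203.0.113.5 is a documentation address).
GUEST_TO_INTERNAL = {"src": "192.168.2.20", "dst": "192.168.1.10", "dport": 445}
GUEST_WEB = {"src": "192.168.2.20", "dst": "203.0.113.5", "dport": 80}
GUEST_P2P = {"src": "192.168.2.20", "dst": "203.0.113.5", "dport": 1214}  # Kazaa/FastTrack default
# A guest laptop that took a lease from the internal DHCP server on the shared
# hub (Burton's point 2): it no longer falls under the guest carve-out at all.
MISLEASED_GUEST = {"src": "192.168.1.250", "dst": "192.168.1.10", "dport": 445}

def compare():
    return {
        "hub/permit-all: guest->internal": filter_packet(FW2_PERMIT_ALL, GUEST_TO_INTERNAL),
        "hub/permit-all: misleased guest->internal": filter_packet(FW2_PERMIT_ALL, MISLEASED_GUEST),
        "fw3/permit-nothing: guest web": filter_packet(FW3_GUEST, GUEST_WEB),
        "fw3/permit-nothing: guest p2p": filter_packet(FW3_GUEST, GUEST_P2P),
        "fw3/permit-nothing: guest->internal": filter_packet(FW3_GUEST, GUEST_TO_INTERNAL),
    }
```

Even if a flow slipped past firewall-3, firewall-2 in the permit-nothing layout drops it too, since only sources inside 192.168.1.x are listed.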