[NTLUG:Discuss] Router Needed?
terry
kj5zr at yahoo.com
Tue Jul 6 16:18:48 CDT 2004
Burton M. Strauss III wrote:
> Well, no, that's not quite right.
>
> 1) To make that work, your 'firewall-2' has to proactively prevent guests
> from accessing the internal network. Violates the principle of
> permit-nothing.
>
> 2) Who provides NAT and the DHCP server? As your diagram stands, with a simple
> hub, there's no way to separate out the systems except by MAC address, which
> is an admin nightmare.
>
> Also, the key was to completely isolate his 'guests' with their virus laden
> POC systems - putting them outside the firewall is the best way to do it.
> So if you have the equipment:
>
>                                             DHCP
>                                              |
> <Internet>-----<firewall>-----<HUB>-----<firewall-2>---internal network
>                                 |                      (192.168.1.x)
>                            <firewall-3>
>                                 |
>                                 |----DHCP
>                                 |
>                           <guest network>
>                            (192.168.2.x)
>
> Firewall keeps out the stuff you just don't want to let in (and doesn't leak
> stuff out).
>
> Firewall-2 is more restricted - primarily to protect your internal users.
>
> Firewall-3 can be configured to provide/protect on whatever services you
> want for your guests, i.e. web, smtp, but not Kazza, etc.
>
>
> However, the thrust of the original request was to do this in such a way as
> to allow poor Ken to protect his LAN from those nasty outsiders with minimum
> effort and cost - I figured US$35 for a D-Link or NetGear or Linksys
> gateway/router met that bill... once you get into multiple firewalls, Linux
> boxes etc, you're talking some setup, administration and on-going
> maintenance costs.
>
>
> -----Burton
>
>
>
>
>
>>-----Original Message-----
>>From: discuss-bounces at ntlug.org [mailto:discuss-bounces at ntlug.org]On
>>Behalf Of terry
>>Sent: Tuesday, July 06, 2004 3:47 PM
>>To: NTLUG Discussion List
>>Subject: Re: [NTLUG:Discuss] Router Needed?
>>
>>
>>Burton M. Strauss III wrote:
>>
>>>If you can get away with a low-rent solution, consider extending one of your
>>>world routable addresses with some consumer grade gear - DLink, NetGear,
>>>Linksys... any of the wireless/wired access point routers.
>>>
>>>To your protected systems they'll look like any other outsider.
>>>To them it will look just like a 'normal' NATed connection.
>>>
>>
>><Internet>-----<firewall>-----<HUB>--------internal network
>>                                |          (192.168.1.x)
>>                           <firewall-2>
>>                                |
>>                          <guest network>
>>                           (192.168.2.x)
>>
>>
firewall-3 is not necessary if firewall-2 blocks 192.168.2.x from
192.168.1.x
--
but test everything; hold fast what is good,
1 Thessalonians 5:21
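As an added example, not code from the thread or from any of its participants: an iptables-restore ruleset for the "firewall-2" box in terry's diagram, the gateway between the hub on the 192.168.1.x side and the guest 192.168.2.x network. The rule that does the work is a single FORWARD drop of 192.168.2.0/24 to 192.168.1.0/24, placed before the general accept. The interface names eth0/eth1, the upstream DNS address 192.168.1.1, and the decision to let guests reach firewall-2 itself only for DHCP are assumptions made for the example.

```shell
#!/bin/sh
# Added example for the thread's "firewall-2": a guest gateway that NATs
# 192.168.2.x guests out through the hub but never lets them reach the
# 192.168.1.x internal LAN. Interface names and the upstream DNS address
# are assumptions for illustration.
OUT_IF="${OUT_IF:-eth0}"        # assumed: toward the hub, 192.168.1.x side
GUEST_IF="${GUEST_IF:-eth1}"    # assumed: toward the guest network
INTERNAL_NET="192.168.1.0/24"
GUEST_NET="192.168.2.0/24"
UPSTREAM_DNS="${UPSTREAM_DNS:-192.168.1.1}"  # assumed: outer firewall resolves DNS

# Emit the ruleset in iptables-restore format (comments are permitted there).
fw2_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Guests may talk to firewall-2 itself only to get a DHCP lease.
-A INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
# Replies to connections the guests opened.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Assumed exception: DNS to the outer firewall, which lives on the internal net.
-A FORWARD -i $GUEST_IF -s $GUEST_NET -d $UPSTREAM_DNS -p udp --dport 53 -j ACCEPT
# The point of the thread: guests never reach the internal LAN.
# This line must precede the general accept below; iptables is first match wins.
-A FORWARD -i $GUEST_IF -s $GUEST_NET -d $INTERNAL_NET -j DROP
-A FORWARD -i $GUEST_IF -s $GUEST_NET -o $OUT_IF -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# Guests leave the box wearing firewall-2's own 192.168.1.x address.
-A POSTROUTING -s $GUEST_NET -o $OUT_IF -j MASQUERADE
COMMIT
EOF
}

# Sanity check before loading: the guest->internal DROP must come before the
# general guest->outside ACCEPT, otherwise the accept swallows everything.
fw2_check() {
    drop=$(fw2_rules | grep -n -- "-d $INTERNAL_NET -j DROP" | cut -d: -f1)
    acc=$(fw2_rules | grep -n -- "-o $OUT_IF -j ACCEPT" | cut -d: -f1)
    [ -n "$drop" ] && [ -n "$acc" ] && [ "$drop" -lt "$acc" ]
}

# Dry run by default; APPLY=1 loads the rules (needs root and iptables-restore).
if [ "${APPLY:-0}" = 1 ]; then
    fw2_check && fw2_rules | iptables-restore
else
    fw2_rules
fi
```

Run it without arguments to print the ruleset, or `APPLY=1 sh fw2.sh` as root to load it. Two caveats worth testing in the spirit of the signature line: because the outer firewall sits on 192.168.1.x, any service guests must reach on it (DNS here) needs an explicit accept ahead of the DROP; and the drop only covers traffic that passes through firewall-2, so a guest who plugs straight into the hub is on the internal segment with nothing in the way.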