Currently I am evaluating Shorewall as a firewall solution, and have to admit it works wonderfully so far. However I still have some general questions, and I hope you can help me in solving them.

    ---------------Bastion-firewall (firewall 1)
          |
          |
    ---------------DMZ
          |
          |
    ===============Choke Firewall (firewall 2)
          |
         Lan

1. On what firewall should I install my Freeswan VPN-server, firewall-1 or firewall-2? I intend to install FreeSwan on Firewall-2. In this case connections from the outside world are to be forwarded from firewall-1 to firewall-2 using (d)nat. Is this OK??

2. Should accepting connections from a (web)server to a database-server running in the LAN be considered as a security risk? A solution could be running the database-server in a MZ (militarized zone). In my opinion in this case the inner side of firewall-2 should have 2 network cards.

I hope someone can answer these questions.

Ad Koster
lidad@zeelandnet.nl
Ad,

----- Original Message -----
From: "Ad Koster" <lidad@zeelandnet.nl>
To: <shorewall-users@shorewall.net>
Sent: Wednesday, March 13, 2002 9:57 AM
Subject: [Shorewall-users] General firewalling question

> Currently I am evaluating Shorewall as a firewall solution, and have to
> admit it works wonderfully so far.
>
> However I still have some general questions, and I hope you can help me
> in solving them.
>
>     ---------------Bastion-firewall (firewall 1)
>           |
>           |
>     ---------------DMZ
>           |
>           |
>     ===============Choke Firewall (firewall 2)
>           |
>          Lan
>
> 1. On what firewall should I install my Freeswan VPN-server, firewall-1 or
> firewall-2? I intend to install FreeSwan on Firewall-2. In this case
> connections from the outside world are to be forwarded from firewall-1 to
> firewall-2 using (d)nat. Is this OK??

I agree that firewall-2 is the correct place for your VPN server. My own personal experience with NAT and IPSEC however has not been very satisfactory. I would recommend that you use Proxy ARP rather than NAT, provided that you have sufficient Public IP addresses.

> 2. Should accepting connections from a (web)server to a database-server
> running in the LAN be considered as a security risk? A solution could be
> running the database-server in a MZ (militarized zone). In my opinion in
> this case the inner side of firewall-2 should have 2 network cards.

Yes -- I would put a firewall between the database server and your LAN. The solution you suggest would work ok.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Wed, 13 Mar 2002, Tom Eastep wrote:

> Ad,
>
> ----- Original Message -----
> From: "Ad Koster" <lidad@zeelandnet.nl>
> To: <shorewall-users@shorewall.net>
> Sent: Wednesday, March 13, 2002 9:57 AM
> Subject: [Shorewall-users] General firewalling question
>
> > Currently I am evaluating Shorewall as a firewall solution, and have to
> > admit it works wonderfully so far.
> >
> > However I still have some general questions, and I hope you can help me
> > in solving them.
> >
> >     ---------------Bastion-firewall (firewall 1)
> >           |
> >           |
> >     ---------------DMZ
> >           |
> >           |
> >     ===============Choke Firewall (firewall 2)
> >           |
> >          Lan
> >
> > 1. On what firewall should I install my Freeswan VPN-server, firewall-1 or
> > firewall-2? I intend to install FreeSwan on Firewall-2. In this case
> > connections from the outside world are to be forwarded from firewall-1 to
> > firewall-2 using (d)nat. Is this OK??
>
> I agree that firewall-2 is the correct place for your VPN server. My own
> personal experience with NAT and IPSEC however has not been very
> satisfactory. I would recommend that you use Proxy ARP rather than NAT,
> provided that you have sufficient Public IP addresses.
>
> > 2. Should accepting connections from a (web)server to a database-server
> > running in the LAN be considered as a security risk? A solution could be
> > running the database-server in a MZ (militarized zone). In my opinion in
> > this case the inner side of firewall-2 should have 2 network cards.
>
> Yes -- I would put a firewall between the database server and your LAN. The
> solution you suggest would work ok.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> AIM: tmeastep   \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
>

Thanks, Tom for your response.

So if I fully understand the matter, in an ideal situation traffic from the internal network to the DMZ is perfectly OK, but initial traffic from servers in the DMZ to the LAN should be blocked.

Ad
----- Original Message -----
From: "Ad Koster" <lidad@zeelandnet.nl>
To: "Tom Eastep" <teastep@shorewall.net>
Cc: <shorewall-users@shorewall.net>
Sent: Wednesday, March 13, 2002 12:37 PM
Subject: Re: [Shorewall-users] General firewalling question

> Thanks, Tom for your response.
>
> So if I fully understand the matter, in an ideal situation traffic from
> the internal network to the DMZ is perfectly OK, but initial traffic from
> servers in the DMZ to the LAN should be blocked.

That's correct -- you don't want a compromised system in the DMZ to have easy paths into your local LAN.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
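The policy the thread converges on (LAN may open connections into the DMZ, DMZ hosts may not initiate into the LAN, the database on its own segment behind firewall-2, FreeS/WAN terminating on firewall-2 and reached by proxy ARP rather than DNAT) expressed as a Shorewall configuration for the choke firewall. This is an added illustration, not configuration from the thread or the Shorewall project; it uses the column layout of current Shorewall releases, and the interface names, addresses and the database port 5432 are constructed assumptions.

```conf
# Firewall-2 (choke), assumed layout: eth0 faces the DMZ (outer side),
# eth1 faces the LAN, eth2 is the extra NIC for the database segment.
# All addresses below are constructed placeholders.

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
dmz     ipv4
loc     ipv4
db      ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
dmz     eth0        tcpflags,nosmurfs
loc     eth1
db      eth2

# /etc/shorewall/policy  (defaults, applied when no rule matches)
#SOURCE DEST    POLICY  LOGLEVEL
loc     dmz     ACCEPT            # LAN may open connections into the DMZ
loc     db      ACCEPT            # and into the database segment
loc     fw      ACCEPT
dmz     loc     DROP    info      # DMZ hosts never initiate into the LAN
dmz     db      DROP    info      # nor into the database segment by default
db      all     DROP    info      # database hosts initiate nothing, logged
fw      all     ACCEPT
all     all     REJECT  info

# /etc/shorewall/rules  (the only exceptions to the policies above)
#ACTION SOURCE              DEST            PROTO   DPORT
# The single permitted DMZ->db flow: web server to the database port
# (5432 is an assumption; replace with the real database port)
ACCEPT  dmz:192.0.2.10      db:10.0.2.5     tcp     5432
# FreeS/WAN on firewall-2 itself: IKE and ESP arriving from the DMZ side
ACCEPT  dmz                 fw              udp     500
ACCEPT  dmz                 fw              50

# Firewall-1 (bastion), /etc/shorewall/proxyarp: publish firewall-2's
# public outer address (192.0.2.20, constructed) on the internet interface
# eth0 so IPsec peers reach it directly instead of through DNAT.
#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE
192.0.2.20      eth1        eth0        No
```

Because the policy for dmz->loc and dmz->db is DROP with logging, any attempt by a compromised DMZ host to reach inward beyond the one database rule shows up in the firewall log, which is the detection benefit of the layout Tom recommends.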