DarkFoon wrote:

Hmm. You have talked a little over my head... (I do not know what dot1q
trunking is, and I have a vague memory of what layer 2 is... *eep*)
Anyways

an individual broadcast domain per segment. Maybe
that is what he wants and/or I'm overlooking something.

I don't think my client would know what that means. (I only have a vague
understanding)
Networking isn't my strongest point. So, I'm learning a whole lot right now.



That process never stops in this business.


From what I've looked at, it would seem that a pfSense box best suits my
client. I haven't looked at prices for the commercial solutions, but it
would appear that even some of the lower-end ones lack some features I need,
and are rather pricey.



If firewalls with VLAN-capabilities could be had at WalMart, Netscreen wouldn't charge the equivalent of a small house for their top-end gear. You will also find it next to impossible to find an online-pricelist for, say, Checkpoint's Firewall One.
(It's also doubtful you would be able to grasp its complexity, I'm told...)


But I'd like to understand one thing first, on the firewall page under
pfSense, can I assign different rules for each interface?



Yep.
Even the most humble "Joey-designed-a-linux-firewall-gui"-freshmeat-of-the-week project can do this ;-) You should check out freshmeat - there must be hundreds of mostly one-shot attempts at creating a GUI for the Linux firewalling commands (which change every release) and none of them can match or even come close to pfSense.


See, allow me to explain why my client wants the separate ports. His office
network will soon have a domain server with the roaming profiles
bells-and-whistles and he wants that to not affect any other computers on
the network (I don't think it will). But more importantly, he wants his
business network separate from his kids' network (that's my nickname for it)
in case one of them contracts the Windows XP "Worm of the Week" and it
starts spewing infected packets all over the network (like Sasser, if I
understood that one correctly) and infects/crashes his business portion. At
least the last part makes sense to me. (I personally use windows ME, so I
avoid all those things by obscurity.)


Good idea - pfSense can do that easily.
But you need a switch that can do VLANs, too.
(Nowadays, even the cheap Netgears can do it, you don't have to buy an expensive "core" switch for that anymore.)
But firewalls don't protect from stupid users. Or only to a degree.
If a worm is well spread within a network, it can quickly overwhelm the firewall by creating hundreds of thousands of connections to the internet.
SQL-Slammer even brought down switches and whole ISPs.
Also, if the worm spreads via email (which you are probably going to let through), the firewall is not going to help much.

The problems don't arise from the things you block, but from what you let through.


And one final curious tangent, does pfSense support tar pits? That idea has
intrigued me since I first heard about it. Last time I checked, though, the
maintainers said that somebody was free to write a plugin for it. I have no
programming knowledge (yet).



You can limit connections per second.
But IMO, this function is best left to a real mailserver.



For clarification I'll explain basically what my client's network
topography will look like (or what he wants it to look like)



                                   |___OFFICE NETWORK
                                   |
WAN -->(modem)--->(firewall/router)=|___(Forum Webserver/VPN login server)*
                                   |
                                   |___KIDS NETWORK

* perhaps I should separate these two things onto their own machines and own
separate interfaces.



See, I'd really advise you to read some books on the subject of firewall design.
Like the one from O'Reilly:
http://www.oreilly.com/catalog/fire2

(other books from http://security.oreilly.com/ are also useful)


The wikipedia-page on this subject:
http://en.wikipedia.org/wiki/Firewall_%28networking%29

is really only a glimpse at the situation.



Each fork I've shown (I bet that diagram doesn't even show up properly on
anyone's email client but mine) should be "separate" from the others to
prevent a virus/worm spreading from one to another (or a hacker? as my
client fears). It sounds like I'd have to separate them by using vlans.



Yes. But then, the transfer-speed between the segments is limited by the firewall-backplane-speed.
If you've got a WRAP, it's 20 Mbit.
If it's a full-blown PC, it's between 100Mbits and GBit.


The
only way I could think of doing it physically is by using a firewall for
each fork, and having one plain router splitting the connection amongst
them (this sounds cumbersome, stupid, and spendy)


Yup.
Or a firewall with many interfaces.
Or VLANs.
Again, there is a lot of consideration involved in all these "details".
Usually, unless the webserver needs data from an internal source, I'd move it to a colo or use shared hosting at some ISP - it's usually not worth the effort to host it yourself. LAN is only LAN; services that need access from both inside and outside are better moved to the DMZ (or use some sort of proxy solution in the DMZ).



One last thing, do the barebones appliances have gigabit ethernet? Or is
that feature usually rare?



That depends entirely on the amount of money you are prepared to spend.




cheers,
Rainer
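As an added illustration of the layout discussed in this thread (office, kids and DMZ as separate VLANs, per-interface rules, inter-segment traffic blocked, connection-rate limiting on the published service), here is a plain pf.conf that expresses that policy. It is constructed for this thread, not a ruleset generated by pfSense; the interface names, VLAN ids, addresses and ports are assumptions.

```pf
# Constructed example: interface names, VLAN ids, addresses and ports are assumptions.
ext_if    = "sis0"      # WAN, behind the modem
office    = "vlan10"    # office network, 192.168.10.0/24
kids      = "vlan20"    # kids' network,  192.168.20.0/24
dmz       = "vlan30"    # DMZ holding the forum webserver / VPN login box
webserver = "192.168.30.10"
table <bad_hosts> persist   # filled automatically by the rate limit below

set skip on lo0
scrub in all

# Hide all three segments behind the WAN address; publish only the DMZ host
nat on $ext_if from { $office:network, $kids:network, $dmz:network } to any -> ($ext_if)
rdr on $ext_if proto tcp to ($ext_if) port { 80, 443 } -> $webserver
rdr on $ext_if proto udp to ($ext_if) port 1194 -> $webserver

# Default deny on every interface; each interface then gets its own pass rules
block log all
block in quick from <bad_hosts>

# WAN: only the published services, with a per-source connection-rate cap
# (30 new connections per 10 seconds; offenders land in <bad_hosts>)
pass in on $ext_if proto tcp to $webserver port { 80, 443 } flags S/SA \
    keep state (max-src-conn-rate 30/10, overload <bad_hosts> flush global)
pass in on $ext_if proto udp to $webserver port 1194 keep state

# OFFICE: may reach the Internet and the DMZ, never the kids' segment
block in quick on $office to $kids:network
pass in on $office from $office:network keep state

# KIDS: Internet only; the state cap limits how hard an infected PC can push
block in quick on $kids to { $office:network, $dmz:network }
pass in on $kids from $kids:network keep state (max-src-states 200)

# DMZ: may answer clients but never initiate into the office or kids segments
block in quick on $dmz to { $office:network, $kids:network }
pass in on $dmz from $dmz:network keep state

pass out on $ext_if keep state
```

The `block ... quick` lines are what keep a worm on one VLAN from reaching the others; everything the firewall passes still rides through the firewall box, so inter-segment throughput is bounded by that machine, as noted above.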
