I'd love to help. I just had this same problem (WINS doing bizarre things on
multi-homed systems) and the only way I could get around it was by disabling
WINS altogether on the multihomed boxes. For me it was a security issue that
the unsafe network even _knew_ about the networks on the other side of the
multihomed servers. 

The firewall sounds like it is doing the Right Thing, it's just that your
clients are getting bad information from WINS. Really, clients should only
be able to access the NIC you want them to see and not be aware of the
other, otherwise it's not really a VLAN. Can you use another way of
resolving hostnames? LMHOSTS? Normal (?!) MS browsing without a WINS server?
DNS?

Maybe you could doctor the WINS database manually, if you _must_ use WINS,
and just remove WINS from the dual homed servers' interfaces.

Gotta fly..

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520

        -----Original Message-----
        From:   Marcel Gerardino [SMTP:[EMAIL PROTECTED]]
        Sent:   Friday, April 23, 1999 6:22 AM
        To:     [EMAIL PROTECTED]
        Subject:        vlans and FW-1



        Hello,

        I have a small problem.  I'm allowing nbname queries through Firewall-1
        from the outside to the WINS servers on the inside in a network remote
        access point (modem bank, not internet).  I guess my first question would
        be whether this imposes any real threat to security.

        Ok, the real problem is that some of the internal NT servers have 2 NICs,
        each connected to a VLAN, so there are two entries for each of these
        servers in the WINS server (the two IP addresses).  Whenever someone
        queries the WINS server it returns either one of these entries.  Since I
        defined these network objects with one of the IP addresses, access to them
        is being denied whenever you happen to get the other one.  Do I have to
        define each of these interfaces in the network object's properties? Or
        should I create two objects?  I'm not sure that the firewall checks both
        defined interfaces prior to granting or denying access.

        Regards,

        Marcel


        -
        [To unsubscribe, send mail to [EMAIL PROTECTED] with
        "unsubscribe firewalls" in the body of the message.]

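An added example, not part of the original messages: a short Python audit of the mismatch discussed in this thread, where WINS holds two addresses for a dual-homed server but the firewall object was defined with only one. The host names, addresses and function names are constructed for illustration; the output lines use the standard LMHOSTS `#PRE` entry format to pin each affected name to the address the rule base permits.

```python
import ipaddress

# Constructed sample data (assumption, not from the thread): the addresses WINS
# holds for each NetBIOS name, and the single address each firewall network
# object was defined with.
WINS_RECORDS = {
    "NTSRV1": ["10.1.1.10", "10.2.1.10"],   # dual-homed, one NIC per VLAN
    "NTSRV2": ["10.1.1.11", "10.2.1.11"],   # dual-homed
    "FILESRV": ["10.1.1.20"],               # single-homed
}
FIREWALL_OBJECTS = {
    "NTSRV1": "10.1.1.10",
    "NTSRV2": "10.1.1.11",
    "FILESRV": "10.1.1.20",
}


def audit(wins_records, firewall_objects):
    """Return {name: [addresses WINS may hand out that the rule base denies]}.

    A name with no firewall object at all reports every registered address.
    """
    findings = {}
    for name, addrs in wins_records.items():
        allowed = firewall_objects.get(name)
        permitted = ipaddress.ip_address(allowed) if allowed else None
        stray = [a for a in addrs if ipaddress.ip_address(a) != permitted]
        if stray:
            findings[name] = stray
    return findings


def lmhosts_lines(findings, firewall_objects):
    """Build LMHOSTS entries pinning each affected name to its permitted address."""
    lines = []
    for name in sorted(findings):
        if name in firewall_objects:
            lines.append(f"{firewall_objects[name]}\t{name}\t#PRE")
    return lines


if __name__ == "__main__":
    found = audit(WINS_RECORDS, FIREWALL_OBJECTS)
    for name, stray in sorted(found.items()):
        print(f"{name}: WINS also returns {', '.join(stray)}")
    print("\n".join(lmhosts_lines(found, FIREWALL_OBJECTS)))
```

Every address reported by `audit` is also one that the remote-access side learns about through WINS, which is the exposure raised in the reply.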