Usually, since I don't know how much "displeasure" Bill endured while
trying to "protect" the network he was supporting, but here are some more
helpful hints that will help the poster...
http://www.esj.com/library/1998/june/0698028.htm
When you define your network topology, you should define it from the
outside to the inside. In other words, you define from the point of the
access router belonging to your Internet service provider (ISP)
down into the organization's network. In the Network Topology tree, the
Internet node represents your ISP's default gateway, and using the
Interfaces panel on this node you can define the IP address of your ISP's
default gateway and the network to which that IP address belongs. Once this
network is defined, you can define your gateway device, whether it is a
router or a firewall, that is attached to the network that you share with
your ISP. Your internal networks, defined when you specify the interface
settings for the gateway, are connected to the gateway device. You can
define other gateways, hosts, or IP ranges below a network.
I could suggest the use of a personal firewall or IDS product, but that
would be showing a vendor slant, so therefore this article should benefit
the readers: http://www.security-informer.com/english/crd_seci_250782.html
/mark
Sounds like the person who designed the security architecture from the
beginning was still looking for the "CLUE" that would provide him with a
design that scales with the business model and does not fail to scale as
indicated below.
I guess I don't know enough about firewalls and security architectures to
know whether what was posted below means that the design listed below was
somewhat faulty to begin with... :)
/m
At 12:43 PM 11/29/00 -0500, [EMAIL PROTECTED] wrote:
>I've had the displeasure of trying to "protect" departments from each
>other so I'll throw my two cent at this one.
>
>The real solution is to implement access controls to the data instead of
>trying to segment the individual LANs. It has been my experience that
>firewalling between departments that do business with each other soon
>becomes an administrative nightmare. Every Tom, Dick and Harriet manager,
>auditor, accountant, attorney, admin assistant, and-on-and-on, etc., etc.,
>etc. . . has some reason why they needed "special" access through the
>firewall. To give you an idea of how bad this got, at one point there
>were over 1,800 IP filtering rules on 21 different routers.
>
>For all practical purposes these rules were there so personnel in the
>departments didn't have to do anything to protect their resources. This
>got changed. First we educated the owners of the data on their
>responsibility to classify their data and determine who should have access
>to it. Then we set up groups to implement those controls. Then we gave
>the owners of the data the ability to add or remove people from those
>groups as they saw fit. Finally, we removed the majority of the filter
>rules from the routers.
>
>-- Bill Stackpole, CISSP
>
>David Van Damme <[EMAIL PROTECTED]>
>Sent by: [EMAIL PROTECTED]
>
>11/29/00 06:59 AM
>
> To: "'Hubert Felber'" <[EMAIL PROTECTED]>
> cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: RE: Firewall for LAN
>
>
>
>Why would a firewall between LANs be a lot different than a `regular`
>firewall?
>Any firewall where you can disable the NAT would do, right?
>
>David
>
>
>-----Original Message-----
>From: Hubert Felber [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, November 29, 2000 3:35 PM
>To: [EMAIL PROTECTED]
>Subject: Firewall for LAN
>
>
>Hi,
>
>I am looking for firewall solutions to work on the LAN. We want to protect
>the inhouse departments from each other. Once there was a product called
>Eagle LAN from Raptor. I don't know if this still exists, but this is
>exactly the kind of firewall solution I am looking for.
>
>Does anybody know, or can anybody recommend a product?
>
>Thank you
>Hubert
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]