On Tue, 2 Aug 2005, Stephan Weaver wrote:
Hello Everyone.
We are going to be connecting our Stores to our Main Head Office Via Fiber.
We want to separate our Internal Lan from the store computers.
So we have decided to separate them by networks [ip addressing] because of
security.
Head Office
I have 3 Servers in my LAN. And 4 Networks in Total inside of out Head
Office.
10.10.10.1 - Pixel Replication Server
192.168.1.1 - Web Based Server [Delivery Server]
192.168.100.1 - File Server
Including Internet Users.
192.168.0.1-254 [ Lan ].
The store computers that need to access specific servers, are only on that
network.
For example.
Store 1, Computer 1 Needs to Replicate [he will have an ip of 10.10.10.105]
Store 1, Computer 2 [The Delivery Pc]. he will have an ip of 192.168.1.105
Store 1, Computer 3 Will access the File Server by having an ip of
192.168.100.105.
Now the Risk involved with this is we have no Real Security, For Example.
A Malicious user can easily change his ip address to 192.168.0.105 For
Example and Get on our Head Office Internal Network. Which We don't Want.
So i would like to Setup, Install And Configure a FreeBSD Based Firewall,
that will have 4 Network Cards, and will be placed between Our Head Office
Switch, and out Fibre Switch [Wan].
But AFAIK, By Placing all these network cards in the Same Machine, FreeBSD
Will Bridge All Those Networks.
How Can i keep the networks Separate, and Secure the Servers by Firewalling
by ip addressing?
I would appreciate Advice / Suggestions / Anything That will give me a better
clue on how to secure my network.
Yours Sincerely,
Stephan Weaver
I can tell you as of right now that you're going to have to setup
a NAT with your FreeBSD box acting as the gateway using something like
ipf, ipfilter, etc. However, I have little experience with this, and
depending on what you want in terms of user interaction, different
solutions will pose certain pros and cons.
Also, no one outside of the network can just change their IP
address to 192.168.0.x because the 192.168.x.y IP address blocks are
reserved as Class C addresses which under all correct implementations of
IP physically inaccessible outside the network. Therefore, that isn't so
much of an issue... however, it still doesn't hurt to have a firewall
because you don't want someone tunnelling in and wreaking havok on your
network. That is of course if the information you listed above was in fact
what's currently implemented as opposed to what should be implemented.
Just a few minor thoughts.
-Garrett
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
