On 06/07/03 18:12 +0530, Vinu Moses wrote:
> We plan to implement a firewall / gateway for our server room such that
> all servers are on a separate network and behind a firewall / gateway.
> External access to the servers will be only through the firewall /
> gateway.
I assume that this is a standard three legged firewall with Internal,
DMZ and External interfaces.
Communication will always be initiated from the more secure networks to
the less secure ones.
 
> Some details about the network:
> * 10 - 15 servers on a variety of OS's networking with TCP/IP
> (also have some Netware boxes on IPX, but these will not be put behind
> the firewall)
Why not? If they aren't protected, nullroute them so that they cannot be
accessed from the external world.

> * a switched 100 Mbp/s network
> * 250-300 clients
> 
> Network traffic and bandwidth utilisation have not yet been calculated /
> analyzed.... this is in progress, but preliminary estimates put it to
> be well within 30-40 Mbp/s during peak utilisation.
You will need some data on this before a firewall can be recommended.
However, 30-40 Mbps is well within the reach of any good hardware
available today.
I will assume that you have done a risk evaluation, and know what your
assets are and what the cost of losing any of those assets is.
I will also assume that you have a policy in place to define your
firewall policies.

> The present plan is to go with one of the Cisco PIX family of
> firewalls, but I'm trying to evaluate the feasibility of just using a
> linux box instead.
Please do not restrain yourself to using a Linux box. OpenBSD is well
known for its security oriented stance. However, the final choice will
be on how well you know your system and the administrator.
 
> The questions:
> 1. Would implementing the firewall / gateway on a linux box be feasible?
Yes.
 
> 2. What sort of specs. would be required for this linux box?
> -- RAM and bandwidth being the two most important criteria, I'm thinking
> of a Xeon 2 Ghz box with 1 Gb RAM and two 1 Gbp/s Intel
> EtherExpressPro NIC's.
You do not need a Gigabit Interface at this point. Even lower end
hardware should be sufficient for handling this much traffic.
 
> 3. Should I have two firewall / gateway linux boxes (to avoid a single
> point of failure) - this is a large hospital and anything less than
> 24x7 is not an option.
If 24 x 7 is needed, then you need redundancy, whatever you choose to
implement.

> 4. How well would a linux firewall / gateway stand up to one of the
> Cisco PIX family of firewalls? Anyone have any comparisons?
Currently, no. However, you could ask on
[EMAIL PROTECTED] and/or [EMAIL PROTECTED]
These lists have some fairly clued and experienced people who have been
dealing with these issues.

> 5. Does anyone have a better idea on how this whole thing can be done?
Basic question: Why do you need to put hospital data on the Internet?
I would not put it on the internet, but setup a physically separate
network for that.
[The X is a pair of links for example, S1 to F1 and F2]
                        Internet
                           | |  <=== redundant links
                Edge    Router(s) With  ACLs    [You may want two
                                                routers as well, see if
                                                you have a budget for that]
                        X       X <==== redundant switches
                        s1      s2
                        X       X
Internal network <----  F1      F2 <=== redundant packet filters.
w/ proxy and IDS        X       X       possible VPN termination.
                        S3      S4 <=== redundant switches.
                                        Span ports into IDS and
                                                logserver.
                Application Layer Gateways (Proxies)
                                Protocol cleanups, application level
                                authentication, re-encryption (if
                                needed).
                        Servers 
                                Application level authentication
                                HIDS.
                                Encrypted data (possibly).
                                Lots of logging.
                                
        Hopefully, that bad ASCII art diagram gives you some ideas about
setting this up, subject to budget. Remember to err on the side of
caution, and not the side of ease of use.
        If you want to make things slightly more complex (or easier,
depending on your viewpoint), you could setup bridges instead of
firewalls.
        Again, if you have the budget, technical expertise and time you can 
setup two different firewalls on different operating systems, so that a
hole in one does not give a hole in the other.

HTH,
Devdas Bhagat
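As an added illustration of the policy described in the reply above (a three-legged filter where connections are initiated from the more secure network toward the less secure one, with stateful handling of the replies), here is an nftables ruleset for a Linux packet filter. It is not part of the thread and not from the poster; the interface names (eth0 external, eth1 DMZ, eth2 internal), the address ranges, the published web server address and the legacy host addresses are all constructed placeholders to be replaced with the site's own values.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Three-legged stateful packet filter.
# Assumed (constructed) layout:
#   eth0 = external / Internet side
#   eth1 = DMZ, 192.0.2.0/24, published web server at 192.0.2.10
#   eth2 = internal clients, 10.0.0.0/8
# Hosts in legacy_hosts stand in for the unprotected NetWare boxes that
# must never be reachable from outside (addresses are placeholders).

flush ruleset

table inet fw {
    set legacy_hosts {
        type ipv4_addr
        elements = { 10.9.9.1, 10.9.9.2 }
    }

    # Traffic addressed to the firewall itself: management from inside only.
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # SSH to the filter only from the internal network
        iifname "eth2" ip saddr 10.0.0.0/8 tcp dport 22 ct state new accept
        # ICMP needed for path MTU discovery and basic diagnostics
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        limit rate 10/minute log prefix "fw-input-drop: "
    }

    # Traffic crossing the filter between the three legs.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections already accepted below are allowed back;
        # this is what lets the "initiate from the more secure side" rule work.
        ct state established,related accept
        ct state invalid drop

        # Nothing from outside may reach the unprotected legacy hosts,
        # regardless of any rule that follows. Logged so it shows up in the IDS/log server.
        iifname "eth0" ip daddr @legacy_hosts log prefix "drop-legacy: " drop

        # Internal (most secure) may initiate toward DMZ and Internet.
        iifname "eth2" oifname { "eth1", "eth0" } ct state new accept

        # The one deliberate exception: the Internet may open connections
        # to the published service in the DMZ, and to nothing else.
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.10 \
            tcp dport { 80, 443 } ct state new accept

        # DMZ may not initiate toward the internal network at all
        # (policy drop covers it); DMZ toward the Internet is limited to
        # DNS and NTP for the servers' own housekeeping.
        iifname "eth1" oifname "eth0" ip saddr 192.0.2.0/24 \
            udp dport { 53, 123 } ct state new accept
        iifname "eth1" oifname "eth0" ip saddr 192.0.2.0/24 \
            tcp dport 53 ct state new accept

        # Everything else falls through to the drop policy; log a sample of it.
        limit rate 10/minute log prefix "fw-forward-drop: "
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`. The order inside the forward chain matters: the legacy-host drop sits before any accept so no later rule can override it, and the `established,related` rule comes first so that reply packets never depend on direction-specific rules. The null-route alternative the reply mentions for hosts that are not behind the filter is, on a Linux router, a blackhole route such as `ip route add blackhole 10.9.9.0/24`, which discards packets for that prefix before any forwarding decision.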
