Multiple NICs vs multiple physical firewalls
On Sat, 22 Nov 2014 16:46:43 +0100 Martin Hanson wrote:
> Hi all
>
> I have one gateway and several boxes serving some NFS, Samba and other stuff.
> Then I have a public server for some gaming.
>
> I am thinking about two different setups, but I am in serious doubt as to
> whether one actually has any real benefit over the other.
>
> The public server gets its own NIC on the firewall, whereas the other boxes
> share another NIC (through a switch) for local stuff.
>
> My worry is if the public server gets hacked.
>
> Is it better to physically segment the network using two different boxes as
> routers/firewalls, or is it better to simply use one router/firewall with 3
> NICs?
>
> Setup 1:
>
> Gateway --> firewall --> NIC1 --> public server
>                      |
>                      --> NIC2 --> LAN
>
> Setup 2:
>
> Gateway --> firewall1 --> public server
>         |
>         --> firewall2 --> LAN
>
> I am wondering about which of the two situations is "most secure".
>
> Maybe it really depends on how the firewall is set up, but what I want to
> avoid is that if the public server gets hacked, the attacker can gain
> access to stuff on the LAN.
>
> Any comments on these different setups?
>
> Of course the ideal would probably be to get two separate Internet
> connections, but that's really not an option in this case.
>
> Kind regards.

Setup 1 should be fine; you can just block everything to the firewall from the
public server. That way, if the public server is compromised it cannot connect
to anything.

    block in on $pub_server_if
    pass out on $pub_server_if

This will allow all traffic initiated through the firewall out (to the
$pub_server), and replies back in, but any traffic initiated on that $if (from
$pub_server) will be blocked. You can optionally log it as well:

    block in log on $pub_server_if

which would give you a log of all traffic initiated from the public server, if
and when it gets compromised. That would be closest to 'most secure'.
If you want to allow the public server access to the outside, it gets more
complicated. You may need to allow DNS requests out, for instance:

    pass in quick on $pub_server_if proto udp from $server_ip to any port 53

Study the pf FAQ and man pages well; there is also a pf firewalling tutorial at
http://home.nuug.no/~peter/pf/

In sum:

    block in log on $pub_server_if
    pass in quick on $pub_server_if proto udp from $server_ip to port 53
    pass out on $pub_server_if

should completely isolate the server except in response to outside requests and
inside DNS requests.
Multiple NICs vs multiple physical firewalls
Hi all

I have one gateway and several boxes serving some NFS, Samba and other stuff.
Then I have a public server for some gaming.

I am thinking about two different setups, but I am in serious doubt as to
whether one actually has any real benefit over the other.

The public server gets its own NIC on the firewall, whereas the other boxes
share another NIC (through a switch) for local stuff.

My worry is if the public server gets hacked.

Is it better to physically segment the network using two different boxes as
routers/firewalls, or is it better to simply use one router/firewall with 3
NICs?

Setup 1:

Gateway --> firewall --> NIC1 --> public server
                     |
                     --> NIC2 --> LAN

Setup 2:

Gateway --> firewall1 --> public server
        |
        --> firewall2 --> LAN

I am wondering about which of the two situations is "most secure".

Maybe it really depends on how the firewall is set up, but what I want to
avoid is that if the public server gets hacked, the attacker can gain
access to stuff on the LAN.

Any comments on these different setups?

Of course the ideal would probably be to get two separate Internet
connections, but that's really not an option in this case.

Kind regards.
Re: Multiple NICs vs multiple physical firewalls
On Sat, Nov 22, 2014 at 8:46 AM, Martin Hanson wrote:
> Hi all
>
> I have one gateway and several boxes serving some NFS, Samba and other stuff.
> Then I have a public server for some gaming.
>
> I am thinking about two different setups, but I am in serious doubt as to
> whether one actually has any real benefit over the other.
>
> The public server gets its own NIC on the firewall, whereas the other boxes
> share another NIC (through a switch) for local stuff.
>
> My worry is if the public server gets hacked.
>
> Is it better to physically segment the network using two different boxes as
> routers/firewalls, or is it better to simply use one router/firewall with 3
> NICs?
>
> Setup 1:
>
> Gateway --> firewall --> NIC1 --> public server
>                      |
>                      --> NIC2 --> LAN
>
> Setup 2:
>
> Gateway --> firewall1 --> public server
>         |
>         --> firewall2 --> LAN
>
> I am wondering about which of the two situations is "most secure".
>
> Maybe it really depends on how the firewall is set up, but what I want to
> avoid is that if the public server gets hacked, the attacker can gain
> access to stuff on the LAN.
>
> Any comments on these different setups?
>
> Of course the ideal would probably be to get two separate Internet
> connections, but that's really not an option in this case.

Setup 1 is a very common scenario--and I probably wouldn't do Setup 2 unless
the two firewalls needed to be administered by different groups, which does not
apply here.

So, I would go with Setup 1 and configure rules on the firewall to prevent your
public server from talking to your LAN (commonly known as a DMZ scenario), which
would prevent an attacker from being able to compromise your LAN hosts if the
public server was compromised.

You could also replace NIC1 and NIC2 with a single NIC, vlan(4) and a switch
that supports VLANs.
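The two replies above give the DMZ rules in fragments (block inbound on the public server's interface, pass outbound, allow DNS with `quick`, log what the server originates). The following is an added example of a complete pf.conf for "Setup 1" that puts those fragments together with NAT and the inbound game port; it is not from the thread or from any of the posters. Interface names (em0/em1/em2), the RFC 1918 addresses and the game port 27015 are placeholders chosen here, not values from the original post.

```pf
# Added example, not from the thread. Placeholders (not from the original post):
# em0 = Internet-facing NIC, em1 = NIC1 (DMZ, public server), em2 = NIC2 (LAN).
# With a single NIC and vlan(4), only these three macros change (e.g. vlan10).
ext_if     = "em0"
dmz_if     = "em1"
lan_if     = "em2"
dmz_net    = "192.168.100.0/24"
lan_net    = "192.168.1.0/24"
pub_server = "192.168.100.10"
game_port  = "27015"            # hypothetical game port; set it to the real one

set skip on lo

# Default deny. The second rule logs anything the DMZ host tries to originate,
# so a compromise shows up in pflog before anything else happens.
block all
block in log on $dmz_if

# NAT both internal networks when they leave towards the Internet.
match out on $ext_if inet from { $dmz_net, $lan_net } to any nat-to ($ext_if)

# The public server must never reach the LAN or the firewall's own addresses.
# "quick" ends rule evaluation here, so no later pass rule can override it.
block in quick log on $dmz_if from $dmz_net to $lan_net
block in quick log on $dmz_if from $dmz_net to self

# Inbound game traffic from the Internet, redirected to the public server.
pass in on $ext_if inet proto { tcp, udp } to ($ext_if) port $game_port rdr-to $pub_server

# The only thing the public server may originate: DNS (to any resolver; narrow
# "to any" to your resolver's address if you have one).
pass in quick on $dmz_if inet proto udp from $pub_server to any port 53

# Traffic the firewall forwards into the DMZ (game clients, LAN admins), with
# replies allowed by the state pf creates for every pass rule.
pass out on $dmz_if

# LAN may reach the Internet and the public server; the server can only reply.
pass in on $lan_if from $lan_net
pass out on $lan_if
pass out on $ext_if
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. Because pf is last-match-wins, the isolation relies on the two `block in quick` rules on $dmz_if sitting before the DNS and game rules; keep that ordering if you add further pass rules for the DMZ, and watch `tcpdump -n -e -ttt -i pflog0` for blocked connection attempts from $pub_server, which is the detection the first reply describes.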