Hello all, I'm in charge of reworking my company's firewall structure. We went through a few designs, I think everyone is happy with this one. Figured I'd post it here and see if anyone can find any hotspots.
To keep it basic.... Traffic enters through a Cisco 26xx router, running lightweight packet filtering. It connects directly to a dual-homed Netfilter gateway firewall. That connects to a Cisco 35xx switch. This is the DMZ. All machines in the DMZ will be dual-homed, with point-to-point networks (252 subnets) connecting them to the gateway and choke firewalls. The idea of the 252 thing is to make it hard to fake an address on a DMZ machine, and make it hard to mess with other machines in the DMZ.

Back to it, each DMZ machine will connect to the 35xx switch on one interface. We will have three Netfilter choke firewalls, each will have several interfaces. Each DMZ machine connects to a choke through a direct point-to-point connection. There will also be three crossover cables in the DMZ, one to each choke. This is for the rare non-proxyable protocol, logging, etc. The choke firewalls then connect to the local LAN through fiber connections.

Things you might be thinking:

-Why so many chokes? Some of our most heavily used servers will be in the DMZ. Minimizing single points of failure.

-Why fiber? Load balancing and minimizing single points of failure. Some servers will be connecting to the chokes with fiber. Also the DMZ machines need to be backed up by a server in the LAN and fiber is needed for this. Also see above.

-Why so many interfaces/networks/etc? Trying to minimize the power of an owned machine in the DMZ. Originally each DMZ box had two interfaces on point-to-point networks to the choke and gateway, but this got too expensive.

-That's stupid. Why don't you have standalone firewalls on each DMZ machine? A few of the DMZ machines will be Linux based, but most are Microsoft machines. Despite being hard/expensive to firewall, they are not my responsibility (almost a hands-off affair).

-You dummy, your one point of failure is the gateway! There will be a hardware duplicate of the gateway machine on standby.
I know that, with some clever scripting, there is a way to make it failover automatically. But this is currently beyond me. We also have a spare router. Well, there it is, hope I didn't forget anything. Thanks for any feedback!
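The anti-spoofing benefit of the /30 point-to-point links is the part of this design that is easy to show in configuration. The following is an added illustration, not configuration from the original post: a small Python script that generates the per-interface Netfilter ingress rules a choke would carry for its DMZ links and simulates how they treat a packet. The interface names, the 10.1.0.0/30 addresses and the convention that the choke takes the first usable address of each /30 are all constructed for the example.

```python
import ipaddress

# Constructed example links for one choke firewall: interface -> point-to-point
# /30 network (the post's "252 subnets", i.e. a 255.255.255.252 mask).
# Assumption for the example: the choke takes the first usable address,
# the DMZ host the second.
LINKS = {
    "eth1": ipaddress.ip_network("10.1.0.0/30"),
    "eth2": ipaddress.ip_network("10.1.0.4/30"),
    "eth3": ipaddress.ip_network("10.1.0.8/30"),
}


def choke_address(net):
    """First usable address of a /30: assumed to be the choke's side."""
    return list(net.hosts())[0]


def dmz_peer_address(net):
    """Second usable address of a /30: assumed to be the DMZ host's side."""
    return list(net.hosts())[1]


def iptables_rules(links):
    """Emit per-interface ingress filtering for the FORWARD chain.

    On a point-to-point /30 the only legitimate source address arriving on
    that interface is the single peer at the far end; anything else is a
    spoofed or misconfigured source and is dropped before it can reach
    another DMZ host or the LAN.
    """
    rules = []
    for iface, net in sorted(links.items()):
        peer = dmz_peer_address(net)
        rules.append(f"iptables -A FORWARD -i {iface} -s {peer}/32 -j ACCEPT")
        rules.append(f"iptables -A FORWARD -i {iface} -j DROP")
    # Traffic arriving on an interface not listed above has no business
    # being forwarded through the choke at all.
    rules.append("iptables -A FORWARD -j DROP")
    return rules


def filter_packet(links, in_iface, src):
    """Simulate the rules above for one packet: return 'ACCEPT' or 'DROP'."""
    net = links.get(in_iface)
    if net is None:
        return "DROP"
    return "ACCEPT" if ipaddress.ip_address(src) == dmz_peer_address(net) else "DROP"


if __name__ == "__main__":
    for rule in iptables_rules(LINKS):
        print(rule)
    # A host on eth2 presenting eth1's peer address is dropped on ingress.
    print(filter_packet(LINKS, "eth2", "10.1.0.2"))
```

The per-interface ACCEPT/DROP pair is what makes address faking from a compromised DMZ host ineffective at the choke: the spoofed packet arrives on the wrong interface and never matches the ACCEPT rule. A complete rule set would additionally restrict destination ports per host and log the drops so the choke doubles as a spoofing detector.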

