[H-GEN] Firewalling

Hilton Travis QuarkComputers at email.com
Fri Jun 16 22:57:42 EDT 2000


[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics.  Please observe the list's charter.          ]

Hi All,

I have a LAN I need to provide some form of security on due to structural
changes that are currently being undertaken.  I want to install a Linux
firewall and have a secured LAN and a DMZ running from this.  Please chime
in with opinions and suggestions as appropriate.

The existing LAN is Windows NT Workstation based and is currently live on
the Internet (real IPs and all) via an ethernet connection.  There is no
*real* need for security on this LAN, except the fact that I don't like the
idea of these machines being open for attack by all and sundry.  There is a
fileserver (Windows NT Server) on this LAN that currently contains no
sensitive information.

I would like to move this existing LAN to a DMZ and use NAT/IPMasq for
Internet connectivity.  The only issue I can see with this is that
applications such as MS NetMeeting will no longer work, but if H.323 apps
failing is the only problem then I can happily live with that.  I also want
to move the existing FileServer to a secured LAN and have a couple of new
workstations located on this LAN.  The existing FileServer can then be used
to store sensitive data.  The machines in the DMZ need to map shares on the
NT Server.  I do not want to have to add another NT Server, for a number of
reasons.


The current configuration is as below:

I \     Existing
N  \       LAN
T  |     (live)
E  \________|____
R  /             |
N  |         Existing
E  /        FileServer
T /           (live)



What I am considering is the following:

I \          __________          / Existing
N  \        |          |--------<     LAN
T  |        |          |  DMZ    \ (private)
E  \________| Linux    |
R  /        | Firewall |
N  |        |          | Secure  /  Existing
E  /        |          |--------<  FileServer
T /          ----------      |   \ (private)
                             |
                         New LAN
                        (private)


For machines in the DMZ to be able to access shares on the FileServer in the
secured LAN, I realise I will have to have ports 137-139 open on the secured
LAN (is that an oxymoron??) and accepting connections ONLY from the DMZ.  I
also realise that IP Spoofing protection will need to be in place on all
interfaces.

Now, the only issue I have is that a remote-admin program is used so these
systems can be administered remotely (obviously!!) - *NOT* PCAnywhere or VNC.
I will probably need to configure port-forwarding on the Firewall so that
this can still take place.  Will there be any issues here?

If I have overlooked anything, or made some stupid assumptions, could
someone please point this out :-)

Regards,
Hilton Travis

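
Below is an added worked example of the rule set the post describes, written by the editor and not taken from the poster or the Humbug list. It assumes interface names and addresses the post does not give: eth0 facing the Internet, eth1 as the DMZ (192.168.1.0/24), eth2 as the secure LAN (192.168.2.0/24) with the NT file server at 192.168.2.10, a hypothetical remote-admin TCP port (ADMIN_PORT) and a hypothetical admin source address (ADMIN_FROM). It uses netfilter/iptables syntax (kernel 2.4 and later) rather than ipchains, which is what "IPMasq" implied in 2000; the practical difference is that replies are matched by connection state instead of needing reverse rules. Two details worth checking against the post: NetBIOS share access is TCP 139, while 137 and 138 are UDP name-service and datagram traffic, so the rules treat them separately and allow them only to the file server; and with a single public address each host reachable through the remote-admin port-forward needs its own external port, and the forward should be restricted to a known source address, since it punches a hole straight through to the secure LAN.

```shell
#!/bin/sh
# Three-interface Linux firewall for the topology sketched in the post.
# Added example; not the poster's configuration.  Assumed names:
#   eth0 = Internet side (the firewall's public address)
#   eth1 = DMZ, 192.168.1.0/24 (the existing workstations, now private)
#   eth2 = secure LAN, 192.168.2.0/24, NT file server at 192.168.2.10
# netfilter/iptables (kernel 2.4+) syntax, so replies are matched
# statefully instead of needing reverse rules as with ipchains.
# "sh fw.sh show" prints the rules, "sh fw.sh apply" loads them.

IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}
EXT=eth0; DMZ=eth1; SEC=eth2
DMZ_NET=192.168.1.0/24
SEC_NET=192.168.2.0/24
FILESERVER=192.168.2.10
ADMIN_PORT=${ADMIN_PORT:-5900}          # hypothetical: remote-admin tool's TCP port
ADMIN_FROM=${ADMIN_FROM:-203.0.113.5}   # hypothetical: only public IP allowed to use it

# forward_admin <external tcp port> <internal host>
# One public address means each administered host needs its own external
# port; DNAT rewrites it to ADMIN_PORT on the chosen host, and the FORWARD
# rule then sees the already-rewritten destination.
forward_admin() {
    $IPT -t nat -A PREROUTING -i $EXT -s $ADMIN_FROM -p tcp --dport "$1" \
         -j DNAT --to-destination "$2:$ADMIN_PORT"
    $IPT -A FORWARD -i $EXT -s $ADMIN_FROM -d "$2" -p tcp --dport $ADMIN_PORT \
         -m state --state NEW -j ACCEPT
}

build_rules() {
    # Start clean, default deny for anything entering or crossing the box.
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

    # Reverse-path filter: drop packets whose source would not be routed
    # back out the interface they arrived on.  Then enable forwarding.
    $SYSCTL -w net.ipv4.conf.all.rp_filter=1
    $SYSCTL -w net.ipv4.ip_forward=1

    # Explicit anti-spoofing on every interface, in addition to rp_filter:
    # private/loopback sources never arrive from the Internet, and each
    # internal interface may only carry its own subnet.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -A INPUT   -i $EXT -s $net -j DROP
        $IPT -A FORWARD -i $EXT -s $net -j DROP
    done
    $IPT -A INPUT   -i $DMZ ! -s $DMZ_NET -j DROP
    $IPT -A FORWARD -i $DMZ ! -s $DMZ_NET -j DROP
    $IPT -A INPUT   -i $SEC ! -s $SEC_NET -j DROP
    $IPT -A FORWARD -i $SEC ! -s $SEC_NET -j DROP

    # Replies to connections allowed below, plus loopback.
    $IPT -A INPUT   -i lo -j ACCEPT
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Both private networks reach the Internet through masquerading.
    $IPT -A FORWARD -i $DMZ -o $EXT -j ACCEPT
    $IPT -A FORWARD -i $SEC -o $EXT -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $EXT -j MASQUERADE

    # The secure LAN may open anything towards the DMZ, never the reverse,
    # except NetBIOS to the file server only: 137/udp name service,
    # 138/udp datagram, 139/tcp session (the share traffic itself).
    $IPT -A FORWARD -i $SEC -o $DMZ -j ACCEPT
    $IPT -A FORWARD -i $DMZ -o $SEC -s $DMZ_NET -d $FILESERVER \
         -p udp --dport 137:138 -j ACCEPT
    $IPT -A FORWARD -i $DMZ -o $SEC -s $DMZ_NET -d $FILESERVER \
         -p tcp --dport 139 -j ACCEPT

    # Remote administration: one external port per host (hypothetical
    # values), limited to the admin's address.
    forward_admin 5001 $FILESERVER       # file server on the secure LAN
    forward_admin 5002 192.168.1.20      # one DMZ workstation, hypothetical

    # Log what the DROP policy is about to discard.
    $IPT -A FORWARD -j LOG --log-prefix "fw-drop: "
}

# Print the rules instead of applying them (used by "show" and by tests).
rules_text() { ( IPT=echo; SYSCTL=echo; build_rules ); }

case "${1:-}" in
    apply) build_rules ;;
    show)  rules_text ;;
esac
```

Running it with `show` lets you read the generated rules before touching a live box; the only DMZ-to-secure ACCEPT lines are the two NetBIOS rules pinned to the file server's address, which is the property to verify whenever the script changes.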

--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.


