DMZ yes, but need better isolation - (broomberg)
First of all, our DMZ is not all public space.
The goal is to have a series of boxes that
are externally accessible in a constrained fashion.
Which then also have specific limited access to our
internal systems.

So this means there could be a web server, an
FTP server, an ssh bouncebox, and specific client
based systems on the DMZ. A client might need a
particular server that is only accessible from
them via their IP address.

But if all these systems are on the same IP segment,
on the same physical LAN, then they can all see
each other, unless we put in a high end switch that
has ACL setups. Which we don't want to do, since
it seems our LAN guys run into "issues" as they try
to set up these ACLs.

Which then means it is up to me to lock them down
via the above described method.
4 port Copper GIG cards are available. - (folkert)
Linux, FreeBSD, OpenBSD and NetBSD all support about a kajillion network ports.

You could in reality have the firewall restrict ANY kind of traffic, even based on time.

If you were to have a Dual Xeon with 12 PCI slots (triple peered) and 4 port NICs, you could theoretically have 48 GIG ports.

Plus if the motherboard itself has a NIC builtin, that could be the management device/nic etc...

Or, if you were to go with a computer setup with CompactPCI slots, you could theoretically have upwards of 100+ network ports. Not cheap, but very flexible as you could do everything you want.

You could also set up a logging service for the firewall to report to, as each "rule" can be set up to log everything with different labels. You could even get fine grained and make rules for each tcp/udp/icmp/etc port for each IP address. Plus you can make rules that are specific to that NIC only as well as the globals and masquerading/NAT. You could make it so that only certain kinds of traffic are available outbound, and a different set as inbound only. You really wouldn't even have to have an ssh bounce machine... although I'd keep one anyway.

For instance, you could also do port-translation as well. Adding addresses to a machine need only be done at the Firewall, you could add something like this:

    Visible IP and Port    DMZ IP and port       Machine
    10.10.10.6:80          192.168.200.2:81      One
    10.10.101.3:80         192.168.200.2:88      One
    10.10.100.5:80         192.168.200.2:8180    One
    172.16.12.86:21        192.168.200.3:8180    Two
    172.16.101.19:21       192.168.200.3:2121    Two
    192.168.100.34:22      192.168.200.3:2222    Two
    198.110.74.110:53      192.168.200.4:1053    Three

This would allow you to have multiple services running on the same host, possibly reducing machine count, possibly allowing you to value-add without having to add machines. Certainly this adds to complexity, but in a manageable way. You could even force the responses to come from a different address, if you wanted.
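As an added illustration (not code from the thread), the port-translation table above turned into Linux iptables commands: one DNAT rule per row, plus a FORWARD rule that admits only the translated port to the DMZ host and logs it with the machine name as the label. The external interface name, the protocol column, and the convention of generating the rules into a reviewable file instead of applying them directly are assumptions of this example.

```shell
#!/bin/sh
# Constructed port map, copied from the table in the post. Columns:
#   visible_ip:port  dmz_ip:port  machine  protocol
# The protocol column is an assumption (the post lists none); 53 is
# shown as udp, a real DNS forwarder would need a tcp rule as well.
PORT_MAP='
10.10.10.6:80      192.168.200.2:81    One    tcp
10.10.101.3:80     192.168.200.2:88    One    tcp
10.10.100.5:80     192.168.200.2:8180  One    tcp
172.16.12.86:21    192.168.200.3:8180  Two    tcp
172.16.101.19:21   192.168.200.3:2121  Two    tcp
192.168.100.34:22  192.168.200.3:2222  Two    tcp
198.110.74.110:53  192.168.200.4:1053  Three  udp
'
EXT_IF=eth0   # assumed name of the outside-facing NIC

# Print the iptables commands for every row. Nothing is executed here:
# the output is meant to be reviewed and kept under revision control,
# then applied as a script (the FORWARD chain is assumed to default to DROP).
gen_dnat_rules() {
    printf '%s\n' "$PORT_MAP" | while read -r vis dmz machine proto; do
        [ -z "$vis" ] && continue            # skip blank lines
        vis_ip=${vis%:*};  vis_port=${vis#*:}
        dmz_ip=${dmz%:*};  dmz_port=${dmz#*:}
        # Rewrite the visible address:port to the DMZ host:port.
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $vis_ip" \
             "-p $proto --dport $vis_port -j DNAT --to-destination $dmz_ip:$dmz_port"
        # Log each new translated connection with a per-machine label.
        echo "iptables -A FORWARD -i $EXT_IF -d $dmz_ip -p $proto --dport $dmz_port" \
             "-m conntrack --ctstate NEW -j LOG --log-prefix \"DNAT-$machine-$vis_port \""
        # Admit only that translated port; anything else to the DMZ host stays blocked.
        echo "iptables -A FORWARD -i $EXT_IF -d $dmz_ip -p $proto --dport $dmz_port" \
             "-m conntrack --ctstate NEW -j ACCEPT"
    done
}

gen_dnat_rules
```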

Almost too many options to count.

And if that is not enough, you can do traffic shaping on *BSD and Linux as well. External commands for that are (supported??) possible, but I am not sure about that. I'd do the shaping with a separate tool anyway.

Too many options exist now for me to put it into a short description.

Plus add in the ISCS stuff and amazing things could happen.

For me, the best possible part is the ability to quickly (re)build a new machine and then pile-on the rules, and being able to keep those rules in a CVS/SVN/etc revision system. Should anything happen to it.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
But the intel only allows 2 per box - (broomberg)
So I have to look to others such as [link|http://www.silicom.co.il/ProductsAndEventsinside.asp?id=87|http://www.silicom.c...sinside.asp?id=87]
Which is Broadcom - and I HATE broadcom.