Dismiss Notice

Welcome To CK5!

Registering is free and easy! Hope to see you on the forums soon.

Score a FREE t-shirt and membership sticker when you sign up for a Premium Membership and choose the recurring plan.

Any IP routing/security guys in here?

Discussion in 'The Lounge' started by newyorkin, Feb 11, 2004.

  1. newyorkin

    newyorkin 1 ton status

    May 8, 2001
    Likes Received:
    Los Estados Unitos
    I'm in need of a professional opinion, but am not ready to ask the pros I have available to ask (it's complicated).

    I have a 2 IP-net physical lan connected to a wan that provides access to a several thousand site network. The 2 ip segments of the lan are physically on 2 seperate switch sets that are bridged y fiber to make it one lan to the wan (and 1 lan in that there's no real routing between the subnets). One of the ip segments has only machines that are mission critical to our business, essentially a "production" system that delivers the product. The other is for office users.

    I would like to chop the fiber link between the switches, and replace it with a 10bT/100bTx line going from production lan switch->firewall appliance->office switch, essentially segmenting that network from random browsing (or worm replication) by office lan users and wan users. I know I would need to configure a poopload of exceptions and port forwarding for reasons I can't visualize right now, but can anyone tell me why this might be a bad idea?

    Basically, what are potential drawbacks to dropping a firewall between these two network segments?

    I wanna get some ideas excercised before I start acting like I know what I'm talking about to peeps at work...
  2. tecton

    tecton 1/2 ton status

    Dec 1, 2002
    Likes Received:
    im not a professional, as in ive never been paid
    but ive taken 2 years worth of networking and in my opinion if i understand you correctly... /forums/images/graemlins/confused.gif

    you have the two sub networks able to ineract with each other freely, and you want to put a firewall inbetween them to keep anything bad on the user network, from getting to the buisness end?

    if that is the case, i dont know why you wouldnt want to put a firewall up. Seems like a prudent course of action.
  3. arq

    arq 1/2 ton status

    Jan 17, 2001
    Likes Received:
    Imperial Valley/Maricopa
    firewalls are really not that complicated unless you make them. the biggest obsticle will be the people above you who want access to "everthing" at every second of the day. they'll yell and squeal cause you're taking away their "fredom" to wander the network and spread viruses freely making your work life endless. for us it's been like that. they want us to protect the network but are not willing to give up anything. i just don't understand /forums/images/graemlins/dunno.gif

    I am not sure if your lans to interact using any ports. I would bring up ports that are required. you really only need 80 to surf, 25/110 for pop email, 445/995 for ssl, ~137-139 for netbui. there's tons of rules you can set depending on the brand of firewall. use some kind of sniffer to see what ports are getting most of the traffic and why then go through the port document and block of the ones you don't need between the networks.

    cisco has some good documentation on implementing firewall schemes. but you(or your boss) will have the final say.

  4. Goober

    Goober 1/2 ton status

    Apr 26, 2002
    Likes Received:
    Mayberry (Auburn, WA)
    It sounds like you have a DMZ (production) and an Intranet (LAN users).

    Segementing your internal users should have been a priority from day 1 and it seems like you agree.

    Separating subnets has NO EFFECT on worm replication and such. If it's on the same IP fabric then you are exposed.

    Aside from that, the most serious attacks statistically come from internal "trusted" users so firewalling them off is always a good idea.

    Now you just need the $$$$$ /forums/images/graemlins/whistling.gif /forums/images/graemlins/whistling.gif /forums/images/graemlins/whistling.gif /forums/images/graemlins/whistling.gif
  5. Sandman

    Sandman 3/4 ton status Author

    Apr 15, 2002
    Likes Received:
    Pocatello, ID
    What kind of boxes do you have on the production side? Here we assign subnets for the different parts of production and other subnets for different physical areas of the plant for all other systems. We even go so far as to break Windows and Sun boxes to different subnets. Our production sides could have anything from Windows, to Unix, Linux, etc to even a Vax cluster that we have. We have smart routers for two or so subnets with a fiber backbone to a central router.

    To keep security up, we have specific share drives for different departements and control who has access to what through Domain permissions. If its a supervisors box that has shared the "C" drive to the network, we shut them down. Everybody has a network drive with a folder that is shared to the public for file sharing. Now and then we do audits to see what idiot has opened the computer and we close it down.

    In your case, the problems that I would see are reports that are run using data that is gathered on production computers. We have an IS subnet here and our servers run the reports. We allow the IS subnet to access what it needs.

    Maybe you could find out who runs what reports, Move that task to a dedicated box, put it on a new subnet, and allow the router access to anything coming from that subnet.

    That would allow you to set a real easy rule in the router and centralize the reports with a data backup setup.

    I'm sure that you will have exceptions like we do, We just hard IP the box in question and allow the IP access through the router. Most of our boxes went dynamic this last year as wireless laptops became popular.
  6. Pookster

    Pookster 1/2 ton status

    Nov 21, 2000
    Likes Received:
    NYC, NY, USA
    If I understand this scinaro correctly, while they are on seperate nets, are they on seperate routers and gateways? . It doesnt matter if its briged by fiber or not, if there is a link, and no other firewall/ BGP stuff, then the traffic can pass freely between the two.

    You can secure your production network from your Mission critical stuff (MC's) without necesarily putting up another firewall- You can use your exisitng firewall, in a number of ways-

    Easiest way, is another physical port on your FW. depending on which FW you use, you can seperate the networks as such, only your internally natted PN's can reach the MC's on certain ports, etc. (this is of course, only as secure as the PN machines are-

    It also depends on what level of access you need to give to each user- we've done implmentations of using VPN to get to the otherside. We acutally do not allow wireless network users access to the network- we make them authenticate via VPN and then tunnel all the data through that- its much safer than just WEP. In additional to that, it made business visitors have easy access- no WEP codes to give out, just give them a temporary login that expires.

    Anyways, back to your network- method 2, would be VPN over to the other side of the network- this of coruse, your users may object to this extra level of security

    Method 3: You could esentially lock out most of the MC network by giving them their own protocol- we've done this on several occassions by keeping the SQL server running IPX and connecting that to the application server-. It makes hacking siginficantly more difficult, only to the level of, any machine within the system that has a IP/IPX bridge can become a point of attack.

    the only thing you can do, is block off all unnecesary inbound/outbound ports- . You should have no need for any inbound ports to any production machines. have your firewall direct all inbound traffic (on specified ports) to fixed locations. Be consistant, no desktop can receive inbound data, other than on say, 80, or whatever else someone needs to use.

Share This Page