Re: help w/ network design
On Jul 26, 5:40 am, Ender <ender.wiggin.and...@gmail.com> wrote:
> I'm trying to design a really secure network which has both wireless
> and ethernet and I was wondering if there is a common standard type
> of network setup I should use.
> I was thinking about something like this ...
> Internet --> Firewall/Router(1) --> Access Point --> Firewall/Router(2)
> --> Computers
> The questions I'm wondering about are ...
> 1) Is it common to put 2 firewalls in a network? I did that to put
> things like the access point and maybe some web servers in between,
> kinda like *I think* a DMZ sort of setup
> 2) Is this correct to place the Access Point between these two
> firewalls? My thinking here is that since I want all the data on my
> ethernet to be secure, then the access point should not be on the
> inside and users should come through the same front door as anyone else
> (along w/ the normal authentication and authorization on the wifi).
Firewall2 would only protect between the two segments of wireless and
ethernet; you still have the problem between each ethernet user or
each wireless user, so basically firewall2 is not much protection at
all. I would remove firewall2 and just have a switch in its place.
Between each user (on ethernet or wireless), they should each have
their own firewall (either in software or hardware). If each user is,
e.g., a user in a LAN in an office, then just configure a software firewall
on each computer. If each user is to be totally untrusted (i.e. they
are clients and you have no control over what they are doing), then
each user should have a router (that you have control over), or you can
use a managed switch in place of firewall2 that restricts access
between users; the access point should in this case be of a type that
can also do this restriction.
Re: help w/ network design
On Wed, 25 Jul 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <2007072522402775249-enderwigginandrew@gmailcom>, Ender wrote:
>I'm trying to design a really secure network
"The best firewall is two inches of air."
>which has both wireless and ethernet and I was wondering if there is
>a common standard type of network setup I should use.
Not really - it depends on what services you want to offer to who, and
what risks you are guarding against. For a "home" or small business
type of setup, see the Home-Network-mini-HOWTO and the
Networking-Overview-HOWTO from the LDP. For more details, see the Linux
Network Administrator's Guide (nag2). Depending on your distribution,
these may be installed in /usr/share/doc or similar.
>I was thinking about something like this ...
>Internet --> Firewall/Router(1) --> Access Point --> Firewall/Router(2)
That's one possible layout
>The questions I'm wondering about are ...
>1) Is it common to put 2 firewalls in a network?
There's a firewall at the corporate perimeter - another at the division
perimeter - still another at the facility perimeter, and a final one
at the department level. That's four. My wife works at a different
company, and they have only a perimeter firewall with all of their
"public" servers (web, mail, DNS, etc. for use/access from the world,
AS OPPOSED TO web, mail, DNS, etc. servers meant for internal use only)
hosted by an off-site provider. Pay your money - take your pick.
>I did that to put things like the access point and maybe some web
>servers in between, kinda like *I think* a DMZ sort of setup
I suspect you'll see more DMZs set as a separate stub off the first
firewall such as
Internet <--> Firewall <--> internal network
The firewall rules are set such that systems _in_ the DMZ can not
initiate connections to the internal net, and only certain hosts
inside can connect to the DMZ hosts for other than very limited
services. There can also be _additional_ firewalls on the internal
network - that depends on what's in there, and what you see as your
>2) Is this correct to place the Access Point between these two
That depends on your threat model - what are you trying to protect,
from whom? Only you can answer that question.
>My thinking here is that since I want all the data on my ethernet to
>then the access point should not be on the inside
Are you worried about packet sniffers? Most modern networks are
switched, and your bad guy would have to be able to subvert the switch
in order to hear anything except broadcast traffic.
>and users should come through the same front door as anyone else
>(along w/ the normal authentication and authorization on the wifi).
Depends on the threat model. The networks I'm most familiar with
have remote access for employees on a separate DMZ from the one
containing public servers.
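The DMZ-as-a-stub rules described in the reply above ("systems _in_ the DMZ can not initiate connections to the internal net, and only certain hosts inside can connect to the DMZ hosts for other than very limited services"), written out as an added nftables ruleset for a three-legged Linux firewall; this is not from the thread. Interface names, the 192.0.2.0/24 DMZ (assumed routable, so no DNAT), the 10.0.0.0/24 LAN, the web server 192.0.2.10 and the admin host 10.0.0.5 are all constructed assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example: eth0 = Internet, eth1 = DMZ, eth2 = internal LAN.
flush ruleset

table inet fw {
    set admin_hosts {
        type ipv4_addr
        elements = { 10.0.0.5 }        # assumed admin workstation
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Manage the firewall itself only from the LAN side.
        iifname "eth2" ip saddr @admin_hosts tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept   # replies to allowed flows
        ct state invalid drop

        # Internet -> DMZ: only the published services.
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept

        # DMZ -> internal: nothing may be initiated from the DMZ. The policy
        # already drops it; logging makes a compromised DMZ host visible.
        iifname "eth1" oifname "eth2" log prefix "dmz-to-lan: " drop

        # Internal -> DMZ: the "very limited services" are open to all inside
        # hosts; anything more (here SSH) only from the admin set.
        iifname "eth2" oifname "eth1" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept
        iifname "eth2" oifname "eth1" ip saddr @admin_hosts tcp dport 22 accept

        # Internal -> Internet: outbound allowed, masqueraded below.
        iifname "eth2" oifname "eth0" accept

        # DMZ -> Internet: only what the web server itself needs (DNS, updates).
        iifname "eth1" oifname "eth0" ip saddr 192.0.2.10 udp dport 53 accept
        iifname "eth1" oifname "eth0" ip saddr 192.0.2.10 tcp dport { 80, 443 } accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" ip saddr 10.0.0.0/24 masquerade
    }
}
```

Load with `nft -f <file>` and check with `nft list ruleset`; the `dmz-to-lan:` log prefix is the line to watch in the kernel log.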