help w/ network design - Networking



Thread: help w/ network design

  1. help w/ network design

    Hi,

    I'm trying to design a really secure network which has both wireless
    and ethernet and I was wondering if there is a common standard type
    of network setup I should use.

    I was thinking about something like this ...

    Internet --> Firewall/Router(1) --> Access Point --> Firewall/Router(2)
    --> Computers

    The questions I'm wondering about are ...

    1) Is it common to put 2 firewalls in a network? I did that to put
    things like the access point and maybe some web servers in between,
    kinda like *I think* a DMZ sort of setup

    2) Is this correct to place the Access Point between these two
    firewalls? My thinking here is that since I want all the data on my
    ethernet to be secure, then the access point should not be on the
    inside and users should come through the same front door as anyone else
    (along w/ the normal authentication and authorization on the wifi).

    Thanks


  2. Re: help w/ network design

    On Jul 26, 5:40 am, Ender wrote:
    > Hi,
    >
    > I'm trying to design a really secure network which has both wireless
    > and ethernet and I was wondering if there is a common standard type
    > of network setup I should use.
    >
    > I was thinking about something like this ...
    >
    > Internet --> Firewall/Router(1) --> Access Point --> Firewall/Router(2)
    > --> Computers
    >
    > The questions I'm wondering about are ...
    >
    > 1) Is it common to put 2 firewalls in a network? I did that to put
    > things like the access point and maybe some web servers in between,
    > kinda like *I think* a DMZ sort of setup
    >
    > 2) Is this correct to place the Access Point between these two
    > firewalls? My thinking here is that since I want all the data on my
    > ethernet to be secure, then the access point should not be on the
    > inside and users should come through the same front door as anyone else
    > (along w/ the normal authentication and authorization on the wifi).
    >
    > Thanks


    Firewall2 would only protect between the two segments of wireless and
    ethernet; you still have the problem between each ethernet user or
    each wireless user, so basically firewall2 is not much protection at
    all. I would remove firewall2 and just have a switch in its place.
    Between each user (on ethernet or wireless), they should each have
    their own firewall (either in software or hardware). If each user is,
    e.g., a user in a LAN in an office, then just configure a software firewall
    on each computer. If each user is to be totally untrusted (i.e. they
    are clients and you have no control over what they are doing) then
    each user should have a router (that you have control over) or you can
    use a managed switch in place of firewall2 that restricts access
    between users; the access point should in this case be of a type that
    can also do this restriction.

    Cheers,
    Tobias


  3. Re: help w/ network design

    On Wed, 25 Jul 2007, in the Usenet newsgroup comp.os.linux.networking, in
    article <2007072522402775249-enderwigginandrew@gmailcom>, Ender wrote:

    >I'm trying to design a really secure network


    "The best firewall is two inches of air."

    >which has both wireless and ethernet and I was wondering if there is
    >a common standard type of network setup I should use.


    Not really - it depends on what services you want to offer to who, and
    what risks you are guarding against. For a "home" or small business
    type of setup, see the Home-Network-mini-HOWTO and the
    Networking-Overview-HOWTO from the LDP. For more details, see the Linux
    Network Administrator's Guide (nag2). Depending on your distribution,
    these may be installed in /usr/share/doc or similar.

    >I was thinking about something like this ...
    >
    >Internet --> Firewall/Router(1) --> Access Point --> Firewall/Router(2)
    >--> Computers


    That's one possible layout

    >The questions I'm wondering about are ...
    >
    >1) Is it common to put 2 firewalls in a network?


    There's a firewall at the corporate perimeter - another at the division
    perimeter - still another at the facility perimeter, and a final one
    at the department level. That's four. My wife works at a different
    company, and they have only a perimeter firewall with all of their
    "public" servers (web, mail, DNS, etc. for use/access from the world,
    AS OPPOSED TO web, mail, DNS, etc. servers meant for internal use only)
    hosted by an off-site provider. Pay your money - take your pick.

    >I did that to put things like the access point and maybe some web
    >servers in between, kinda like *I think* a DMZ sort of setup


    I suspect you'll see more DMZs set as a separate stub off the first
    firewall such as

    Internet <--> Firewall <--> internal network
                     ^
                     |
                     v
                    DMZ

    The firewall rules are set such that systems _in_ the DMZ can not
    initiate connections to the internal net, and only certain hosts
    inside can connect to the DMZ hosts for other than very limited
    services. There can also be _additional_ firewalls on the internal
    network - that depends on what's in there, and what you see as your
    threat model.

    >2) Is this correct to place the Access Point between these two
    >firewalls?


    That depends on your threat model - what are you trying to protect,
    from who? Only you can answer that question.

    >My thinking here is that since I want all the data on my ethernet to
    >be secure,


    From who?

    >then the access point should not be on the inside


    Are you worried about packet sniffers? Most modern networks are
    switched, and your bad guy would have to be able to subvert the switch
    in order to hear anything except broadcast traffic.

    >and users should come through the same front door as anyone else
    >(along w/ the normal authentication and authorization on the wifi).


    Depends on the threat model. The networks I'm most familiar with
    have remote access for employees on a separate DMZ from the one
    containing public servers.

    Old guy
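    The two pieces of advice in this thread, Tobias's point that hosts on the same
    segment need isolation from each other (a per-host firewall or a managed switch
    and access point that restrict client-to-client traffic) and Old guy's stub-DMZ
    rule set (DMZ hosts may not initiate connections inward, only a few inside hosts
    may manage the DMZ), can be written down as a zone policy and checked before
    anything is typed into a real firewall. The following is an added example, not
    code from any poster in the thread. It models only new connections (replies are
    assumed to be handled by a stateful filter) and uses a constructed address plan:
    10.0.10.0/24 for the wired internal LAN, 10.0.20.0/24 for the DMZ, 10.0.30.0/24
    for the wireless clients, 10.0.10.5 as the one admin host allowed to SSH into the
    DMZ. Intra-segment traffic never crosses the firewall; the `ISOLATED_ZONES` flag
    stands in for switch/AP client isolation on the wireless segment.

```python
"""Zone-based firewall policy evaluator (constructed teaching example).

Models the stub-DMZ layout from the thread:

    Internet <--> Firewall <--> internal network
                     ^
                     |
                     v
                    DMZ

plus a wireless client segment behind the same firewall.  Rules are matched
first-match-wins on *new* connections only; anything unmatched is dropped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan (assumption, not from the thread).
ZONES = {
    "internal": ip_network("10.0.10.0/24"),
    "dmz": ip_network("10.0.20.0/24"),
    "wifi": ip_network("10.0.30.0/24"),
}

# Segments where the switch / access point enforces client isolation, so two
# hosts on the same segment cannot talk to each other (Tobias's managed-switch
# suggestion).  Wired office hosts are left unisolated here on purpose.
ISOLATED_ZONES = {"wifi"}

ADMIN_HOST = "10.0.10.5"  # constructed: the one inside host allowed to manage DMZ boxes


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the known nets is the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                              # "accept" or "drop"
    ports: Optional[frozenset] = None        # None = any destination port
    src_hosts: Optional[frozenset] = None    # None = any host in src_zone

    def matches(self, src: str, sz: str, dz: str, dport: int) -> bool:
        return (self.src_zone == sz and self.dst_zone == dz
                and (self.ports is None or dport in self.ports)
                and (self.src_hosts is None or src in self.src_hosts))


WEB = frozenset({80, 443})

POLICY = [
    # The world may reach the DMZ's public services and nothing else.
    Rule("internet", "dmz", "accept", ports=WEB),
    # Inside users (wired and wireless) browse out.
    Rule("internal", "internet", "accept"),
    Rule("wifi", "internet", "accept"),
    # Only the admin host may open SSH to DMZ hosts ("only certain hosts inside").
    Rule("internal", "dmz", "accept", ports=frozenset({22}), src_hosts=frozenset({ADMIN_HOST})),
    # Everyone inside may use the DMZ's public services like anyone else.
    Rule("internal", "dmz", "accept", ports=WEB),
    Rule("wifi", "dmz", "accept", ports=WEB),
    # DMZ hosts may never initiate connections toward the internal net.
    # Redundant with the default deny, but explicit so it can be logged.
    Rule("dmz", "internal", "drop"),
    # Wireless clients are treated as "front door" users: no wifi -> internal rule,
    # so that path falls through to the default deny.
]


def evaluate(src: str, dst: str, dport: int) -> str:
    """Return 'accept' or 'drop' for a new connection src -> dst:dport."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        # Same segment: the firewall never sees it; only switch/AP isolation can block it.
        return "drop" if sz in ISOLATED_ZONES else "accept"
    for rule in POLICY:
        if rule.matches(src, sz, dz, dport):
            return rule.action
    return "drop"  # default deny


def dmz_can_initiate_inward() -> bool:
    """Policy audit: true if any rule would ever accept a dmz -> internal flow."""
    return any(r.src_zone == "dmz" and r.dst_zone == "internal" and r.action == "accept"
               for r in POLICY)


if __name__ == "__main__":
    for flow in [("203.0.113.7", "10.0.20.10", 443), ("203.0.113.7", "10.0.20.10", 22),
                 ("10.0.20.10", "10.0.10.20", 445), ("10.0.10.5", "10.0.20.10", 22),
                 ("10.0.10.20", "10.0.20.10", 22), ("10.0.30.11", "10.0.30.12", 445)]:
        print(flow, "->", evaluate(*flow))
```

    Running the table of flows shows the properties the posters were after: the
    Internet reaches the DMZ on 80/443 only, a compromised DMZ host cannot open
    anything toward the internal LAN, an ordinary inside host cannot SSH into the
    DMZ while the admin host can, and two wireless clients cannot reach each other
    because that segment is flagged as isolated. The same table is the test plan to
    run against the real iptables/nftables rules once they are written.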
