Date: Wed, 22 Jan 2003 10:24:45 -0500
From: Bill Moran <wmoran@potentialtech.com>
To: Martyn Hill <m.hill@stjamessengirls.org.uk>
Cc: FreeBSD-questions <freebsd-questions@freebsd.org>
Subject: Re: Subnetting or Bridging to secure different departments on our School LAN?
Message-ID: <3E2EB7BD.9080502@potentialtech.com>
References: <000701c2c222$e7439dc0$6f00000a@SJMOBILE11>
Martyn Hill wrote:
> Dear all
>
> I'd be very grateful for any insights you could share...
>
> Our school network continues to grow. Different departments within the
> school wish to piggy-back their Windows machines on to our broadband
> internet connection, via our 100Mbps wired LAN within the building. Before I
> can allow any more machines on, I need to put a measure of security in
> place - principally between the school Admin and Curriculum 'networks' and
> also between the other 3 departments who share the site with us. I was
> thinking along the lines of subnetting our existing network and applying a
> firewall between each sub-net.
>
> Currently, our setup comprises two FreeBSD (4.5RELENG) boxes - one acting
> as a gateway/firewall between our private network (10.x.x.x/8) and the ADSL
> router, the other as a fileserver/web proxy/redirector and email server to
> our 40 or so Windows clients. DHCP and DNS are provided by the gateway.
>
> The gateway currently runs with two NICs - one to a switch, the other to the
> ADSL router. All other machines, including the fileserver, hang off the
> switch. The ADSL router has another 3 10Mbps ports available for direct
> connection.
>
> The Admin and Curriculum users need to share the fileserver (for now, at
> least.) The other new users simply need the broadband connectivity (with or
> without the web-proxy facility that currently sits on the fileserver.)
>
> Questions:
> Do I consider placing more NICs into the gateway in order to create (along
> with a few switches) the new sub-nets, placing a firewall (ipfw) between
> each interface?

Definitely consider it as one possible method. Another way is to use two
NICs and the NIC on the internal side will have multiple IP addys. I've
done this with success.

> Is it even possible to run >1 ipfw on the same box?

You don't really run more than 1 IPFW, you just add rules that apply to the
additional interfaces (the rule list can get long and obnoxious, but I guess
that's just life).

> Do I build a couple of cheap boxes (like the P90 I'm using for the current
> gateway) with FreeBSD and set them up for bridging along with ipfw?

That's another approach that would work.

> Do I buy a few hardware routers with firewall facility and build my sub-nets
> that way?

That would work too.

> Do I use ifconfig to alias the one internal NIC in the present gateway to
> create virtual sub-nets?

That would be the method I would suggest, however without more details of
your network it's kind of hard to be sure it's the best method.

What you could do is:

        ADSL router
             |
        FreeBSD BOX
             |
           switch
          /  |  \
         /   |   \
        /    |    \
     hub1  hub2  hub3
      /      |      \
  subnet1 subnet2 subnet3

The switch will keep traffic from subnet1 off subnet2 & subnet3 (and vice
versa). The FreeBSD box has 2 NICs, one to the ADSL, the other to the switch.
The NIC to the switch has an IP for each subnet and IPFW rules for each IP.
If the IPFW rules are identical for each subnet, you'll be able to
consolidate them a good bit.

> Is a firewall really what I need to restrict particular traffic (like SMB
> browsing) across the sub-nets?

Well, the switch will take care of most of that for you. But a firewall will
give you more control over what does and does not pass.

> Or, am I barking up the wrong tree (spanning, or otherwise...)?

No, sounds like you're asking the right questions and considering the right
options. Which one is really best depends a lot on details that you haven't
yet provided. Like, what traffic _exactly_ do you want to prevent from
crossing subnets? SMB browse announcements won't cross subnets, for example
(they'll get stopped at the switch) but cross-network browsing is still
possible by IP address (or if you use WINS).

What this means (from a Windows perspective) is that Windows machines on
subnet1 won't see Windows machines on subnet2 in their network neighborhood,
but they will be able to access them if the user knows the IP address of the
machine he wants to connect to. So it depends on whether you want to offer
_real_ security or just obscurity. (This is dependent on using the method I
diagrammed above; other methods offer different levels of security/obscurity.)

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
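A rule script for the aliased-NIC design Bill sketches, added here as an example; it is not part of the original thread or of any FreeBSD sample configuration, and the subnets, interface names, rule numbers and fileserver address are assumptions. It enforces the "real security" half of his point: SMB reaching another subnet through the gateway's alias addresses is refused there, while Admin and Curriculum keep access to the shared fileserver and the rules common to all three subnets are written once.

```shell
#!/bin/sh
# Constructed layout for this example (adjust to the real network):
#   fxp0 -> ADSL router (outside); fxp1 -> switch carrying the aliased subnets
#   10.1.0.0/24 Admin, 10.2.0.0/24 Curriculum, 10.3.0.0/24 other departments
#   gateway holds 10.1.0.1, 10.2.0.1, 10.3.0.1 as aliases on fxp1
#   fileserver 10.1.0.10, shared by Admin and Curriculum only
# FWCMD defaults to "echo" (dry run); set FWCMD=/sbin/ipfw to load for real.
fwcmd="${FWCMD:-echo}"
oif="fxp0"
iif="fxp1"
subnets="10.1.0.0/24 10.2.0.0/24 10.3.0.0/24"
sharing="10.1.0.0/24 10.2.0.0/24"
fileserver="10.1.0.10"

# One "ipfw add" per call; related rules share a rule number.
rule() { $fwcmd add "$@"; }

build_rules() {
    $fwcmd -f flush
    rule 100 allow ip from any to any via lo0
    # Packets of connections already set up pass in both directions.
    rule 200 allow tcp from any to any established
    # Only Admin and Curriculum may open SMB/NetBIOS sessions to the fileserver.
    for net in $sharing; do
        rule 300 allow tcp from $net to $fileserver 139,445 setup
        rule 300 allow udp from $net to $fileserver 137,138
    done
    # Anything else routed between internal subnets is refused at the gateway
    # ("log" needs IPFIREWALL_VERBOSE in the kernel; drop the word otherwise).
    for src in $subnets; do
        for dst in $subnets; do
            [ "$src" = "$dst" ] || rule 400 deny log ip from $src to $dst
        done
    done
    # Identical for every subnet, so written once: gateway services (DNS, DHCP,
    # proxy) and the way out. The outside-facing allow is only a placeholder
    # for the gateway's existing rules on fxp0.
    rule 500 allow ip from any to any via $iif
    rule 500 allow ip from any to any via $oif
    rule 65000 deny log ip from any to any
}

build_rules
```

By default the script only prints the ipfw commands so the rule list can be reviewed before loading. Because all three subnets still share one broadcast domain behind the switch, a host that simply configures itself with another subnet's address never touches the gateway, so these rules cover the routed path only.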