Date:      Thu, 23 Jan 2003 19:57:34 -0800
From:      "Michael K. Smith" <mksmith@noanet.net>
To:        "Martyn Hill" <m.hill@stjamessengirls.org.uk>
Cc:        "FreeBSD-questions" <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Subnetting or Bridging to secure different departments on our School LAN?
Message-ID:  <F88463D6-2F4F-11D7-89D9-003065CA9420@noanet.net>
In-Reply-To: <000701c2c222$e7439dc0$6f00000a@SJMOBILE11>


On Wednesday, January 22, 2003, at 06:31 AM, Martyn Hill wrote:

> Dear all
>
> I'd be very grateful for any insights you could share...
>
> Our school network continues to grow. Different departments within the
> school wish to piggy-back their Windows machines on to our broadband
> internet connection, via our 100Mbps wired LAN within the building.
> Before I can allow any more machines on, I need to put a measure of
> security in place - principally between the school Admin and Curriculum
> 'networks' and also between the other 3 departments who share the site
> with us. I was thinking along the lines of subnetting our existing
> network and applying a firewall between each sub-net.
>
> Currently, our setup comprises two FreeBSD (4.5RELENG) boxes - one
> acting as a gateway/firewall between our private network (10.x.x.x/8)
> and the ADSL router, the other as a fileserver/web proxy/redirector and
> email server to our 40 or so Windows clients. DHCP and DNS are provided
> by the gateway.
>
> The gateway currently runs with two NICs - one to a switch, the other
> to the ADSL router. All other machines, including the fileserver, hang
> off the switch. The ADSL router has another 3 10Mbps ports available
> for direct connection.
>
> The Admin and Curriculum users need to share the fileserver (for now,
> at least.) The other new users simply need the broadband connectivity
> (with or without the web-proxy facility that currently sits on the
> fileserver.)
>
> Questions:
> Do I consider placing more NICs into the gateway in order to create
> (along with a few switches) the new sub-nets, placing a firewall (ipfw)
> between each interface?
> Is it even possible to run >1 ipfw on the same box?
> Do I build a couple of cheap boxes (like the P90 I'm using for the
> current gateway) with FreeBSD and set them up for bridging along with
> ipfw?
> Do I buy a few hardware routers with firewall facility and build my
> sub-nets that way?
> Do I use ifconfig to alias the one internal NIC in the present gateway
> to create virtual sub-nets?
> Is a firewall really what I need to restrict particular traffic (like
> SMB browsing) across the sub-nets?
>
> Or, am I barking up the wrong tree (spanning, or otherwise...)?
>
> Thanks in advance.
> Martyn Hill
> ICT Teacher and IT Coordinator
> St James Independent School
> London
>

Hello Martyn:

As I understand it, you are attempting to limit traffic between various
groups of users behind your firewall.  In order to do this, I would
recommend a mix of your solutions.

1) VLAN segmentation - use 802.1Q VLANs to isolate the broadcast
domains of your pass-through Internet users and your back-office
servers and users.
2) IP Segmentation - this will be necessary if users are on different
VLANs because each VLAN is its own broadcast domain.
3) Firewall rulesets - now that you have separate routed segments, you
can apply further filters at Layer 3 between your Internet and Internal
users.

In order to accomplish this, you will need an 802.1Q capable NIC on
your firewall as well as 802.1Q capable switches at any point where
both types of users will be on the same Ethernet device.  Your network
would look something like this:

Inet -> ADSL ->
FreeBSD BOX (802.1Q NIC) ->
Trunk with VLANs 100 and 200 to ->
Switch -> VLAN 100 -> Internal Users and VLAN 200 -> Internet Users

Mike

--------------------------------------------------------------------------
Michael K. Smith        NoaNet
206.219.7116 (work)     206.579.8360 (cell)
mksmith@noanet.net      http://www.noanet.net
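Mike's sketch in concrete form, as an added example that is not from the thread: a small sh script that emits the FreeBSD 4.x rc.conf lines for the two vlan(4) interfaces and the ipfw ruleset that keeps the pass-through VLAN off the internal one. The interface names (fxp0 as the 802.1Q trunk, fxp1 towards the ADSL router), the 10.1.0.0/16 and 10.2.0.0/16 addressing and the rule numbers are assumptions, not anything Martyn or Mike stated.

```shell
#!/bin/sh
# Added example, not from the thread: emit the FreeBSD 4.x rc.conf lines and
# ipfw ruleset for Mike's two-VLAN layout. Assumed names (not in the thread):
# fxp0 is the 802.1Q trunk NIC, fxp1 faces the ADSL router, VLAN 100 is the
# internal segment 10.1.0.0/16 and VLAN 200 the pass-through 10.2.0.0/16.
TRUNK=fxp0; ADSL_IF=fxp1
INT_VLAN=100; INT_NET=10.1.0.0/16; INT_GW=10.1.0.1
EXT_VLAN=200; EXT_NET=10.2.0.0/16; EXT_GW=10.2.0.1

# rc.conf: one vlan(4) child interface per VLAN, both riding the trunk NIC.
# The vlan0/vlan1 devices must exist (kernel "pseudo-device vlan 2" on 4.x).
vlan_rc_conf() {
    cat <<EOF
network_interfaces="lo0 $ADSL_IF $TRUNK vlan0 vlan1"
ifconfig_${TRUNK}="up"
ifconfig_vlan0="inet $INT_GW netmask 255.255.0.0 vlan $INT_VLAN vlandev $TRUNK"
ifconfig_vlan1="inet $EXT_GW netmask 255.255.0.0 vlan $EXT_VLAN vlandev $TRUNK"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
EOF
}

# ipfw ruleset (loaded via firewall_type): both VLANs reach the Internet,
# nothing crosses between them, and SMB/NetBIOS attempts are logged on their
# own so they stand out. natd divert rules, if NAT runs on this box rather
# than on the ADSL router, are deliberately omitted here.
ipfw_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 deny log tcp from $EXT_NET to $INT_NET 137-139,445
add 310 deny log udp from $EXT_NET to $INT_NET 137-139
add 400 deny log ip from $EXT_NET to $INT_NET
add 410 deny log ip from $INT_NET to $EXT_NET
add 500 allow ip from $INT_NET to any in via vlan0
add 510 allow ip from $EXT_NET to any in via vlan1
add 520 allow ip from any to any out via $ADSL_IF keep-state
add 65000 deny log ip from any to any
EOF
}

# Number of filter rules, a quick sanity check after editing the set.
ipfw_rule_count() { ipfw_rules | grep -c '^add '; }

vlan_rc_conf
ipfw_rules
```

Rules 400 and 410 already block everything between the VLANs; 300 and 310 sit in front of them only so that SMB browsing attempts get their own log line.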

