Firewall Wizards: RE: Maximum number of subnets on a firewall

RE: Maximum number of subnets on a firewall

From: Bill James <bubbagates_at_comcast.net>
Date: Sat, 31 Jan 2004 22:07:27 -0500


-----Original Message-----
From: firewall-wizards-admin_at_honor.icsalabs.com
[mailto:firewall-wizards-admin_at_honor.icsalabs.com] On Behalf Of Paolo
Supino
Sent: Wednesday, January 28, 2004 2:32 PM
To: 'firewall-wizards_at_honor.icsalabs.com'
Subject: [fw-wiz] Maximum number of subnets on a firewall

Hi

  The following story and question aren't product specific so please
don't try to attach it to any available product: I was asked to plan a
network for a group of 3 companies (all located in the same building and
wanting to use the same infrastructure). From gathering the requirements of
each of the companies I've concluded that all of them together will need
10 subnets (including the subnet that is connected to the internet).
Since the biggest number of subnets per firewall that I ever installed
was 6, setting up 10 subnets on 1 firewall seems too much to me,
so I'm looking for a way to have the 10 networks on 2 (or 3) different
firewalls. If you have any suggestions on a possible layout I'd be very
happy to read them.

        Paolo
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Paolo,

   I would do 3 separate firewalls, one for each company with 2
interfaces in each or 3 if you need a DMZ. One interface can then become
the internal network and be broken down into sub-interfaces (Unix based
iptables) to allow the multiple subnets you need. The other interface
would then be considered the outside interface. You could also add a
physical interface for each internal subnet if you really want to. If
you have not done so already and if it's possible, you can combine the
subnet for each individual company to help reduce the administrative
overhead (i.e. 10.1.x.x, 10.2.x.x, and 10.3.x.x could be combined with
the mask of /14 or 255.252.0.0 instead of using the customary /16 or
255.255.0.0 mask).

                     /<--> Firewall C1 <--> C1 Internal Net
Internet <--> Router |<--> Firewall C2 <--> C2 Internal Net
                     \<--> Firewall C3 <--> C3 Internal Net

With 3 different firewalls you do not risk downing all 3 companies at
the same time should one firewall crash for some reason.

You can also get 2 PIX with multiple interfaces and run them in failover.

Hope this helps

Bill


Received on Feb 01 2004
