Firewall Wizards mailing list archives

Re: Maximum number of subnets on a firewall


From: Holger Kipp <Holger.Kipp () alogis com>
Date: Sun, 1 Feb 2004 00:21:09 +0100

On Wed, Jan 28, 2004 at 09:31:51PM +0200, Paolo Supino wrote:
> The following story and question aren't product specific so please don't
> try to attach it to any available product: I was asked to plan a network for
> a group of 3 companies (all located in the same building and want to use the
> same infrastructure). From gathering the requirements of each of the
> companies I've concluded that all of them together will need 10 subnets
> (including the subnet that is connected to the internet). Since the biggest
> number of subnets per firewall that I ever installed was 6, setting up 10
> subnets on 1 firewall (to me) seems too much for me so I'm looking for a way
> to have the 10 networks on 2 (or 3) different firewalls. If you have any
> suggestions on a possible layout I'd be very happy to read it.

16 or more subnets on a firewall should be no problem (e.g. using quad-NICs on
PC-based hardware). Proper planning (e.g. what services should be available on
every subnet) is needed anyway.

It might even be easier to configure everything on one firewall.

Apart from that, a separate firewall per company - or even several
firewalls, possibly from different vendors - might provide for more
security and/or flexibility.

E.g. if one firewall fails, it won't affect the other companies.

For the usual setup with a DMZ you should use two physically separated
firewalls: Internet - FW1 - DMZ - FW2 - Intranet

In the easiest case you might want to use something like this:


Internet -- Router --+--- FW1 ----- Intranet 1
                     |     |
                     |     +------- DMZ1
                     |
                     +--- FW2 ----- Intranet 2
                     |     |
                     |     +------- DMZ2
                     |
                     +--- FW3 ----- Intranet 3
                           |
                           +------- DMZ3


Unfortunately you don't write what the actual infrastructure looks
like and what the companies' requirements are.


Regards,
Holger Kipp
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
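The reply above makes two design points that are easy to lose once the rule base grows: each company's intranet should stay unreachable from the others even though all three firewalls share the router side, and a DMZ host should not be able to initiate connections into its own intranet. As an added example (not part of the thread and not configuration from any product), the following Python script models the three-firewall diagram as zones joined by firewalls, encodes a default-deny per-firewall policy, and searches for multi-hop paths that a single harmless-looking rule can open. All zone names, service names and rules are assumptions chosen for the illustration.

```python
"""Zone-policy model for the three-firewall layout in the reply above.

Constructed example: zone names, services and rules are assumptions,
not configuration from any real product or from the thread.
"""
from collections import deque

# Which zones each firewall has an interface in (from the diagram: every
# FWn sits between the shared router/internet side, its company's intranet
# and its company's DMZ). Tuples keep iteration order deterministic.
FIREWALLS = {
    "FW1": ("internet", "intranet1", "dmz1"),
    "FW2": ("internet", "intranet2", "dmz2"),
    "FW3": ("internet", "intranet3", "dmz3"),
}
COMPANIES = {1: ("intranet1", "dmz1"), 2: ("intranet2", "dmz2"), 3: ("intranet3", "dmz3")}
SERVICES = ("http", "https", "smtp", "ssh")


def base_policy():
    """Default-deny policy: (firewall, src_zone, dst_zone) -> allowed services.
    Anything not listed is dropped. Same shape for each company."""
    pol = {}
    for n, (intra, dmz) in COMPANIES.items():
        fw = f"FW{n}"
        pol[(fw, intra, "internet")] = {"http", "https", "ssh"}  # users/admins outbound
        pol[(fw, intra, dmz)] = {"https", "smtp", "ssh"}          # use and manage DMZ hosts
        pol[(fw, "internet", dmz)] = {"https", "smtp"}            # published services only
        pol[(fw, dmz, "internet")] = {"smtp"}                     # outbound mail relay
    return pol


def reachable(src, dst, service, policy, failed=frozenset()):
    """Breadth-first search over zones, one firewall hop at a time.
    Returns the path as [zone, fw, zone, ...] or None. Firewalls in
    `failed` are treated as down, i.e. they forward nothing."""
    queue = deque([(src, [src])])
    seen = {src}
    while queue:
        zone, path = queue.popleft()
        if zone == dst:
            return path
        for fw, zones in FIREWALLS.items():
            if fw in failed or zone not in zones:
                continue
            for nxt in zones:
                if nxt not in seen and service in policy.get((fw, zone, nxt), ()):
                    seen.add(nxt)
                    queue.append((nxt, path + [fw, nxt]))
    return None


def audit(policy, failed=frozenset()):
    """Check the isolation properties the layout is meant to provide."""
    findings = []
    # 1. No company intranet may reach another company's intranet.
    for a, (intra_a, _) in COMPANIES.items():
        for b, (intra_b, _) in COMPANIES.items():
            if a == b:
                continue
            for svc in SERVICES:
                path = reachable(intra_a, intra_b, svc, policy, failed)
                if path:
                    findings.append(f"{intra_a} reaches {intra_b} over {svc}: {' -> '.join(path)}")
    # 2. A DMZ host must not be able to initiate into its own intranet.
    for _, (intra, dmz) in COMPANIES.items():
        for svc in SERVICES:
            path = reachable(dmz, intra, svc, policy, failed)
            if path:
                findings.append(f"{dmz} can initiate {svc} into {intra}: {' -> '.join(path)}")
    return findings


def survives_failure(policy, failed_fw):
    """Companies whose intranet still reaches the internet (https) with
    `failed_fw` down: the 'if one firewall fails' point from the reply."""
    return [n for n, (intra, _) in COMPANIES.items()
            if reachable(intra, "internet", "https", policy, {failed_fw})]


POLICY = base_policy()
# One tempting rule on FW2 ("let admins SSH to intranet2 from anywhere")
# combines with the normal outbound SSH rules on FW1/FW3 into a path
# between companies, which the audit reports.
POLICY_WITH_MISTAKE = dict(POLICY)
POLICY_WITH_MISTAKE[("FW2", "internet", "intranet2")] = {"ssh"}

if __name__ == "__main__":
    print("baseline findings:", audit(POLICY))
    for finding in audit(POLICY_WITH_MISTAKE):
        print("finding:", finding)
    print("companies online with FW1 down:", survives_failure(POLICY, "FW1"))
```

The search is deliberately multi-hop: a rule that is fine on its own firewall is judged against the rules on the other two, because the shared router side turns "allow from internet" into "allow from the other companies" as well. Running the script with the baseline policy reports nothing, with the extra FW2 rule it reports the two inter-company SSH paths, and with FW1 marked as failed it shows companies 2 and 3 unaffected.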
