ITKnowledge Exchange member "stephang" asked:
My setup is a standard router and firewall, with both a private network and a DMZ hanging off the firewall. The router and the firewall can both block packets and can both do NAT. I assume that offloading one of those devices puts more load on the other.
Where does it make sense to do which function? Are there any practical guidelines or best practices out there? For example, my DMZ contains a public Web server. Do I give it a private non-routable address and then NAT it to a public address at the firewall or at the router? On the other side, do I block all non-routable addresses at the router or at the firewall or both? What are the tradeoffs?
Assuming your router and your firewall both have more than two interfaces and you have enough IP addresses, I would configure the Internet access like this:
On the router I would set up some inbound and outbound access lists to block the traffic (for inbound, only allow ICMP Echo, and no IP packets with private addresses as their source).
On the firewall I would set up NAT and block all unnecessary traffic up to layer 7 (have a proxy function).
If you configure it like this, it will be easier to put an IDS between the router and firewall and the traffic analysis will be easier. This also allows you to put a host "on the Internet" behind the router, but in front of the firewall. At a later time you could also add a second firewall (or VPN Concentrator) to terminate your VPN.
Remember, security in layers! The following is the setup I used when I managed ISP/firewalls/Internet security.
The ISP router was set up to block all "private" IP addresses, the ones that shouldn't be out there anyway, but are because the hackers spoof them. There was no NAT on the ISP router, just ACLs. I also blocked ports at the ISP level that shouldn't be coming in from the Internet; I basically allowed HTTP, FTP, POP3, SMTP and so on.
My firewall ran Static NAT to the Web and/or mail server(s) in the DMZ, allowing only the specific ports to the specific machines that needed them and blocking everything else destined for the DMZ. From the DMZ to the internal network was the same thing: I blocked everything coming from the DMZ except the ports specifically needed and coming from the specific machine.
Finally, my firewall ran Dynamic NAT to the internal network. Everything was blocked except what was needed.
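As an added illustration that is not part of either reply above, here is the layered policy they describe modelled in Python: an edge (ISP router) ACL that drops packets with private source addresses and limits inbound ports, then static NAT with a per-host port list at the firewall, then a DMZ-to-internal filter. All addresses, hosts and ports are constructed samples, not values from the original discussion.

```python
# Model of the layered router/firewall policy from the replies above.
# Constructed sample addresses and ports; not a real configuration.
import ipaddress
from dataclasses import dataclass

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ROUTER_INBOUND_TCP = {80, 21, 110, 25}   # HTTP, FTP, POP3, SMTP (second reply)

# Firewall static NAT: public address -> (DMZ private address, allowed TCP ports)
STATIC_NAT = {
    "203.0.113.10": ("192.168.10.10", {80}),   # web server (constructed)
    "203.0.113.11": ("192.168.10.11", {25}),   # mail server (constructed)
}
# DMZ -> internal: only the mail relay may reach the internal mail store (constructed)
DMZ_TO_INTERNAL = {("192.168.10.11", "10.0.0.5", 143)}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "icmp-echo", or anything else
    dport: int = 0

def router_ingress(p):
    """Edge ACL: drop spoofed private sources, then allow only public services."""
    if any(ipaddress.ip_address(p.src) in n for n in PRIVATE_NETS):
        return "drop: private source address"
    if p.proto == "icmp-echo":
        return "permit"                      # only ICMP Echo passes the edge
    if p.proto == "tcp" and p.dport in ROUTER_INBOUND_TCP:
        return "permit"
    return "drop: port not allowed at edge"

def firewall_inbound(p):
    """Static NAT plus a per-host port allow list for the DMZ."""
    entry = STATIC_NAT.get(p.dst)
    if entry is None:
        return "drop: no static NAT entry"
    dmz_host, ports = entry
    if p.proto != "tcp" or p.dport not in ports:
        return "drop: port not allowed for %s" % dmz_host
    return "permit -> %s" % dmz_host

def firewall_dmz_to_internal(p):
    """Deny everything from the DMZ except the listed host/port pairs."""
    allowed = p.proto == "tcp" and (p.src, p.dst, p.dport) in DMZ_TO_INTERNAL
    return "permit" if allowed else "drop"

def trace_internet_to_dmz(p):
    """Run an Internet-sourced packet through the router ACL, then the firewall."""
    verdict = router_ingress(p)
    if verdict != "permit":
        return "router " + verdict
    return "firewall " + firewall_inbound(p)
```

Because the router already discards private-source packets, the firewall's NAT table and port lists only ever see traffic that survived the edge filter, which is the load split the first reply recommends.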
This was first published in June 2005