Date:      Tue, 2 Aug 2005 15:30:21 -0500
From:      Nikolas Britton <nikolas.britton@gmail.com>
To:        Kevin Kinsey <kdk@daleco.biz>
Cc:        Stephan Weaver <stephanweaver@hotmail.com>, freebsd-questions@freebsd.org
Subject:   Re: Networking with FreeBSD
Message-ID:  <ef10de9a05080213304fa42f26@mail.gmail.com>
In-Reply-To: <42EFA65A.5080905@daleco.biz>
References:  <BAY20-F2F61C3D84924A4CD57576A8C20@phx.gbl> <42EFA65A.5080905@daleco.biz>

On 8/2/05, Kevin Kinsey <kdk@daleco.biz> wrote:
> Stephan Weaver wrote:
>
> > Hello Everyone.
> >
> > We are going to be connecting our Stores to our Main Head Office Via
> > Fiber.
> > We want to separate our Internal Lan from the store computers.
> > So we have decided to separate them by networks [ip addressing]
> > because of security.
> >
> >
> > Head Office
> > I have 3 Servers in my LAN. And 4 Networks in Total inside of our Head
> > Office.
> > 10.10.10.1 - Pixel Replication Server
> > 192.168.1.1 - Web Based Server [Delivery Server]
> > 192.168.100.1 - File Server
> > Including Internet Users.
> > 192.168.0.1-254 [ Lan ].
> >
> >
> > The store computers that need to access specific servers, are only on
> > that network.
> > For example.
> > Store 1, Computer 1 Needs to Replicate [he will have an ip of
> > 10.10.10.105]
> > Store 1, Computer 2 [The Delivery Pc]. he will have an ip of
> > 192.168.1.105
> > Store 1, Computer 3 Will access the File Server by having an ip of
> > 192.168.100.105.
> >
> > Now the Risk involved with this is we have no Real Security, For Example.
> > A Malicious user can easily change his ip address to 192.168.0.105 For
> > Example and Get on our Head Office Internal Network. Which We don't Want.
> >
> > So i would like to Setup, Install And Configure a FreeBSD Based
> > Firewall, that
> > will have 4 Network Cards, and will be placed between Our Head Office
> > Switch, and our Fibre Switch [Wan].
> >
> > But AFAIK, By Placing all these network cards in the Same Machine,
> > FreeBSD Will Bridge All Those Networks.
> > How Can i keep the networks Separate, and Secure the Servers by
> > Firewalling by ip addressing?
> >
> > I would appreciate Advice / Suggestions / Anything That will give me a
> > better clue on how to secure my network.
> >
> > Yours Sincerely,
> > Stephan Weaver
> >
>
> This is probably not Real Helpful(tm), but maybe we can get the
> ball rolling here (so I've included your entire post)  --- I'm looking
> at m0n0wall (http://m0n0.ch/wall) to do a little of this on a smaller
> scale --- basically just keeping 2 LANs on the same wire separate
> from one another, and limiting access to the big bad Net via a
> "captive portal".
>
> Not sure if it would be any help to you, however....
>

I'm a big fan of m0n0wall! The thing can do just about anything and
it's so easy to set up and maintain.

This problem should be a simple fix... Treat your connections to the
stores as if they were connections to the public Internet! If I wanted to
connect my LAN/Servers to the Internet then I would set up a firewall
(m0n0wall) that has a deny-all policy. After I've done that I would
set up some pass rules like: store host with the IP address of xyz
can access the HQ server that has the IP address of xyz only on port xyz.
If you want you could set up a DMZ and put your HQ servers there.

All WANs, MANs, 802.11x, Ethernet over AC power lines, etc. should
always be treated like the public Internet.

m0n0wall can do everything you need... Have you thought about site to
site VPNs using the Internet to connect the stores?... what kind of
bandwidth do you need?
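The deny-all-then-pass policy described in the reply above, written out as a pf.conf for a FreeBSD firewall. This is an added example, not configuration from the thread or from m0n0wall. The interface names, the store subnet and host addresses, and the service ports are assumptions; the HQ server addresses are the ones Stephan gave. One further assumption is built in: a firewall that filters by address needs each store on a routed subnet of its own, so the store PCs are no longer numbered inside the HQ server networks as in the original plan.

```pf
# Added example, not from the thread: /etc/pf.conf for a FreeBSD box sitting
# between the fibre switch and the head-office switch. Default deny, then
# one pass rule per store host / HQ server / service.

fiber_if = "em0"     # NIC on the fibre switch, i.e. the store side (assumed)
lan_if   = "em1"     # NIC on the head-office LAN (assumed)
dmz_if   = "em2"     # NIC on the server segment (assumed; carries the three
                     # server networks as aliases)

hq_lan   = "192.168.0.0/24"
repl_srv = "10.10.10.1"       # replication server (from the post)
web_srv  = "192.168.1.1"      # web-based delivery server (from the post)
file_srv = "192.168.100.1"    # file server (from the post)

# Assumption: store 1 gets a routed subnet of its own.
store1_net  = "10.1.1.0/24"
store1_repl = "10.1.1.105"
store1_web  = "10.1.1.106"
store1_file = "10.1.1.107"

repl_port = "5432"            # assumed; use the port the replication really speaks
web_ports = "{ 80, 443 }"
smb_ports = "{ 139, 445 }"

set skip on lo0
scrub in all

# Default deny in both directions. The pass rules below keep state, and pf's
# default floating state lets the outbound and reply legs of a permitted
# connection through, so no separate "pass out" rules are needed.
block log all

# A store PC that sets itself to 192.168.0.105 still arrives on $fiber_if.
# antispoof expands to block rules that drop any packet whose source belongs
# to one interface's network but shows up on a different interface.
antispoof log quick for { $fiber_if, $lan_if, $dmz_if }

# Head office may reach the servers and the stores; stores never reach the LAN.
pass in quick on $lan_if from $hq_lan to any keep state

# Store 1: one host, one server, one service each. Nothing else from the
# store side matches a pass rule, so it falls to "block log all".
pass in quick on $fiber_if proto tcp from $store1_repl to $repl_srv port $repl_port flags S/SA keep state
pass in quick on $fiber_if proto tcp from $store1_web  to $web_srv  port $web_ports flags S/SA keep state
pass in quick on $fiber_if proto tcp from $store1_file to $file_srv port $smb_ports flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then `pfctl -f /etc/pf.conf` and `pfctl -e`. `pfctl -sr` shows the expanded antispoof rules so you can confirm the spoofed-address case is covered, and `tcpdump -n -e -ttt -i pflog0` shows what the default-deny rule is dropping while the store PCs are being cut over.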



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ef10de9a05080213304fa42f26>