
Saturday, July 23, 2005

firewall-wizards digest, Vol 1 #1640 - 3 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: Forwarding traffic to an active IDS/Firewall (Vinicius Pavanelli Vianna)
2. Re: Internet accessible screened subnet - use public or private IPs? (David Lang)

--__--__--

Message: 1
Date: Fri, 22 Jul 2005 12:43:38 -0300
From: Vinicius Pavanelli Vianna <ds@hacked.com.br>
To: "Dale W. Carder" <dwcarder@doit.wisc.edu>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Forwarding traffic to an active IDS/Firewall

Hi,

This was exactly what I was looking for. PaulM sent me a Cisco page
that contains info about PBR on Cisco hardware, so I will check it. The other
answer was to put the IDS/Firewall between the switch and the uplink on
the datacenter, but I think this is a better solution since it allows me
to do load balancing too in future.

Thanks for all people that helped me.

Dale W. Carder wrote:

>Thus spake Vinicius Pavanelli Vianna (ds@hacked.com.br) on Wed, Jul 13, 2005 at 06:39:35PM -0300:
>
>>Does anyone know how I can forward all traffic that comes to a Cisco Catalyst
>>switch to a gateway to do some IDS/Firewall/Traffic Shaping?
>
>Use a policy route to force the next-hop. I think that's the
>closest thing to what you want. However, given that traditional
>switches are more or less agnostic to layer 3 information, you can't
>do that unless you have a switch with a routing card, or actually
>have a router.
>
>If you're only looking for IDS stuff, most high end switches support
>port mirroring.
>
>So, a layer-2 solution could use vlans and have your IDS/Firewall/Traffic
>Shape thingy route, bridge, or proxy-arp between them.
>
>Or, use a PC or some other device that can make switching decisions
>based on higher level stack information.
>
>Dale
>
>----------------------------------
>Dale W. Carder - Network Engineer
>University of Wisconsin at Madison
>http://net.doit.wisc.edu/~dwcarder
>
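The policy-route and port-mirror approaches Dale describes, written out as an added Cisco IOS configuration example (not from the thread or from either poster). A Catalyst with a routing engine is assumed, since a pure layer-2 switch cannot policy-route; interface names and the RFC 5737 addresses are constructed placeholders. The example also covers the failure mode the thread does not mention: what happens to traffic when the inspection box itself is down.

```cisco
! Added example, not from the thread. Requires a Catalyst with a layer-3
! engine (SVIs); a plain layer-2 switch cannot apply a policy route.
! Addresses are constructed placeholders from the RFC 5737 ranges.
!
! Hosts in VLAN 10 (192.0.2.0/24) whose traffic must pass the IDS/firewall.
ip access-list extended TO-INSPECT
 permit ip 192.0.2.0 0.0.0.255 any
!
! Probe the inspection box (198.51.100.2 on VLAN 20) so the route-map
! knows whether the next hop is alive.
ip sla 1
 icmp-echo 198.51.100.2 source-interface Vlan20
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Policy route: matching traffic is handed to the inspection box instead
! of following the routing table. With 'verify-availability ... track',
! the set clause is skipped while the box is unreachable and traffic takes
! the normal path, i.e. the design FAILS OPEN around the firewall.
! Use the plain form ('set ip next-hop 198.51.100.2') to fail closed:
! traffic is then dropped until the box comes back.
route-map INSPECT permit 10
 match ip address TO-INSPECT
 set ip next-hop verify-availability 198.51.100.2 10 track 1
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map INSPECT
!
interface Vlan20
 ip address 198.51.100.1 255.255.255.0
!
! IDS-only alternative (Dale's port-mirroring case): copy the traffic to
! the sensor port; nothing is routed and the sensor cannot block anything.
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/24
```

To confirm the policy is actually being applied, `show route-map INSPECT` reports per-clause match counts and `show track 1` shows whether the inspection box is currently reachable. Decide the fail-open versus fail-closed question deliberately: the tracked form keeps the datacenter up when the inspection box dies, at the cost of uninspected traffic during the outage.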

--__--__--

Message: 2
From: David Lang <david.lang@digitalinsight.com>
To: Dave Piscitello <dave@corecom.com>
Cc: firewall-wizards@honor.icsalabs.com
Date: Fri, 22 Jul 2005 10:54:25 -0700 (PDT)
Subject: Re: [fw-wiz] Internet accessible screened subnet - use public or private IPs?

On Fri, 22 Jul 2005, Dave Piscitello wrote:

> Isn't this a question of whether you want to route or NAT?
>
> A server that is Internet-facing has to have (or be reachable via) a
> public IP. If your ISP changes your block of public IP addresses, you
> have to change:
>
> 1) the mapping between your private IP addresses and the new public
> IP addresses (the static or 1:1 NAT case) or
> 2) the IP addresses of all the servers, the IPs of the trusted and
> external interfaces on the firewall, and the routing table (or
> routing protocol configuration)
>
> (2) seems like a whole lot more work to me.

First off, how frequently does your ISP reallocate your address range?

Secondly, you are ignoring all the other work that you need to do when this
change takes place. With all that in mind the difference in the amount of
work seems a lot less.

And as I said below, the trade-off for simplifying this rare occurrence of
changing your IP range comes with day-to-day costs in running NAT.

David Lang

>
> On 21 Jul 2005 at 18:28, David Lang wrote:
>
>> On Thu, 21 Jul 2005, Paul D. Robertson wrote:
>>
>>> On Fri, 15 Jul 2005, Matt Bazan wrote:
>>>
>>>> Is there a preferred method of setting up an Internet-facing
>>>> screened subnet and the use of public or private IP addresses?
>>>> Looking at redesigning our DMZ to only include public resources
>>>> (www, smtp, imap, ftp). Presently we use a private IP address
>>>> range for this that is NAT'ed at our firewall. Any reasons to
>>>> change this policy to using public IPs in the DMZ? Thanks,
>>>
>>> If you're NATing to your internal network, then a rework is
>>> necessary- public stuff should be on its own (preferably) physical
>>> subnet.
>>>
>>> IP addressing doesn't matter much, since you'll be letting stuff
>>> through the most likely exploit vectors anyway.
>>
>> The thing I've been hearing for years about why NAT is better is that
>> you may change ISPs and end up with a new set of IP addresses which
>> are easier to change if you NAT.
>>
>> This may be true (I've actually never seen anyone actually DO this),
>> but you are trading one-time headaches (which I personally believe are
>> no more severe than all the other changes that you need to make when
>> changing things, firewalls, DNS, NAT tables, etc.) for ongoing overhead
>> (performance on your NAT device, troubleshooting, bugs in the NAT
>> implementation, overloading of the NAT tables, etc.)
>>
>> I would definitely have things that serve the Internet use public
>> addresses; once you get behind that layer and have devices that only
>> talk to internal stuff, then make it all private addresses.
>>
>> David Lang

--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
-- C.A.R. Hoare
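To make the two designs Dave and David are weighing concrete, here is an added nftables example (not from the thread or from either poster) of a Linux firewall in front of a DMZ mail/web host: first the routed design, where the host carries a public address, then the static 1:1 NAT design. The interface names "wan", "dmz" and "lan" and all addresses (RFC 5737 public block, RFC 1918 private DMZ) are constructed placeholders. The comments mark which lines have to change when the ISP renumbers the public block, which is the one-time cost David is comparing against NAT's ongoing costs.

```nftables
# Added example, not from the thread. Two alternative rulesets are shown
# in one listing for comparison; load only one of them.
# Constructed addresses:
#   public block 203.0.113.0/24, DMZ host 203.0.113.10  (routed design)
#   private DMZ 192.168.10.0/24, DMZ host 192.168.10.10 (NAT design)

# --- Design 1: routed DMZ, the host itself holds the public address ---
table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # Only the published services reach the host. On renumbering this
    # address changes here, on the host's interface, in its default route
    # and in DNS (DNS changes in either design).
    iifname "wan" oifname "dmz" ip daddr 203.0.113.10 tcp dport { 25, 80, 443 } ct state new accept
    # The DMZ host gets no path into the internal network.
    iifname "dmz" oifname "lan" drop
  }
}

# --- Design 2: private DMZ with static 1:1 NAT at the firewall ---
# The host keeps 192.168.10.10 forever; on renumbering only the two NAT
# lines below change. The price is that every packet is rewritten and
# tracked in the conntrack/NAT table for the life of the design.
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    # Inbound: public address -> private host (changes on renumbering)
    iifname "wan" ip daddr 203.0.113.10 dnat to 192.168.10.10
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    # Outbound: private host -> public address (changes on renumbering)
    oifname "wan" ip saddr 192.168.10.10 snat to 203.0.113.10
  }
}
table inet filter_nat {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # Forward filtering now sees the translated private address: rules,
    # logs and packet captures on this side show 192.168.10.10 while the
    # Internet sees 203.0.113.10, one of the troubleshooting costs David
    # describes.
    iifname "wan" oifname "dmz" ip daddr 192.168.10.10 tcp dport { 25, 80, 443 } ct state new accept
    iifname "dmz" oifname "lan" drop
  }
}
```

In both designs the security-relevant rule is the same: only the published ports reach the DMZ host and the DMZ has no route into the internal network, which is Paul's point that addressing matters much less than what you let through. Renumbering in design 1 touches the firewall, the host and DNS; in design 2 it touches the two NAT lines and DNS, but every day in between is spent running and debugging the translation.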

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
