Multiple LANs: Firewall advice required.

Hi there,

I have 3 LANs that are totally separate from each other. It's very important that data must not be routed from one LAN to another. The LANs have different network addresses.

What I need to do is to have a PC that has access to ALL of the LANs simultaneously. What I'm thinking of doing is to introduce a PC that has 3 NICs installed, each NIC connected to one of the LANs.

Physical access to the PC with the multiple NICs would be restricted, and the system would not be connected to the internet; its sole purpose would be to access specific mainframe systems on each of the local area networks by use of terminal emulator software.

Is there any need for the use of a firewall in this situation? The PC wouldn't route data. I realise that a firewall would be preferable in this situation, but I don't really see the need if the data cannot route between networks.

Before anyone shouts at me, I understand that I must adhere to a solution that is satisfactory and that's why I'm asking the question here. Please advise what would be the most secure solution. Advice on a good secure software firewall that would be of use in this situation would be most useful.

Thanks in advance for any contributions, advice or comments.

Hoastey

rhoaste

Get a firewall appliance in front of the LANs and then VPN into them from anywhere to manage them. If you do the multi-NIC and the system is compromised then all the networks are at risk.

If you do the VPN route, you can limit access to a specific machine or to a user that knows the login/password and it can be from anywhere if you want.

Also, if you use firewalls to cover the LANs, you could just set up rules that permit the one workstation access to all the LANs.

Leythos

OK. Do the individual LANs have access to any other networks INCLUDING the Internet? If so, the routers to those other LANs need to have null routes set for these three, so that packets from LAN A are not sent out to the Internet and there routed to LAN B or C. Of course, if they are meant to be totally separated, they probably shouldn't have ANY access to other networks, especially the Internet.

What O/S? Whatever it is, there must not be anything offering network services. This PC would be a 'client' to 'servers' running on the three LANs only.

As long as the terminal emulation does not have a file transfer capability (such as {X|Y|Z}Modem, Kermit, etc.) and the terminal emulation is only displaying data rather than generating it, this might work.

No more than normal for the O/S. I would recommend that the LANs use a switched technology (as opposed to hubs, concentrators, or coax), so that the common PC only sees packets destined for it.

Routing between networks also takes the cooperation of the end points. Assume networks A and B, and a single system named X with NICs on both. A system on network A has to know that to reach network B, it has to send packets to host X and let it relay them. Likewise, a system on network B has to know that to reach (or even reply to) network A, it has to send the packets to X. If A doesn't know about B, or vice versa, OR if A (or B) doesn't know that X will forward packets, then it doesn't matter if X is going to do anything, because the hosts on network A will return a message "Network Unreachable" for any attempt to communicate with B (and vice versa).

A lot depends on what the requirements are. Are they 'legal' (meaning civil or military law, or contractual), company policy, or merely keeping brothers/sisters from seeing what's on the siblings network?

Three dumb terminals without removable media (floppies, CDs), sharing only the table and power outlet. "Nothing beats an air gap in maintaining network security".

Personally, I can't see the need for one ASSUMING nothing gets installed on the LANs that gives them a clue that other LANs exist, AND there is control of what software gets installed on the common PC.

Old guy

Moe Trin
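Putting the two replies above into configuration terms (Leythos: a firewall that permits only the one workstation; Moe Trin: the common PC must be a pure client that never forwards, plus null routes on any router that connects a LAN to somewhere else), here is an added example that is not from any of the posters. It assumes the multi-NIC PC runs Linux with nftables; the interface names (eth0/eth1/eth2), LAN prefixes, mainframe addresses and ports are made-up illustration values.

```shell
#!/bin/sh
# Added example, not from the thread: lock down a Linux multi-NIC "terminal PC"
# so it can open terminal sessions to one mainframe per LAN and nothing else,
# and never relays packets between the LANs. Interface names, LAN prefixes,
# mainframe addresses and ports below are assumptions for illustration.

# LAN  NIC   LAN prefix       mainframe    TCP port (23 = telnet/tn3270, 992 = tn3270 over TLS)
LANS='
A eth0 10.10.0.0/16 10.10.0.5 23
B eth1 10.20.0.0/16 10.20.0.5 23
C eth2 172.16.0.0/16 172.16.0.5 992
'

# 1. The kernel must never forward between the NICs. Returns 0 if forwarding
#    is off, 1 if it is on, 2 if the sysctl file is missing (not Linux).
forwarding_disabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "0" ]
}

# Persistent sysctl settings, e.g. for a file under /etc/sysctl.d/ (assumed path).
gen_sysctl() {
    cat <<'EOF'
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# neither honour nor emit ICMP redirects, and refuse source-routed packets
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
# reverse-path filtering: a reply only leaves by the NIC that owns the route
net.ipv4.conf.all.rp_filter = 1
EOF
}

# 2. nftables ruleset: outbound only to each LAN's mainframe via that LAN's own
#    NIC, inbound only the replies, and a forward chain with policy drop so the
#    host cannot relay even if ip_forward is flipped on later.
gen_nft_rules() {
    printf 'table inet termpc {\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy drop;\n'
    printf '    iif lo accept\n'
    printf '    ct state established,related accept\n'
    printf '  }\n'
    printf '  chain forward {\n'
    printf '    type filter hook forward priority 0; policy drop;\n'
    printf '  }\n'
    printf '  chain output {\n'
    printf '    type filter hook output priority 0; policy drop;\n'
    printf '    oif lo accept\n'
    printf '    ct state established,related accept\n'
    echo "$LANS" | while read -r name ifc prefix host port; do
        if [ -n "$name" ]; then
            printf '    # LAN %s: new terminal sessions to its mainframe only\n' "$name"
            printf '    oifname "%s" ip daddr %s tcp dport %s ct state new accept\n' \
                "$ifc" "$host" "$port"
        fi
    done
    printf '  }\n}\n'
}

# 3. For any router that connects LAN "$1" to something else: blackhole the
#    other LANs, so a packet from A addressed to B is discarded there instead
#    of following a default route out and possibly back in.
gen_blackhole_routes() {
    own="$1"
    echo "$LANS" | while read -r name ifc prefix host port; do
        if [ -n "$name" ] && [ "$name" != "$own" ]; then
            printf 'ip route add blackhole %s\n' "$prefix"
        fi
    done
}

# Stand-alone: print everything for review before applying with sysctl/nft/ip.
gen_sysctl
gen_nft_rules
gen_blackhole_routes A
if forwarding_disabled; then
    echo "# ip_forward is 0 on this host"
else
    echo "# WARNING: could not confirm ip_forward is 0 on this host"
fi
```

Review the output, then load the ruleset with `nft -f` and the sysctls with `sysctl --system`; the blackhole lines are for the routers on each LAN's edge, not for the terminal PC. The ruleset deliberately has no rule accepting new inbound connections at all, which is the "nothing offering network services" condition from the post; if the emulator needs DNS or TLS to the mainframe, add those destinations to the output chain rather than loosening the policy.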

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.