PIX firewalling web servers

Hi,

We need to run a firewall in front of our web servers. They are on multiple subnets, so the solution would seem to be to have the internet connection coming into a perimeter router, then to the firewall, then to an internal router and out to the servers. I'm having a bit of difficulty finding any examples of this configuration, although it must be in use a lot. Could anyone run through the specifics or provide an example configuration? If possible I'd like to avoid running NAT and PAT.

Reply to
Daniel Foster

BAD idea. Do you know what happens to the VLAN config on most switches when the MAC address table overflows? They become "hubs" (all packets go to all ports) until you reboot them. It's trivial for a hacker to write a program that floods out packets with different random MAC addresses. Send those packets through the VLAN switch, and in about 10 seconds or so, no more VLANs; the whole thing is wide open.

Reply to
T. Sean Weintz

- Why?

- What kind of 'firewall'? Packet filter or proxy?

Ever thought of using VLAN's?

The PIX is not a router.

Wolfgang

Reply to
Wolfgang Kueter

GOOD idea if all the attached services are at the same trust level.

Private VLANs combined with a dot1q trunk into the firewall are ideal for running in *lots* of external services.

If they have penetrated a box to the extent of being able to download and build tools like Macof, one has far more to worry about than attempts to overflow the CAM table.

The methods to secure a switch from such attacks are well documented. Any attempts to flood through that port will result in disconnection.

greg

Reply to
Greg Hennessy
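The two posts above describe the failure mode (a switch whose CAM table overflows falls back to flooding every frame out every port) and the usual countermeasure (cap the number of source addresses a port may learn and disconnect a port that exceeds it). The following is an added example, not code from the thread or from any switch vendor: a small Python detector that applies that per-port cap to a stream of address-learning events, plus a helper that emits the matching port-security configuration. The event format, port names and MAC addresses are constructed for the example; the emitted commands use Cisco IOS port-security syntax.

```python
"""Flag access ports that learn too many distinct source MACs in a short window.

Added example for this thread: models the port-security idea of limiting the
number of MAC addresses a port may learn, so a CAM-table overflow on one port
is caught and that port alone is shut down instead of the whole VLAN leaking.
"""
from collections import defaultdict

# Constructed sample events: (timestamp_seconds, port, source_mac).
# Gi1/0/1 is a normal server port (two addresses, e.g. a host and a VRRP MAC).
# Gi1/0/3 sees a handful of addresses spread out over half a minute.
# Gi1/0/7 learns six distinct addresses within a few seconds.
SAMPLE_EVENTS = [
    (0.0, "Gi1/0/1", "00:11:22:33:44:01"),
    (1.0, "Gi1/0/1", "00:11:22:33:44:02"),
    (2.0, "Gi1/0/1", "00:11:22:33:44:01"),
    (0.0, "Gi1/0/3", "00:aa:bb:cc:dd:01"),
    (12.0, "Gi1/0/3", "00:aa:bb:cc:dd:02"),
    (24.0, "Gi1/0/3", "00:aa:bb:cc:dd:03"),
    (36.0, "Gi1/0/3", "00:aa:bb:cc:dd:04"),
    (3.0, "Gi1/0/7", "de:ad:be:ef:00:01"),
    (3.5, "Gi1/0/7", "de:ad:be:ef:00:02"),
    (4.0, "Gi1/0/7", "de:ad:be:ef:00:03"),
    (4.5, "Gi1/0/7", "de:ad:be:ef:00:04"),
    (5.0, "Gi1/0/7", "de:ad:be:ef:00:05"),
    (5.5, "Gi1/0/7", "de:ad:be:ef:00:06"),
]


def detect_flooding(events, max_macs=3, window=10.0):
    """Return {port: peak_distinct_macs} for every port that learns more than
    `max_macs` distinct source addresses inside any `window`-second span.

    The per-port limit is the same knob a switch's port-security feature
    enforces; the time window keeps slow, legitimate address churn (a server
    being replaced, a VM migrating) from tripping the check.
    """
    per_port = defaultdict(list)
    for ts, port, mac in sorted(events):
        per_port[port].append((ts, mac))

    violators = {}
    for port, seq in per_port.items():
        start = 0
        for end in range(len(seq)):
            # Slide the window start forward until it spans <= `window` seconds.
            while seq[end][0] - seq[start][0] > window:
                start += 1
            distinct = {mac for _, mac in seq[start:end + 1]}
            if len(distinct) > max_macs:
                violators[port] = max(violators.get(port, 0), len(distinct))
    return violators


def port_security_config(port, max_macs=3):
    """Return the Cisco IOS interface configuration that enforces the same cap
    on the switch itself: the port is err-disabled when it sees a source MAC
    beyond the allowed maximum, which is the disconnection the thread refers to.
    """
    return [
        f"interface {port}",
        " switchport mode access",
        " switchport port-security",
        f" switchport port-security maximum {max_macs}",
        " switchport port-security violation shutdown",
    ]


if __name__ == "__main__":
    for port, count in sorted(detect_flooding(SAMPLE_EVENTS).items()):
        print(f"{port}: {count} distinct source MACs in window, recommend:")
        print("\n".join(port_security_config(port)))
```

With the default limit of three addresses in ten seconds only Gi1/0/7 is reported; Gi1/0/3 is not, because its four addresses never fall inside one window. Tightening the limit and widening the window (for instance `max_macs=1, window=100`) makes the detector flag every multi-address port, which is why the thresholds should be set from the known address count of each server port rather than guessed.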
[ about flooding switches with macof ]

And, the behavior Weintz describes of a switch with VLANs is identified as a bug by (at least) Cisco, and subsequently should be fixed in recent switching software.

Been on holidays and didn't notice this thread until now, sorry for the late reply.

Reply to
Eirik Seim

Exactly, if one requires a very high level of port density, switch + firewall is far preferable to filling racks up with firewalls at 20 fast-e ports per 2U.

I know of one bank here in the UK that put in 6 racks of IP-650s to plumb external services.

A complete waste of money.

greg

Reply to
Greg Hennessy
