#1
Registered User
Join Date: Nov 2006
Posts: 1
OS: XP
Setting up DMZs/Screened Subnets with Commodity Firewalls
We have a couple of DMZs set up with firewalls such as Checkpoint and NetGear (FVS114) to separate the subnets.

The NetGear is causing me problems and I am looking at other firewalls (such as a SonicWall SOHO 3, which I happen to have). These subnets do not go directly to the Internet. They are just separating my data servers from my DMZ that has my web servers on one side and our protected intranet on the other. The problem is that these are firewall/DSL routers that are intended to route information from your local network to the Internet and that also have firewall functions. After reading the document on the NetGear, it talks about Internet-sharing firewalls where requests from the outside are discarded. Only packets that come from the outside as a response are accepted. On the NetGear, this is also the case unless you have a rule set up to accept requests by service (such as port 80 - HTTP). I don't know if this is normal or not, but one of the things required is a gateway. I would assume that a normal non-Internet-sharing firewall wouldn't have a gateway, as you are only routing packets from one subnet to another (no NAT). I am not sure if the SonicWall does this or not. If not, I will need to look elsewhere.

The WAN side has a gateway that is usually the DSL router. You can usually set up the firewall as Standard or NAT. With Standard, the LAN and WAN have to be on the same subnet. With NAT, the WAN is the ISP's router address (public) and the LAN is your private network. In my case, I want to use the firewall inside the private network where both the LAN and WAN would have private addresses but each would be a public address. So on my protected network I would have all my user machines on the 10.0.0.X network, and my DMZ that has my SQL Servers would be on the 10.0.3.X network. I don't know if it matters which side has the LAN or WAN interface. But what about the gateway address? I have it set up at the moment as:

WAN: IP Address: 10.0.0.251, Mask: 255.255.255.0, Gateway: ?
LAN: IP Address: 10.0.3.251, Mask: 255.255.255.0
SQL Server IP Address: 10.0.3.2
My workstation: 10.0.0.25

I am assuming that NAT needs to be set for this to work. But in the Internet world you would not be able to access an address in the private network directly, only in response to a request. So there would need to be a request from the private address first to the Internet and the Internet would respond, but not the other way round. Since I am NATing here, wouldn't I have the same problem? Is there a way to make this work with these types of firewalls? We have a Checkpoint firewall that does this great, but that is too expensive for us here in this scenario.

Thanks, Tom
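A model of the routed, no-NAT two-interface setup described in the post, added here as an illustration and not part of the original thread or of any vendor's product: the firewall's interface on each subnet is the gateway hosts on that side use to reach the other, and a stateful policy lets only the protected network open connections to the SQL server while anything the DMZ initiates is dropped. It does not answer which of the named products support this mode; the SQL port 1433 and the flow-table design are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Addressing taken from the post; the port is an assumption (MS SQL Server default).
PROTECTED = ipaddress.ip_network("10.0.0.0/24")       # user workstations
DMZ = ipaddress.ip_network("10.0.3.0/24")             # SQL servers
FW_PROTECTED_IF = ipaddress.ip_address("10.0.0.251")  # firewall leg on the protected net
FW_DMZ_IF = ipaddress.ip_address("10.0.3.251")        # firewall leg on the DMZ
SQL_SERVER = ipaddress.ip_address("10.0.3.2")
SQL_PORT = 1433  # assumed; not stated in the post


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new TCP connection


# Only these (source net, destination host, port) triples may open new flows.
ALLOW_NEW = [(PROTECTED, SQL_SERVER, SQL_PORT)]


def next_hop(host):
    """Routed (no NAT) mode: each side reaches the other via the firewall's
    interface on its own subnet, so that interface is the host's gateway."""
    h = ipaddress.ip_address(host)
    if h in PROTECTED:
        return FW_PROTECTED_IF
    if h in DMZ:
        return FW_DMZ_IF
    return None  # neither subnet: nothing on this firewall routes it


@dataclass
class StatefulFilter:
    state: set = field(default_factory=set)  # established (src, sport, dst, dport) flows

    def forward(self, p):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        flow, reverse = (src, p.sport, dst, p.dport), (dst, p.dport, src, p.sport)
        if flow in self.state or reverse in self.state:
            return "ALLOW (established)"  # reply or continuation of an allowed flow
        for net, host, port in ALLOW_NEW:
            if p.syn and src in net and dst == host and p.dport == port:
                self.state.add(flow)
                return "ALLOW (new)"
        return "DROP"  # unsolicited traffic in either direction, e.g. DMZ -> workstation
```

The reply from the SQL server is accepted only because the workstation's outbound SYN created a state entry, which is the same "response to a request" behaviour the post describes, here applied between two private subnets rather than toward the Internet.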