[NTLUG:Discuss] Router Needed?

terry kj5zr at yahoo.com
Tue Jul 6 21:34:38 CDT 2004


terry wrote:
> Burton M. Strauss III wrote:
> 
>> Well, no, that's not quite right.
>>
>> 1) To make that work, your 'firewall-2' has to proactively prevent guests
>> from accessing the internal network.  Violates the principle of
>> permit-nothing.
>>
>> 2) Who provides NAT and DHCP server?  As your diagram stands, with a
>> simple hub, there's no way to separate out the systems except by MAC
>> address, which is an admin nightmare.
>>
>> Also, the key was to completely isolate his 'guests' with their
>> virus-laden POC systems - putting them outside the firewall is the best
>> way to do it.
>> So if you have the equipment:
>>
>>                                                     DHCP
>>                                                       |
>>  <Internet>-----<firewall>-----<HUB>-----<firewall-2>---internal network
>>                                   |                      (192.168.1.x)
>>                              <firewall-3>
>>                                   |
>>                                   |----DHCP
>>                                   |
>>                           <guest network>
>>                            (192.168.2.x)
>>

I was looking at the wrong diagram when I made the comment below, but I think
you know what I meant. It's firewall-2 that's not necessary because the
gateway of firewall-3 (in this case) is firewall-1.  It wouldn't hurt to
have the third firewall though, just not all that necessary.

> 
> firewall-3 is not necessary if firewall-2 blocks 192.168.2.x from 
> 192.168.1.x
> 


-- 
but test everything; hold fast what is good,
1 Thessalonians 5:21
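Burton's point 1 above, a firewall-2 that "proactively prevents" guests from reaching the internal network versus a permit-nothing ruleset, modelled as an added example that is not code from the thread; the rule format and the sample addresses (including a guest box that has renumbered itself to 10.0.0.10) are my own constructed simplification of a stateless packet filter.

```python
"""Compare two firewall-2 policies for the topology in the thread:
an explicit block of 192.168.2.x -> 192.168.1.x on top of allow-all,
versus a default-deny ruleset that only permits what is needed.
Added example, not from the original thread."""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")   # behind firewall-2
GUEST = ip_network("192.168.2.0/24")      # behind firewall-3
ANY = ip_network("0.0.0.0/0")

# A policy is (ordered rules, default verdict). A rule is
# (source net, destination net, verdict); first match wins.
BLOCKLIST_POLICY = ([(GUEST, INTERNAL, "DROP")], "ACCEPT")
DEFAULT_DENY_POLICY = (
    [(INTERNAL, ANY, "ACCEPT")],   # internal hosts may initiate outbound
    "DROP",                        # everything else is refused
)


def verdict(policy, src, dst):
    """Verdict for a new (not yet established) flow src -> dst."""
    rules, default = policy
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return action
    return default


# Constructed sample flows arriving at firewall-2.
FLOWS = {
    "guest->internal": ("192.168.2.10", "192.168.1.5"),
    "internal->internet": ("192.168.1.5", "198.51.100.7"),
    "renumbered guest->internal": ("10.0.0.10", "192.168.1.5"),
    "internet->internal": ("198.51.100.7", "192.168.1.5"),
}


def compare(flows=FLOWS):
    """Map each flow to (blocklist verdict, default-deny verdict)."""
    return {
        name: (verdict(BLOCKLIST_POLICY, *f), verdict(DEFAULT_DENY_POLICY, *f))
        for name, f in flows.items()
    }


if __name__ == "__main__":
    for name, (blocklist, deny) in compare().items():
        print(f"{name:28} blocklist={blocklist:6} default-deny={deny}")
```

Only the flow the blocklist was written for is stopped by it; the renumbered guest and unsolicited inbound traffic pass, while the default-deny policy refuses both without any extra rule.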
