[FW1] My reason to turn off IP Spoofing
Ok,
Right on, here is my reason:

My Firewall: 4.1, SP3
Platform: NT 4.0 SP6a, PIII 650 MHz, 1 GB RAM, SCSI hard drive, mirrored boot disks, RAID 5 data disks.

My Internal Network: DMZ, LocalNet, Real Time Data LAN.

IP Scheme:
DMZ:      192.168.10.x  255.255.255.0
Localnet: 10.0.0.x      255.255.254.0
Data LAN: 172.32.0.x    255.255.255.0
          172.33.0.x    255.255.255.0
          172.34.0.x    255.255.255.0
          172.35.0.x    255.255.255.0
          172.36.0.x    255.255.255.0
You would know quite well about DMZ and Localnet, there is nothing special about them. The special thing is that Real Time Data LAN. This LAN is dedicated to providing real time stock data; it inputs data through T1, T3 from the Exchange of the State, and outputs to clients also through other T1, Frame Relay. So this data LAN is secured, 'cause it inputs and outputs data through dedicated locations where no internet traffic has been involved! I connect this LAN to the Firewall with 172.36.0.x, 'cause we need clock from the Internet and other limited tasks.

The problem happened when our software developers wanted to connect to this LAN through 172.136.0.x. The pre-condition is that they don't want to access this DATA LAN through the Firewall, they want to have a TCP connection directly to 172.36.0.x from their system (there are some software requirements, e.g. they must keep their source IP in the same segment as Data LAN 172.36.0.x). They are behind the firewall now with an IP of 10.0.0.x; in order to let them connect to this data LAN directly I have to put 172.36.0.x on the same NIC with the IP of 10.0.0.x in their system. So when they want to get internet they plug in the internet cable, when they want to connect to the Data LAN they plug in the data LAN cable. If I do this, the Firewall will keep sending me alarms that other invalid IPs have been detected through Localnet, because the same host has been bound with two different IPs.

You may ask me, hey! are you stupid, why don't you add another NIC card?! Believe me, they already have 5 NIC cards installed on their system, I don't want to add one more, they may not have more IRQs available! So that's why I ask you guys if it is possible to turn off IP spoofing, then the Firewall will not send me the alarms for detecting invalid IPs.
It sounds crazy, I'm sorry for taking your guys' time, but this is my real situation.

Please advise me!!!

Thanks!
Felix
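The alarms Felix describes come from interface-based anti-spoofing: the firewall keeps, for each interface, the set of source networks it expects to see arriving there, and a packet whose source belongs to a different interface's set is logged as invalid. The script below is an added illustration of that decision logic, not code from the list post or from FireWall-1 itself; it reuses the address plan from the message and assumes that the 172.32.0.x to 172.35.0.x networks sit behind the Data LAN interface together with 172.36.0.x. The sample packets are constructed; the second one reproduces the developer host sending from its Data LAN address while plugged into LocalNet.

```python
"""Interface-based anti-spoofing check (added example, not FireWall-1 code).

Network assignments follow the address plan in the post; the grouping of the
172.32-172.35 networks under the Data LAN interface is an assumption.
"""
from ipaddress import ip_address, ip_network

# Source networks each internal firewall interface is expected to see.
VALID_SOURCES = {
    "dmz": [ip_network("192.168.10.0/24")],
    "localnet": [ip_network("10.0.0.0/23")],  # 255.255.254.0 in the post
    "datalan": [ip_network(f"172.{n}.0.0/24") for n in range(32, 37)],
}

# Flattened list of every internal network, used for the external interface.
INTERNAL_NETWORKS = [n for nets in VALID_SOURCES.values() for n in nets]


def owner_of(addr):
    """Return the interface name whose expected networks contain addr, else None."""
    for name, nets in VALID_SOURCES.items():
        if any(addr in n for n in nets):
            return name
    return None


def anti_spoof_check(interface, src):
    """Return (allowed, reason) for a packet with source src arriving on interface.

    Internal interfaces accept only sources from their own expected networks;
    the external interface accepts anything that is not an internal network.
    """
    addr = ip_address(src)
    if interface == "external":
        inside = owner_of(addr)
        if inside is not None:
            return False, f"internal address {addr} ({inside}) arriving from outside"
        return True, "ok"
    if interface not in VALID_SOURCES:
        raise ValueError(f"unknown interface {interface!r}")
    if any(addr in n for n in VALID_SOURCES[interface]):
        return True, "ok"
    inside = owner_of(addr)
    return False, f"{addr} on {interface} belongs to {inside or 'no known'} network"


def audit(packets):
    """Run the check over (interface, src) pairs; return the flagged ones with reasons."""
    flagged = []
    for iface, src in packets:
        allowed, reason = anti_spoof_check(iface, src)
        if not allowed:
            flagged.append((iface, src, reason))
    return flagged


# Constructed sample traffic: (arriving interface, source IP).
SAMPLE_PACKETS = [
    ("localnet", "10.0.1.25"),    # developer host using its LocalNet address
    ("localnet", "172.36.0.80"),  # same host, Data LAN address bound on the same NIC
    ("datalan", "172.34.0.9"),    # feed traffic on the Data LAN side
    ("external", "10.0.0.7"),     # internal address seen from the internet side
    ("dmz", "192.168.10.4"),
]

if __name__ == "__main__":
    for iface, src, reason in audit(SAMPLE_PACKETS):
        print(f"ALARM {iface:9} {src:15} {reason}")
```

Running it flags exactly two packets: the developer host's 172.36.0.80 source on LocalNet (the alarm from the post) and the 10.0.0.7 source arriving on the external interface. Widening LocalNet's expected set to include 172.36.0.0/24 would silence the first alarm, but it would also make the firewall accept Data LAN-sourced packets from any LocalNet host, which is the protection the check exists to provide.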