Re: [FW1] Newcomer To Checkpoint
Sesh wrote:

> I am new to CKP. Can anyone tell me how do I put a DMZ?

Get a good book about firewall basics. Read it, after that read it again. Forget even thinking about implementation or a certain product unless you haven't understood basic firewall architectures. I'd recommend:

Building Internet Firewalls, 2nd Edition
By Elizabeth D. Zwicky, Simon Cooper & D. Brent Chapman
2nd Edition June 2000, 1-56592-871-7, 890 pages, $49.95
http://www.oreilly.com/catalog/fire2/

> I have three NICs on the NT firewall. One NIC goes to the router, the
> second to the internal LAN and the third is empty.

When you build a DMZ this is one of the possibilities.

> I am presently running the FTP server inside the firewall.

No good. Put that into the DMZ.

> The NICs have valid IP addresses.

OK for two of the three NICs. Use valid IP addresses in the DMZ and in the transfer net to the router. Use private IP addresses for the internal network. Set up NAT for the internal LAN. No external services are to be offered from any machine in the internal network. All external traffic should pass the DMZ (for best results use application level proxies in the DMZ).

The basic setup might look like this:

    external router
        |
        |222.222.222.1/30
        |
        |
        |222.222.222.2/30 (external)
        |
        |       222.222.222.5/29
      FW-1 ---------------------------DMZ
        |
        |192.168.1.254/24
    internal LAN
        |
        |

It might also look like that:

    external router with packet filtering properly set up
        |
        |222.222.222.1/28
        |
        |
        |
        |--------switch/hub---------DMZ Servers and proxies
        |
        |222.222.222.14/28
        |       192.168.1.254/24
      FW-1----------------------------internal LAN

> Any help would be greatly appreciated and thanks in advance.

Get professional help, if you can't set that up yourself. Serious security concepts are nothing for beginners. If you can afford Checkpoint Software, you can also afford a consultant, who knows what he's doing. The first thing he'll tell you will probably be that using NT for the firewall machine was not your best idea.

Wolfgang

--
Wolfgang Kueter
Network Administration & Security
SHLINK Internet Service
http://www.shlink.de [email protected]
Postfach 1044, 25310 Elmshorn, Fed. Rep. Germany
Phone: +49 4121 269 006 Fax: +49 4121 269 007
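
The addressing and traffic rules described in the reply above can be checked mechanically before anything is configured. The Python below is an added example, not part of the original message and not Check Point tooling; it takes the interface addresses from the first sketch as written and reports any subnet overlap or DMZ bypass it finds. The function name `check_plan`, the zone names, the rule list and the renumbered DMZ address are assumptions made for illustration.

```python
import ipaddress

def check_plan(zones, rules):
    """zones: zone name -> firewall interface address in CIDR form.
    rules: (src_zone, dst_zone, service) tuples that would be permitted.
    Returns a list of findings; an empty list means the plan fits the policy."""
    findings = []
    nets = {z: ipaddress.ip_interface(a).network for z, a in zones.items()}
    # Internal LAN must be private (NAT'ed); DMZ and transfer net must be routable.
    for zone, net in nets.items():
        if zone == "internal" and not net.is_private:
            findings.append(f"{zone}: {net} is not private address space")
        if zone != "internal" and net.is_private:
            findings.append(f"{zone}: {net} is private, not reachable from outside")
    # Every firewall interface needs its own subnet, otherwise routing is ambiguous.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    # Policy from the post: no services offered from the internal network,
    # and external traffic goes through the DMZ, never direct.
    for src, dst, svc in rules:
        if {src, dst} == {"external", "internal"}:
            findings.append(f"{src}->{dst} {svc}: bypasses the DMZ")
    return findings

# Interface addresses copied from the first sketch in the post.
SKETCH_1 = {"external": "222.222.222.2/30",
            "dmz": "222.222.222.5/29",
            "internal": "192.168.1.254/24"}
# Same layout with the DMZ on the next /29 (constructed for comparison).
RENUMBERED = {**SKETCH_1, "dmz": "222.222.222.9/29"}
# Constructed rule list; the last entry models the FTP server left inside.
RULES = [("external", "dmz", "ftp"),
         ("internal", "dmz", "http-proxy"),
         ("dmz", "external", "http"),
         ("external", "internal", "ftp")]

if __name__ == "__main__":
    for label, plan, rules in (("sketch 1", SKETCH_1, RULES),
                               ("renumbered", RENUMBERED, RULES[:3])):
        print(label, check_plan(plan, rules) or "ok")
```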