
Re: [FW-1] Advice required. Design of a fw architecture



Perhaps I haven't explained it correctly. I don't mean the firewall to
deal with vlan. I left this work to the switch. The firewall is supposed
to have a different interface for each vlan.
In this case, I don't think the firewall has to know about vlan
tagging. Am I missing something?

Regarding Nokia, I've discarded them mainly for price and also because I
don't like black boxes very much. Is there any advantage in them?

Greetings.

Alberto Salerno wrote:

>Hallo,
>
>As far as I know vlan tagging and trunking is not supported by Check Point FW-1
>(except in the VSX version).
>
>Moreover, the underlying operating system must also support VLAN tagging in
>order to work.
>
>If I'm right, Nokia is offering something in this field with IPSO 3.6 (3.5 was
>also offering those features, but 3.6 brings lots of fixes for vlan trunking and
>Gigabit Ethernet).
>
>Nevertheless, this is also a hybrid solution: Check Point on Nokia does not
>understand VLAN tagging (exception: VSX, recently released for Nokia) and you
>have to configure ACLs at IPSO level.
>
>So maybe not the best solution (and quite expensive due to VSX), but should
>work.
>
>Remember that vlan is not a security feature! If you are seriously interested
>in security and vlan take a look at the SecureVLAN (or something like that)
>concept of Cisco, which offers "physical" vlan separation but at an
>astronomical price (e.g. using CAT6500).
>
>Concerning clustering. With IPSO 3.6 Nokia is offering Check Point HA, which is
>not as refined as StoneBeat but should at least work.
>
>See you later.
>
>Alberto
>
>Anuska Aragón Fernández <[email protected]> writes:
>
>
>
>>Hello all,
>>
>>In our University we are planning a firewall configuration like this one:
>>
>>                    |
>>                    | 35 Mbps
>>                    |
>>                ISP Router
>>                    |
>>                    | 20 Mbps
>>                    |
>>                 -------
>>vlan 1 -------- |       | -----DMZ1 (external servers www, ldap, dns, ...)
>>                |  fw1  |
>>vlan 2 ---------|       |------DMZ2 (other departmental external servers)
>>(2000)           -------
>>                    |
>>                    | Internal Servers (dns, www, ldap, nfs, ...)
>>                    |
>>                 -------
>>                |       |
>>vlan 3 ---------|  fw2  | ------- BD servers
>>(500)           |       |
>>                 -------
>>
>>Different users are grouped in vlans depending on their profile. Each vlan
>>has its own dns server (secondary), dhcp server, and a web proxy cache
>>server.
>>Students are in vlan1, professors in vlan2 and administrative staff in vlan3.
>>These vlans are isolated between themselves (at least for the moment, although
>>we have to plan for exceptions).
>>
>>Access to BD servers is performed only from people in vlan3 and from the
>>internal web server.
>>
>>External servers are relays to our internal servers.
>>
>>We have many doubts about where to put mail server(s). We think we should put
>>antivirus server in the DMZ.
>>
>>Fw1 and fw2 will be clusters. We are thinking of StoneBeat FullCluster, any
>>comments?
>>
>>We have been told that fw1 will not support all the traffic, because it will
>>also have to do a great amount of internal routing, but we don't want to mix
>>routers in the architecture because we want to control all traffic from a
>>single point.
>>
>>Another discussion we have is where to put people from the computer center (us).
>>Should we have another vlan?
>>
>>Any suggestion or advice will be greatly appreciated. If you think we are
>>missing something, and also, if you think we are doing something (or
>>everything) wrong, we'll thank you very much for your comments.
>>
>>Greetings,
>>
>>
>>
--
A n u s k a     A r a g ó n
Servicio Informático              e-mail: [email protected]
Universidad de La Rioja           Tf.:    +34 941 299233
Av. de La Paz 93, 26004 Logroño   Fax:    +34 941 299180
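Alberto's point that a vlan is not a security feature means the separation the original question describes (student, professor and staff vlans isolated from each other; BD servers reachable only from vlan3 and the internal web server) has to be written into the firewall rulebase and verified there, not assumed from the switch configuration. The script below is an added example, not code from this thread or from Check Point or Nokia: it models a simplified first-match rulebase with an implicit cleanup drop, uses constructed addressing for the zones in the diagram, and checks two sample rulebases against those stated requirements. Zone names, addresses, services and the rules themselves are all assumptions made for the example.

```python
"""Check a first-match firewall rulebase against the isolation requirements
stated in the thread: user vlans isolated from one another, and the BD
servers reachable only from vlan3 and the internal web server.
All addresses, hosts, services and rules here are constructed for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed addressing for the zones in the diagram (not from the thread).
# With one firewall interface per vlan, each zone is simply the subnet
# behind that interface; the switch untags the frames before they arrive.
ZONES = {
    "vlan1": ip_network("10.1.0.0/16"),      # students
    "vlan2": ip_network("10.2.0.0/16"),      # professors
    "vlan3": ip_network("10.3.0.0/16"),      # administrative staff
    "dmz1": ip_network("192.0.2.0/24"),      # external www, ldap, dns
    "dmz2": ip_network("198.51.100.0/24"),   # departmental external servers
    "internal": ip_network("10.10.0.0/24"),  # internal dns, www, ldap, nfs
    "bd": ip_network("10.20.0.0/24"),        # BD servers behind fw2
}
INTERNAL_WWW = ip_address("10.10.0.80")  # constructed: the internal web server
INTERNAL_DNS = ip_address("10.10.0.53")  # constructed: some other internal server


@dataclass(frozen=True)
class Rule:
    src: str      # zone name, "internal_www", or "any"
    dst: str      # zone name, "internal_www", or "any"
    service: str  # "any" or a constructed label such as "tcp/1521"
    action: str   # "accept" or "drop"


def matches(selector: str, addr: IPv4Address) -> bool:
    """Does a source/destination selector cover this address?"""
    if selector == "any":
        return True
    if selector == "internal_www":
        return addr == INTERNAL_WWW
    return addr in ZONES[selector]


def evaluate(rules, src: IPv4Address, dst: IPv4Address, service: str) -> str:
    """First matching rule wins; no match means the implicit cleanup drop."""
    for rule in rules:
        if (matches(rule.src, src) and matches(rule.dst, dst)
                and rule.service in ("any", service)):
            return rule.action
    return "drop"


def sample_host(zone: str) -> IPv4Address:
    """A representative host in the zone (the address at offset 10)."""
    return ZONES[zone][10]


def check_requirements(rules) -> list:
    """Return a list of human-readable violations; empty means compliant."""
    violations = []
    user_vlans = ("vlan1", "vlan2", "vlan3")
    # Requirement 1: user vlans are isolated from one another.
    for a in user_vlans:
        for b in user_vlans:
            if a != b and evaluate(rules, sample_host(a), sample_host(b), "tcp/445") == "accept":
                violations.append(f"{a} can reach {b}")
    # Requirement 2: BD servers reachable only from vlan3 and the internal web server.
    bd = sample_host("bd")
    for zone in ZONES:
        if zone in ("vlan3", "bd"):
            continue
        # For the internal segment, probe with a host that is NOT the web server,
        # so an over-broad "internal -> bd" rule is caught.
        probe = INTERNAL_DNS if zone == "internal" else sample_host(zone)
        if evaluate(rules, probe, bd, "tcp/1521") == "accept":
            violations.append(f"{zone} ({probe}) can reach BD servers")
    # The two permitted paths must actually work (a rulebase that blocks everything
    # would otherwise pass).
    if evaluate(rules, INTERNAL_WWW, bd, "tcp/1521") != "accept":
        violations.append("internal web server cannot reach BD servers")
    if evaluate(rules, sample_host("vlan3"), bd, "tcp/1521") != "accept":
        violations.append("vlan3 cannot reach BD servers")
    return violations


# Over-broad rulebase: a "vlan1 to any" rule and a rule for the whole internal
# segment rather than just the web server.
LOOSE_RULES = [
    Rule("any", "dmz1", "tcp/80", "accept"),
    Rule("vlan1", "any", "any", "accept"),
    Rule("internal", "bd", "tcp/1521", "accept"),
    Rule("vlan3", "bd", "tcp/1521", "accept"),
]

# Rulebase that encodes the stated requirements, with an explicit cleanup rule.
TIGHT_RULES = [
    Rule("any", "dmz1", "tcp/80", "accept"),
    Rule("vlan3", "bd", "tcp/1521", "accept"),
    Rule("internal_www", "bd", "tcp/1521", "accept"),
    Rule("any", "any", "any", "drop"),
]

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE_RULES), ("tight", TIGHT_RULES)):
        print(name, check_requirements(rules) or "OK")
```

Running it reports four violations for the loose rulebase (vlan1 reaching vlan2 and vlan3, and both vlan1 and the non-web internal host reaching the BD servers) and none for the tight one. The same check can be rerun every time an "exception" between vlans is added, which is where the isolation in such designs usually erodes.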
