DMZ with commodity firewall

17 years 5 months ago #17815 by tfs
We have a couple of DMZs set up with Firewalls such as NetGear and Linksys to separate the subnets.

The problem is that these are Firewall/Dsl Routers that are intended to route information from your local network to the Internet that also have firewall functions.

The Wan side has a gateway that is usually the DSL Router.

You can usually set up the Firewall as Standard or Nat. With Standard the Lan and Wan have to be on the same subnet. With Nat the Wan is the ISP's Router address (public) and the Lan is your private network.

In my case, I want to use Firewall inside the private network where both the Lan and Wan would have private addresses but each would be a public address.

So on my Protected network I would have all my user machines on the 10.0.0.X network and my DMZ that has my Sql Servers would be on the 10.0.3.X network.

I don't know if it matters which side has Lan or Wan interface. But what about the Gateway address. I have it set up at the moment as:

Wan:
IP Address: 10.0.0.251
Mask: 255.255.255.0
Gateway: ?

Lan:
IP Address: 10.0.3.251
Mask: 255.255.255.0

Sql Server IP Address: 10.0.3.2
My workstation: 10.0.0.25

I am assuming that Nat needs to be set for this to work. But in the Internet world you would not be able to access an address in the private network directly, only in response to a request. So there would need to be a request from the private address first to the Internet and the Internet would respond, but not the other way round.

Since I am Natting here, wouldn't I have the same problem? Is there a way to make this work with these types of Firewalls?

We have a Checkpoint Firewall that does this great. But that is too expensive for us here in this scenario.

Thanks,

Tom
17 years 5 months ago #17834 by TheBishop
The key to nearly all of this is that, as you say, these devices are designed for a private network accessing the internet. As such they have a 'default philosophy' that anything on the private LAN can initiate connections to the internet unless explicitly denied in the rules, and anything initiated from the outside is blocked unless explicitly permitted in the rules. It depends on the specifics of the device, but it's likely that the NAT has been implemented with this in mind. I've used Allied Telesyn devices here and they do work, but I had to sit down and break my brain trying to figure out which side needed to be the 'public' and which the 'private' first. Bear all this in mind, and don't be surprised if you come across a few limitations in the way it works.
17 years 5 months ago #17847 by tfs
Replied by tfs on topic Re: DMZ with commodity firewall
I agree.

That is what is driving me buggy. At the moment we are using a NetGear FVS114 Firewall. We think it is causing us problems, so I was looking at a SonicWall Soho3. But after reading the document on the Netgear, it talks about Internet Sharing Firewalls where requests from the outside are discarded. Only packets that come from the outside as a response are accepted. On the Netgear, this is also the case unless you have a rule set up to accept requests by service (such as port 80 - http).

I don't know if this is normal or not, but one of the things required is a Gateway. I would assume that a normal non-internet-sharing firewall wouldn't have a Gateway, as you are only routing packets from one subnet to another (no Nat).

I am not sure if the SonicWall does this or not. If not, I will need to look elsewhere. I was looking at that as I happen to have one.

Thanks,

Tom
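To make TheBishop's 'default philosophy' and the Netgear behaviour Tom describes concrete, here is an added example that is not part of the thread or of any of the vendors' firmware: a small Python model of a stateful 'Internet sharing' policy using the addresses from the first post (workstations on 10.0.0.0/24 behind the WAN port, the SQL DMZ on 10.0.3.0/24 behind the LAN port). Port 1433 as the SQL Server port is an assumption; the thread names no port. The model shows why a workstation's request to the DMZ is discarded until an explicit per-service rule exists, while replies to DMZ-initiated flows pass.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addressing taken from the thread: user workstations sit on the firewall's
# "WAN" port, the DMZ with the SQL servers on its "LAN" port.
WAN_NET = ip_network("10.0.0.0/24")
LAN_NET = ip_network("10.0.3.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # True for a connection-initiating packet, False for any later packet


class SohoFirewall:
    """Model (constructed for this example) of the 'Internet sharing' policy:
    LAN-initiated flows pass, replies to them pass, anything else arriving on
    the WAN side is discarded unless an explicit per-service rule permits it."""

    def __init__(self, inbound_rules=()):
        # Explicitly permitted (destination IP, destination port) pairs on the
        # LAN side, i.e. a "rule set up to accept requests by service".
        self.inbound_rules = {(ip_address(ip), port) for ip, port in inbound_rules}
        # Established flows keyed as (lan_ip, lan_port, wan_ip, wan_port).
        self.state = set()

    def evaluate(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if src in LAN_NET and dst in WAN_NET:
            key = (src, pkt.sport, dst, pkt.dport)
            if pkt.syn:
                self.state.add(key)       # LAN may initiate anything outbound
                return "ALLOW"
            return "ALLOW" if key in self.state else "DROP"
        if src in WAN_NET and dst in LAN_NET:
            key = (dst, pkt.dport, src, pkt.sport)
            if key in self.state:
                return "ALLOW"            # reply to a LAN-initiated flow
            if pkt.syn and (dst, pkt.dport) in self.inbound_rules:
                self.state.add(key)       # explicitly permitted inbound service
                return "ALLOW"
            return "DROP"                 # default: unsolicited WAN traffic discarded
        return "DROP"


def run_scenario():
    """Constructed traffic between the workstation and SQL server from the thread."""
    results = {}
    fw = SohoFirewall()
    # Workstation 10.0.0.25 opens a connection to the SQL server on 10.0.3.2
    # (1433 assumed as the SQL Server port): discarded with the default policy.
    results["ws_to_sql_default"] = fw.evaluate(Packet("10.0.0.25", "10.0.3.2", 50000, 1433, True))
    # The DMZ host itself may initiate towards the user network ...
    results["sql_out"] = fw.evaluate(Packet("10.0.3.2", "10.0.0.25", 40000, 8080, True))
    # ... and the workstation's reply to that flow is let back in.
    results["ws_reply"] = fw.evaluate(Packet("10.0.0.25", "10.0.3.2", 8080, 40000, False))
    # A non-initial packet from the WAN side with no matching state is discarded.
    results["ws_unsolicited"] = fw.evaluate(Packet("10.0.0.25", "10.0.3.2", 8080, 40001, False))
    # With a per-service rule for the SQL port the same request is accepted,
    # and the server's reply is matched against the state that rule created.
    fw_rule = SohoFirewall(inbound_rules=[("10.0.3.2", 1433)])
    results["ws_to_sql_with_rule"] = fw_rule.evaluate(Packet("10.0.0.25", "10.0.3.2", 50000, 1433, True))
    results["sql_reply_with_rule"] = fw_rule.evaluate(Packet("10.0.3.2", "10.0.0.25", 1433, 50000, False))
    # The rule is per service: another port on the same DMZ host is still dropped.
    results["ws_to_sql_other_port"] = fw_rule.evaluate(Packet("10.0.0.25", "10.0.3.2", 50001, 3389, True))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:24} {verdict}")
```

The practical consequence for Tom's layout is that every service the users need from the DMZ has to be opened with its own inbound rule on the box, exactly as the Netgear document describes for port 80; swapping which subnet sits on the WAN port changes which direction is the permissive one, which is the confusion TheBishop mentions.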
17 years 5 months ago #17871 by TheBishop
I suppose it serves us right for trying to be thrifty. When you read the publicity material on these cheap boxes it sounds as if they can do everything, and there's certainly no mention of limitations. However, I've learned to look for the clues now: when the opening paragraphs contain something like "designed for the small office / home office environment..." then I know I'm likely to have problems if I deploy it into a commercial network. That's not to say they won't work - my cheap ATI firewall/routers do the job, but I was sweating at first thinking "oh dear; this is not going to work...". My recommendation would be to run a test - get a sample from the manufacturer and test the proposed configuration with a promise you'll buy one if it does the job.
17 years 5 months ago #17874 by Smurf
Testing is definitely a great suggestion to ensure compatibility within your own environment.

All that I would add to this thread is to consider support options on the cheaper/lower-end equipment. It will all depend on the environment you are installing it in and how much potential downtime you can withstand.

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 5 months ago #17889 by tfs
Replied by tfs on topic Re: DMZ with commodity firewall
I agree.

I plan to do some testing with the SonicWall (since I have it), but I was also thinking about getting a router to do the job instead of the firewall.

I was looking at a Cisco 800 series router - but it has only one Wan port and it is ADSL - so the question is whether I will have the same type of problem, in that it may be an Internet Sharing Firewall where the only routing that is done is Nating.

The other possibility is an 1841, which I can get for about $271.

Thanks,

Tom