
Protecting one LAN from another

Oct 14, 2002 | 3 mins
Network Security, Networking

I have worked with several firewalls and have not seen one that is focused on protecting one LAN from another LAN. The caveat is that both LANs would need access to the Internet via some additional firewall located on another segment.

The firewalls I have worked with assume that you will access the Internet via the existing WAN port on the firewall. If you don’t want to do this, that is, you want to push them toward another firewall to go on the Internet, it fails. I realize you can do this with a router and two LAN ports, but I am interested in the door knob twists and reporting. I was wondering if anyone is deploying this kind of scenario and what product(s) they might be using.

— Chip Gerald

What you are asking to do is becoming more and more common. You have to protect against attackers inside your network as well as outside it. Novell has shown this as one way to use its Border Manager firewall product for several years.

The main thing you need to do is turn off NAT (Network Address Translation) on the firewall that sits between the two LAN segments and let it act as the router it essentially is. With NAT off, the firewall simply forwards packets between two directly connected, routable networks, and each LAN's default route can still point at the separate Internet firewall on the other segment.

Once you have NAT turned off, make sure that each side of the network can talk to the other. This part has to be working before you go on to the next step, which is putting filters in place to allow through only the traffic you want on a particular segment; otherwise you will not be able to tell whether a blocked connection is a routing problem or a filter problem.

Packet filtering, where you allow in and out only the traffic you want, is an area to proceed in carefully. The safest approach is a default deny with an explicit permit for each required application, added one rule at a time so that a broken application can be traced back to the rule that blocked it.

I cannot stress strongly enough that if you don't know how to use a protocol analyzer now, spend the time learning before trying to do packet filtering with a firewall. For standard applications such as SMTP, WWW, etc., you won't need an analyzer to help you set up the filters as a general rule. Where it will come in handy is when you have special applications from companies such as banks that use non-standard port numbers, or port numbers that change from one session to the next, so that you can see on the wire exactly what the application needs before you write the rule.
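As an added illustration of the three steps above (NAT off, route between the segments, then default-deny filtering with explicit permits and logging), here is a small worked example that is not part of the original column and does not represent any of the vendors' products. It models a single firewall routing between two LANs, evaluates sample connections against a permit list with a default drop, emits a syslog-style line per decision, and renders the same policy as Linux iptables FORWARD rules. The networks, interface names and the permitted services are constructed assumptions.

```python
"""LAN-to-LAN filtering on a routing firewall: default deny, explicit permits,
per-decision logging, and the equivalent iptables FORWARD rules (no NAT)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed topology (assumption): one firewall with an interface on each
# LAN. No NAT is configured, so the box simply routes between the two.
LAN_A = ip_network("10.1.0.0/24")
LAN_B = ip_network("10.2.0.0/24")
IFACE = {LAN_A: "eth1", LAN_B: "eth2"}


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str            # "tcp" or "udp"
    dport: Optional[int]  # None means any destination port
    action: str           # "ACCEPT" or "DROP"


# Explicit permits only; anything not listed falls through to default deny.
POLICY = [
    Rule(LAN_A, LAN_B, "tcp", 25, "ACCEPT"),   # SMTP to the mail relay on LAN B
    Rule(LAN_A, LAN_B, "tcp", 80, "ACCEPT"),   # WWW to the intranet server on LAN B
    Rule(LAN_B, LAN_A, "tcp", 443, "ACCEPT"),  # HTTPS to an application server on LAN A
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule covers the packet."""
    return (ip_address(pkt.src) in rule.src
            and ip_address(pkt.dst) in rule.dst
            and pkt.proto == rule.proto
            and (rule.dport is None or pkt.dport == rule.dport))


def evaluate(policy: List[Rule], pkt: Packet) -> str:
    """First-match evaluation of a new connection; the default verdict is DROP."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action
    return "DROP"


def log_line(pkt: Packet, verdict: str) -> str:
    """One syslog-style record per decision, the kind of output you would
    forward to a syslog server rather than sift out of a flat text file."""
    return f"lan2lan {verdict} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}"


def to_iptables(policy: List[Rule]) -> List[str]:
    """Render the same policy as Linux iptables FORWARD rules.
    There is deliberately no SNAT/MASQUERADE line: NAT is off, the box routes."""
    lines = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in policy:
        port = f" --dport {r.dport}" if r.dport is not None else ""
        lines.append(
            f"iptables -A FORWARD -i {IFACE[r.src]} -o {IFACE[r.dst]} "
            f"-s {r.src} -d {r.dst} -p {r.proto}{port} -j {r.action}")
    # Log whatever falls through so dropped traffic shows up in reporting.
    lines.append('iptables -A FORWARD -j LOG --log-prefix "lan2lan DROP "')
    return lines


if __name__ == "__main__":
    # Constructed sample connections, not captured traffic.
    samples = [
        Packet("10.1.0.5", "10.2.0.10", "tcp", 25),      # permitted SMTP
        Packet("10.1.0.5", "10.2.0.10", "tcp", 23),      # telnet: not in the policy
        Packet("10.2.0.10", "10.1.0.5", "tcp", 25),      # SMTP in the wrong direction
        Packet("192.168.9.9", "10.2.0.10", "tcp", 80),   # source on neither LAN
    ]
    for p in samples:
        print(log_line(p, evaluate(POLICY, p)))
    print("\n".join(to_iptables(POLICY)))
```

The rule order matters in two places: the conntrack line lets reply packets of permitted connections back through without a mirror-image rule for each service, and the LOG rule sits last so that only traffic nothing else matched is recorded before the chain's DROP policy takes it.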

As to specific product recommendations, talk to the individual vendors themselves to see if they can operate in that environment. You should be able to use vendors such as Cisco, Nortel and Novell to mention just a few of the possibilities that are available.

You can expect to find a wide variety when it comes to reporting. Some vendors will give you a text file that you will have to sift through, where others may be able to talk to a syslog server where you can have a little more control over how the output is formatted.