Basics, where to put firewall in the network

masashi123
Dec 15, 2017
Hello,
I hope I've chosen the right forum department. I'm quite new to the topic and I need some help with understanding the basics of placing a firewall in the network.
I have been assigned the task of creating an example network including a FortiGate firewall in GNS3. I managed to get the FortiGate VM, gained access to web management by assigning an IP address to one of the ports, and I have run out of ideas of what to do next.
My goal is to connect the firewall and the PC to one router on separate links (?). The PC is supposed to be protected by the firewall, on which I am going to create some example policies, filters etc. Also, the PC should be directly accessible from outside of the router.

As far as I know, there is no way to make something like this: PC --- FW --- Router without setting up NAT on the FW (the PC would be inaccessible then). Because of that, I came up with the idea of connecting the FW and the PC directly to the router (so PC -- Router -- FW, and the rest of the network connected to the router), and the thing is that I don't know how to set it all up now.

In other words, all traffic which comes to the router's interfaces with the destination IP address set to this PC should be filtered and then sent to this PC. And the same in the opposite direction. Does it make sense at all? Are there any other ways to do this?

Sorry for asking kind of newbie questions, but I've spent lots of time online looking for the solution and didn't find any satisfying one.

Thank you for any tips
Regards
 
A firewall is a border device.

ISP->router->firewall->devices.
Of course, this depends completely on what "firewall" you are using.

And unless you really know what you're doing, you don't run the 'firewall' in a VM.

Is this a business setup?
A homework setup?
A residential setup?
 
It's a school project, so it doesn't have to be either professional or safe. I just want to filter any traffic that is coming to this PC from the network and from this PC to the network. And that's all. Is the scheme you posted required here?

As I said, I'm new to firewalls, so I don't know what you meant in that part "Of course..". It's a FortiGate VM and everything is created in the network simulator GNS3 (a few routers, hosts and the FW).
 


The basic question is....what physical box is this firewall running on?
 
What exactly do you mean by the physical box? A laptop or a virtual machine (parameters?) or something else? Problems with understanding the vocabulary, eh, sorry..
 


A Virtual Machine (VM) is a guest 'system' in a host.
If you run the firewall in a guest VM on the host of another OS...all traffic still touches the host.
Unless you are very careful in how you configure this.
And some viruses, which would otherwise be captured by the firewall, can recognize that they are in a VM, and act accordingly.

A physical box would be a whole other actual PC or laptop.
 
It is a physical device in any real-world install. The better devices have hardware accelerator chips for various functions.

When you are running simulators, then your options for placement are likely limited in some ways.
 
USAFRet
Thank you for the explanation.

I run the whole simulation (including the FW) on a laptop with Xubuntu 16.04 installed. I am not afraid of viruses because I haven't had one since installing Linux, so that's not a problem. I am fully aware of the danger.

The thing is that I don't get why my 'physical box' is so important here. I just want to keep it as simple as possible (I mean the firewall placement).



bill001g
Yes, I know it is, but using a VM just suits my needs. I am not building a real network with a connection to the internet, just a simple simulation with basic firewall functions. So I'd say that those limitations don't really matter because my 'only' limitation is RAM and the number of VMs I can handle on the laptop :)
 


If this were a real world deployment, you'd do things differently.

Since this is a class assignment in a simulated environment, things are different.


Conceptually:
ISP->router->firewall->devices.
 
I agree with that. So what would you recommend for my simulation? Is there any other way?

As I said, it would be great if the PC 'protected' by the firewall would be directly accessible from the network, not behind the NAT (in your concept PC=devices, so it is behind the NAT looking from the ISP's point of view).

Or is it possible to configure the firewall in a way in which the PC is one of those devices? In my opinion that's impossible.
 
That's the whole point of the firewall...to be a traffic cop between the PC and the wider world.

The NAT is done by a DHCP server. Either in the router, or some functionality in the firewall device.
This gives internal IP addresses to all your devices.
 
So, to sum up a little bit, the only solution is to build something like:
PC -- FW -- Router -- rest of the network, and NAT on either the Router or the FW?
 


Data flow:
Outside world/ISP->Router->FW->devices
or
Outside world/ISP->FW->Router->devices

Either way, depending on what you want the Firewall to do.
Either the router or the Firewall can do DHCP duty. But not both.
 
Well, that is not the best answer for me.. If the PC has to be behind the NAT, that quite strongly limits my possibilities for testing the network and the firewall, or at least I think so. So how do I test firewall policies (it may be almost anything which is maybe.. not too complicated) and settings in such an environment? Should I create some HTTP server and DNS that this PC behind the firewall could try to connect to? Are the simplest policies to set (pinging between the PC behind the firewall and the rest of the network) ruled out because of NAT, or is there any way?
 


This is when you have another system, that bypasses the firewall. Just for testing.

ISP-Router-Firewall-PC
ISP-Router-PC

What happens?
 
There is a problem, because the second option guarantees a direct link between the PC and the router, which knows what to do with the traffic and does NAT. Everything is just standard. The router knows the route to the ISP, which knows the routes to all outside networks.

In the first one, there is no such connection, and that is something I don't understand yet because it's directly connected to the IP addressing of the whole thing - of course it can also be my misconception since I'm new to the topic. What about the PC's gateway address? The router's or the firewall's interface?
 


So then have the 'firewall' do only firewall things. It is a filter.

The Router does all the DHCP stuff, to serve internal IP addresses.

The firewall sits between, and filters out malware, etc.
 
So if it is a filter, as you just said, assigning IP addresses on the ports shouldn't be necessary in basic use, as long as you don't enter web management, which requires some address. In that case, the PC's gateway address should be the router's interface address, and the firewall has ports connected to the PC and the router but with no addresses assigned (PC -- FW -- Router -- ISP config). Am I finally right? :)
 


Yes, it can work that way.
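The layout the thread settles on, a firewall with no IP address of its own bridging the PC to the router (what FortiGate calls transparent mode), can be modelled in a few lines. The following is an added illustration, not code from the thread or from Fortinet, and every address, port name and policy in it is constructed: the PC is 10.0.0.10 with the router's LAN port 10.0.0.1 as its gateway, the firewall's port1 faces the PC and port2 faces the router, and the outside hosts 198.51.100.5 and 198.51.100.77 sit beyond the router. It shows the two points made above: the PC keeps its routable address (an inbound HTTP policy reaches it directly, no NAT involved), and the firewall still filters in both directions, with replies to sessions the PC opened passing while unsolicited inbound traffic hits the implicit deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed lab values (not the OP's GNS3 topology).
PC = "10.0.0.10"
PC_NET = "10.0.0.0/24"
OUTSIDE_A = "198.51.100.5"    # host the PC talks to
OUTSIDE_B = "198.51.100.77"   # host that probes the PC unsolicited


@dataclass(frozen=True)
class Packet:
    in_if: str      # "port1" = arrived from the PC side, "port2" = from the router side
    src: str
    dst: str
    proto: str      # "icmp", "tcp" or "udp"
    sport: int = 0  # 0 for icmp
    dport: int = 0


@dataclass(frozen=True)
class Policy:
    """One row of a FortiGate-style policy table: interface pair, addresses, service, action."""
    name: str
    src_if: str
    dst_if: str
    src_net: str
    dst_net: str
    proto: str = "any"
    dport: Optional[int] = None   # None matches any port
    action: str = "deny"

    def matches(self, pkt: Packet) -> bool:
        # A two-port bridge: whatever arrives on one port leaves on the other.
        out_if = "port2" if pkt.in_if == "port1" else "port1"
        return (self.src_if == pkt.in_if and self.dst_if == out_if
                and ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


class TransparentFirewall:
    """Bridges port1 and port2 without an IP address; forwards by policy, default deny."""

    def __init__(self, policies):
        self.policies = list(policies)
        self.sessions = set()   # 5-tuples of accepted flows, so replies can return

    def forward(self, pkt: Packet):
        """Return (action, reason). Replies to accepted flows pass; otherwise the
        first matching policy wins; no match means the implicit deny."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reply in self.sessions:
            return "accept", "reply to established session"
        for pol in self.policies:
            if pol.matches(pkt):
                if pol.action == "accept":
                    self.sessions.add(key)
                return pol.action, pol.name
        return "deny", "implicit deny (no policy matched)"


# Constructed policy table: the PC may start anything outbound; from the
# router side only HTTP to the PC is allowed; everything else is dropped.
POLICIES = [
    Policy("pc-to-anywhere", "port1", "port2", PC_NET, "0.0.0.0/0", action="accept"),
    Policy("inbound-http-to-pc", "port2", "port1", "0.0.0.0/0", PC + "/32",
           proto="tcp", dport=80, action="accept"),
]


def run_demo():
    """Push a handful of constructed packets through the bridge and report the verdicts."""
    fw = TransferFirewall = TransparentFirewall(POLICIES)
    r = {}
    # PC pings an outside host: echo goes out by policy, the echo reply comes back as state.
    r["pc_ping_out"] = fw.forward(Packet("port1", PC, OUTSIDE_A, "icmp"))[0]
    r["ping_reply_in"] = fw.forward(Packet("port2", OUTSIDE_A, PC, "icmp"))[0]
    # A different outside host pings the PC unsolicited: no session, no policy -> deny.
    # (A real firewall also keys ICMP state on type/id; this toy only keys on addresses.)
    r["outside_ping_pc"] = fw.forward(Packet("port2", OUTSIDE_B, PC, "icmp"))[0]
    # Inbound HTTP to the PC's real address is allowed by policy, and the PC's reply returns.
    r["outside_http_to_pc"] = fw.forward(Packet("port2", OUTSIDE_B, PC, "tcp", 40000, 80))[0]
    r["http_reply_out"] = fw.forward(Packet("port1", PC, OUTSIDE_B, "tcp", 80, 40000))[0]
    # Inbound SSH has no policy -> implicit deny.
    r["outside_ssh_to_pc"] = fw.forward(Packet("port2", OUTSIDE_B, PC, "tcp", 40001, 22))[0]
    return r


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:20s} {verdict}")
```

Because the firewall never rewrites addresses, the router's routing table and the PC's gateway (10.0.0.1) are exactly what they would be without the firewall in the path; the only thing the bridge adds is the policy decision, which is why the PC can be reached from outside for the services you explicitly allow while everything else is dropped.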
 
Ok, so thank you veeery much for your help. I know I wasn't the best interlocutor, but it seems to me that I have finally started to understand what it's all about.
Could I ask you anything else here if I need to in the next few days?

It's almost half past 2am in my location so it's time to get some sleep and get back to work tomorrow.
Again, thank you and good night.