Re: Networking Question




On 11/26/2015 07:43 AM, Alice Wonder wrote:
> What I would like to do with it, I want to make sure it is possible and
> sane before I buy it.

In general, it's possible. It's sane if you want to study networking, but otherwise it's a little over the top.

Most of the time you just need three zones: untrusted, DMZ, and trusted. Each zone has full access to a zone of lower trust metric, but limited or none to more trusted networks. The internet is part of the untrusted zone, and guest WiFi networks typically are, too. The untrusted zone has limited access (in your case, via port forwards) to the DMZ. The DMZ can access the internet, but not the trusted zone. The trusted zone has mostly unlimited access to everything. All zones should have egress filtering to prevent sending malicious traffic, or at least traffic with a bad source address.

I'd agree with Steven that for study's sake, VLANs might be a better choice than multiple NICs for a few reasons: If you're studying networking for professional reasons, you *will* need some experience with VLANs. Managed switches can be fairly reasonable. I like the HP 1810-8G (or 16G, or 24G, depending on how many ports you need). If you use multiple interfaces on your firewall, you'll typically need switches for each one. If you use VLANs instead, you can dynamically assign ports to different broadcast domains.

As far as security goes, typically managed switches allow you to assign access to each VLAN per port. Because access to a virtual LAN is assigned to the port, and not to an IP address or MAC address, spoofing isn't generally a concern.

> A will have a NAS. I can reach it from Internet (via port forwarding)
> and B and C (routing table) but from it, I can not connect to Internet
> or B, C, D. That network which likely will only have a few devices can
> not initiate connection to Internet or the other networks.

You're proposing that you set up hosts which are accessible by the internet (the least trusted zone) but don't have internet access to retrieve and apply security updates. That's not a good idea at all.

> B is my trusted home network. It can connect to Internet (NAT) and to A
> (port forwarding) but can not reach C or D

That's possible, but I can't think of a good reason to use port forwarding, there. NAT is a crutch to compensate for a lack of addresses in the IPv4 network. You should only use it when there's no other choice.

> C is untrusted home network. Things like my TV and Bluray player that
> need Internet access but that I don't want to have the ability to reach
> anything on B, but I do want them to be able to talk to NAS on A via
> port forwarding. I'm always paranoid about those devices on my network,
> I don't trust what they are doing. Call it tin foil but I don't trust
> them. Yet they don't work right without access to Internet (updates /
> netflix)

I wouldn't argue that you should trust those devices. You definitely shouldn't. But consider what you're protecting. If you put them on the same network as the NAS, are you making it more exposed to attack? It's already connected to the internet. Are you protecting those devices from the NAS, if it gets compromised? If so, what would an attacker gain by targeting those devices? Or maybe the guest WiFi network would be a good fit for those devices.

I'd encourage you to think about that carefully, because if you start segmenting your network without a specific need to do so, you'll end up isolating each device individually.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos


