[CentOS] Networking Question
Gordon Messmer
gordon.messmer at gmail.com
Fri Nov 27 19:56:37 UTC 2015
On 11/26/2015 07:43 AM, Alice Wonder wrote:
> What I would like to do with it, I want to make sure it is possible and
> sane before I buy it.
In general, it's possible. It's sane if you want to study networking,
but otherwise it's a little over the top.
Most of the time you just need three zones: untrusted, DMZ, and
trusted. Each zone has full access to a zone of lower trust metric, but
limited or none to more trusted networks. The internet is part of the
untrusted zone, and guest WiFi networks typically are, too. The
untrusted zone has limited access (in your case, via port forwards) to
the DMZ. The DMZ can access the internet, but not the trusted zone.
The trusted zone has mostly unlimited access to everything. All zones
should have egress filtering to prevent sending malicious traffic, or at
least traffic with a bad source address.
I'd agree with Steven that for study's sake, VLANs might be a better
choice than multiple NICs for a few reasons: If you're studying
networking for professional reasons, you *will* need some experience
with VLANs. Managed switches can be fairly reasonable. I like the HP
1810-8G (or 16G, or 24G, depending on how many ports you need). If you
use multiple interfaces on your firewall, you'll typically need switches
for each one. If you use VLANs instead, you can dynamically assign
ports to different broadcast domains.
As far as security goes, typically managed switches allow you to assign
access to each VLAN per port. Because access to a virtual LAN is
assigned to the port, and not to an IP address or MAC address, spoofing
isn't generally a concern.
> A will have a NAS. I can reach it from Internet (via port forwarding)
> and B and C (routing table) but from it, I can not connect to Internet
> or B, C, D. That network which likely will only have a few devices can
> not initiate connection to Internet or the other networks.
You're proposing that you set up hosts which are accessible by the
internet (the least trusted zone) but don't have internet access to
retrieve and apply security updates. That's not a good idea at all.
> B is my trusted home network. It can connect to Internet (NAT) and to A
> (port forwarding) but can not reach C or D
That's possible, but I can't think of a good reason to use port
forwarding, there. NAT is a crutch to compensate for a lack of
addresses in the IPv4 network. You should only use it when there's no
other choice.
> C is untrusted home network. Things like my TV and Bluray player that
> need Internet access but that I don't want to have the ability to reach
> anything on B, but I do want them to be able to talk to NAS on A via
> port forwarding. I'm always paranoid about those devices on my network,
> I don't trust what they are doing. Call it tin foil but I don't trust
> them. Yet they don't work right without access to Internet (updates /
> netflix)
I wouldn't argue that you should trust those devices. You definitely
shouldn't. But consider what you're protecting. If you put them on the
same network as the NAS, are you making it more exposed to attack? It's
already connected to the internet. Are you protecting those devices
from the NAS, if it gets compromised? If so, what would an attacker
gain by targeting those devices? Or maybe the guest WiFi network would
be a good fit for those devices.
I'd encourage you to think about that carefully, because if you start
segmenting your network without a specific need to do so, you'll end up
isolating each device individually.
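As an added example (not part of Gordon's reply or of the thread), here is a small Python model of the three-zone design he describes: each zone gets a trust metric, a zone may open connections to any zone of equal or lower trust, the only path upward is an explicit port forward, and every interface enforces anti-spoofing on source addresses. The zone names, prefixes (10.0.1.0/24 for the DMZ, 10.0.2.0/24 for trusted), interface names and the single port forward are assumptions made for the example; the `nftables_rules()` function renders the same tables as nftables rule text as an illustrative mapping, not a ruleset from the post.

```python
"""Zone-based firewall policy model: untrusted < DMZ < trusted.

Added example with hypothetical addressing; not code from the mailing list.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Zone:
    name: str
    trust: int          # higher number = more trusted
    prefixes: tuple     # networks that may legitimately source traffic here
    interfaces: tuple   # firewall interfaces attached to this zone


# Assumed topology: internet and guest WiFi share the untrusted zone.
ZONES = {
    "untrusted": Zone("untrusted", 0, (), ("eth0", "wlan_guest")),
    "dmz":       Zone("dmz",       1, (ip_network("10.0.1.0/24"),), ("eth1",)),
    "trusted":   Zone("trusted",   2, (ip_network("10.0.2.0/24"),), ("eth2",)),
}

# Port forwards are the only way a lower-trust zone reaches a higher one.
# (src_zone, dst_zone, proto, dst_ip, dst_port) -- assumed values.
PORT_FORWARDS = (
    ("untrusted", "dmz", "tcp", "10.0.1.10", 443),
)

INTERNAL = [p for z in ZONES.values() for p in z.prefixes]


def zone_of_interface(iface):
    for z in ZONES.values():
        if iface in z.interfaces:
            return z
    raise ValueError(f"unknown interface {iface}")


def zone_of_address(addr):
    a = ip_address(addr)
    for z in ZONES.values():
        if any(a in p for p in z.prefixes):
            return z
    return ZONES["untrusted"]   # anything that is not ours is the internet


def source_is_spoofed(in_zone, src):
    """Anti-spoofing: a packet must carry a source address that belongs to
    the zone whose interface it arrived on; packets from the untrusted side
    must never claim an internal address."""
    a = ip_address(src)
    if in_zone.prefixes:
        return not any(a in p for p in in_zone.prefixes)
    return any(a in p for p in INTERNAL)


def decide(in_iface, src, dst, proto, dport):
    """Return (verdict, reason) for a NEW connection entering on in_iface."""
    src_zone = zone_of_interface(in_iface)
    if source_is_spoofed(src_zone, src):
        return "drop", f"spoofed source {src} on {in_iface} ({src_zone.name})"
    dst_zone = zone_of_address(dst)
    if src_zone.trust >= dst_zone.trust:
        return "accept", f"{src_zone.name} -> {dst_zone.name}: equal or lower trust"
    for fwd in PORT_FORWARDS:
        if fwd == (src_zone.name, dst_zone.name, proto, dst, dport):
            return "accept", f"port forward {proto}/{dport} to {dst}"
    return "drop", f"{src_zone.name} -> {dst_zone.name}: no path to higher trust"


def nftables_rules():
    """Render the same policy as (chain, rule) pairs in nftables syntax.
    'antispoof' is meant for a filter chain hooked at prerouting, 'dnat' for
    a nat prerouting chain, 'forward' for a filter forward chain whose
    default policy is drop. Illustrative mapping, assumed for this example."""
    rules = []
    internal = ", ".join(str(p) for p in INTERNAL)
    for z in ZONES.values():
        for iface in z.interfaces:
            if z.prefixes:
                allowed = ", ".join(str(p) for p in z.prefixes)
                rules.append(("antispoof", f'iifname "{iface}" ip saddr != {{ {allowed} }} drop'))
            else:
                rules.append(("antispoof", f'iifname "{iface}" ip saddr {{ {internal} }} drop'))
    for s, d, proto, ip, port in PORT_FORWARDS:
        for iface in ZONES[s].interfaces:
            rules.append(("dnat", f'iifname "{iface}" {proto} dport {port} dnat to {ip}'))
    for src in ZONES.values():
        for dst in ZONES.values():
            if src.trust < dst.trust:
                continue
            for i in src.interfaces:
                for o in dst.interfaces:
                    if i != o:
                        rules.append(("forward", f'iifname "{i}" oifname "{o}" accept'))
    return rules


if __name__ == "__main__":
    # Constructed sample flows: trusted to NAS, DMZ to trusted, internet to NAS.
    for flow in (("eth2", "10.0.2.5", "10.0.1.10", "tcp", 22),
                 ("eth1", "10.0.1.10", "10.0.2.5", "tcp", 445),
                 ("eth0", "203.0.113.7", "10.0.1.10", "tcp", 443),
                 ("eth0", "10.0.2.5", "10.0.1.10", "tcp", 443)):
        print(flow, "->", decide(*flow))
    for chain, rule in nftables_rules():
        print(f"{chain}: {rule}")
```

The DMZ-to-trusted flow is dropped because nothing in `PORT_FORWARDS` points upward, which is exactly the property that keeps a compromised NAS from reaching the trusted LAN; the DMZ still reaches the internet, so it can fetch updates, which is the objection raised above to an isolated zone A.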