  • Web Filter

    Hi,

    I have a fortinet 100a firewall and was testing to see if I can block a certain website. We have our own in-house IM and we don't want people using third-party web-sites to their IM (meebo.com). Nothing against meebo but we can't monitor anything if they are able to do this.

    Now our environment is setup kinda weird IMO.

    Our firewall was configured by our Network Engineer to go into our switch then back out again. In other words, not all traffic is forced through our firewall.

    Please see attachment.

    So my question is, is traffic somehow bypassing the firewall with this setup like this?

    When I asked the guy who set it up why he did it this way, he stated, "It's the only way I know how" in case you ask why.

  • #2
    Re: Web Filter

    Traffic could bypass your firewall with this setup. If a user knows the router ip address (which would be easy to find out by running tracert), then they could set their default gateway to be the router instead of the firewall and connect directly to the internet through the router. Also, your network is not really being protected from external intruders because the router connects directly to your LAN switch. IMHO all traffic outgoing and incoming should be forced to go through the firewall. I would connect things like this:

    Host-->Switch-->Firewall-->Router-->Internet



    • #3
      Re: Web Filter

      Originally posted by joeqwerty:
      Traffic could bypass your firewall with this setup. If a user knows the router ip address (which would be easy to find out by running tracert), then they could set their default gateway to be the router instead of the firewall and connect directly to the internet through the router. Also, your network is not really being protected from external intruders because the router connects directly to your LAN switch. IMHO all traffic outgoing and incoming should be forced to go through the firewall. I would connect things like this:

      Host-->Switch-->Firewall-->Router-->Internet
      Yeah that is what logic told me along with friends that have similar jobs told me as well.

      I know all our users that get their DHCP configs have the firewall interface as their gateway. The reason I ask is I am having trouble blocking certain websites on this firewall so I figured it was being bypassed somehow.

      Hmm, I'll have to dig deeper.

      Thanks!



      • #4
        Re: Web Filter

        Originally posted by Mudd:
        Our firewall was configured by our Network Engineer to go into our switch then back out again. In other words, not all traffic is forced through our firewall.
        Is that switch divided into several VLANs? I do something similar to this at one office. A 24 Port switch is divided into two VLANs, one an external VLAN and the other is the internal VLAN. All external devices like the phone system, firewall, etc. are plugged into the switch's external VLAN ports. My firewall has one cable plugged into one side of the switch and the other cable plugged into the other side of the switch. Have you checked VLANs to see what the port assignments are? That will probably clarify the situation a bit.
        Wesley David
        LinkedIn | Careers 2.0
        -------------------------------
        Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
        Vendor Neutral Certifications: CWNA
        Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
        Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



        • #5
          Re: Web Filter

          I didn't catch the VLAN aspect of the design when I commented earlier. Assuming that the VLANs, firewall, and router are all configured correctly then in theory a user should not be able to circumvent the firewall to get to the internet. This doesn't in my opinion address the issue of inbound traffic having access to the LAN without transiting the firewall.

          I personally don't trust a configuration that doesn't force all inbound and outbound traffic to transit the firewall. I stand by my previous post regarding how I would physically connect the network components. It would take a little reconfiguring of the router and firewall but if it were me it would make me feel better. Again, here's how I would lay out the physical connections:

          Host-->Switch-->Firewall-->Router



          • #6
            Re: Web Filter

            Originally posted by joeqwerty:
            This doesn't in my opinion address the issue of inbound traffic having access to the LAN without transiting the firewall.
            Hmmm... maybe I'm missing something. Let's take a look.

            [Attached image: VLANs.PNG]

            The ports in red are in one VLAN (let's call it "EXTERNAL") and the ports in blue are in another VLAN ("INTERNAL"). The ISP connection hits your CSU/DSU and from there plugs into port 24. Now the remaining 5 ports can access the internet through that router. Now you take your firewall and plug its WAN-facing port into port 23. To give the office LAN internet connectivity you then plug your firewall's LAN-facing port into port 1 of the switch which is on the "INTERNAL" VLAN. Now your LAN can access the internet. You can't use the CSU/DSU as your gateway from within the LAN for basic routing reasons. Nothing can traverse into the LAN since it's operating under normal firewall design. Furthermore, you can then use the remaining ports in the "EXTERNAL" VLAN for other things and you can also use the switch's management features and data gathering tools on the external data flow (SNMP, sflow, netflow, etc.). It's like a poor man's DMZ... sort of... only not. Just make sure that the "EXTERNAL" VLAN isn't the management VLAN.


            Originally posted by joeqwerty:
            I personally don't trust a configuration that doesn't force all inbound and outbound traffic to transit the firewall.
            Exactly. And in the case of a VLAN being used as your external switch with a firewall plugged into that everything would still have to go through the firewall as per normal behavior.

            Originally posted by joeqwerty:
            Host-->Switch-->Firewall-->Router
            That's pretty much how a setup using an external VLAN is too. Host-->Switch-->Firewall-->External VLAN-->Router. The external VLAN is just like an external switch.
            Wesley David



            • #7
              Re: Web Filter

              Yeah, I'm not confused by the concept, I'm saying I don't trust it if there isn't actual physical separation. In theory the VLANs should keep the external and internal networks separated, but as the VLANs operate at a layer above the physical layer I don't trust them to be configured correctly, absolutely secured, error-free, etc. You're dealing with a single physical device using the same internal, shared switch fabric.

              I would only use this type of set up to segregate and secure internal networks and never to secure my internal network from the rest of the world, but that's just me... my wife thinks I have a touch of OCD so that might explain it.



              • #8
                Re: Web Filter

                My brain now hurts...



                • #9
                  Re: Web Filter

                  What in particular is bruising your gray matter?
                  Wesley David
