Network overview: Will This Work?


slacker_x
08-15-2001, 04:23 PM
This is sort of related to my other post here: http://www.linuxnewbie.org/cgi-bin/ubbcgi/ultimatebb.cgi?ubb=get_topic&f=13&t=004973

I am writing a report on a possible alternative to our current network setup (at the company I work for).

The current setup has multiple sites connected on a frame relay network. All of the web browsers are configured to use the proxy server at the head office so they can access the Internet.

The problems with this setup are:
- the firewall/proxy server is leased and fairly expensive
- bandwidth between offices is limited and expensive


Here is my possible solution:
each site gets a box that will act as a firewall. The firewalls do NAT so that the clients on the LAN have Internet access. The firewalls run FreeS/WAN so that sites can communicate information securely amongst themselves. The firewalls run squid to cache information and monitor web traffic.

What do you think of my solution vs the current setup?

A couple of questions I have about my setup:
- how does the proxy work? Do you redirect all packets with an IP on the Internet and a destination port of 80 to the port that the proxy is running on the firewall? If so, how does the proxy know where the packet is supposed to go since we just changed its destination?

- Does FreeS/WAN introduce a lot of latency? If I ping other sites right now, typical response times are 20-70 ms depending on which site I ping.


Can someone give me a basic explanation of how FreeS/WAN works?
I know this is a lot I'm asking for, but I don't need a detailed explanation. Just a rough overview of where things get encrypted and how addresses are translated. I have a fairly good understanding of how regular NAT would work.
---UPDATE---
How is this for an explanation of a packet travelling between two sites?
- client sends packet to firewall
- firewall sees that destination is on other LAN and sends the packet to the FreeS/WAN program
- FreeS/WAN encrypts the data
here is where I'm a bit hazy... obviously the packet can't get sent out to the Internet with a non-routable source and destination. Does the FreeS/WAN application embed the source and destination in the data and then repackage it with the destination of the other firewall? The packet would then be NATed by the first firewall. FreeS/WAN would accept the incoming packet and decrypt it and extract the correct source and destination and then forward it on to the regular firewall rules.

Am I heading in the right direction here or am I way off?

Thanks a bunch

[ 15 August 2001: Message edited by: slacker_x ]
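An added example (not from either poster) modelling the site-to-site packet flow slacker_x describes above: the firewall decides per destination whether to NAT (Internet-bound) or encapsulate (remote LAN), and for the tunnel the whole inner packet, private addresses included, is encrypted and carried between the two firewalls' public addresses, so the inner addresses are never translated. The site addresses, the key and the HMAC-counter stream cipher are constructed stand-ins; FreeS/WAN itself uses IPsec ESP with keys negotiated by IKE.

```python
import hashlib
import hmac
import ipaddress
import os

# Constructed addressing for two sites (assumption: the poster's real address plan is not on the page).
# Each site has a private LAN and a firewall with one public address; the firewalls are the tunnel ends.
SITES = {
    "A": {"lan": ipaddress.ip_network("10.1.0.0/24"), "gw": "198.51.100.1"},
    "B": {"lan": ipaddress.ip_network("10.2.0.0/24"), "gw": "203.0.113.1"},
}
TUNNEL_KEY = b"constructed demo key"  # in FreeS/WAN the real key is negotiated by IKE, never hard-coded


def _stream_xor(key, nonce, data):
    # Stand-in for ESP's cipher: HMAC-SHA256 in counter mode as a keystream (demo only, no integrity check).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(key, plaintext):
    nonce = os.urandom(8)
    return nonce + _stream_xor(key, nonce, plaintext)

def decrypt(key, blob):
    return _stream_xor(key, blob[:8], blob[8:])

def gateway_send(site, src, dst, payload):
    """Policy check done by the firewall for a packet arriving from its own LAN."""
    dst_ip = ipaddress.ip_address(dst)
    for name, remote in SITES.items():
        if name != site and dst_ip in remote["lan"]:
            # Remote-site traffic: the whole inner packet, private addresses included, becomes the
            # encrypted payload of an outer packet addressed firewall-to-firewall (tunnel mode).
            inner = f"{src}|{dst}|".encode() + payload
            return {"src": SITES[site]["gw"], "dst": remote["gw"], "proto": "ESP",
                    "data": encrypt(TUNNEL_KEY, inner)}
    # Internet-bound traffic: ordinary NAT, only the source address is rewritten, payload untouched.
    return {"src": SITES[site]["gw"], "dst": dst, "proto": "IP", "data": payload}

def gateway_receive(site, packet):
    """The remote firewall unwraps the tunnel and forwards the original packet onto its LAN."""
    if packet["proto"] != "ESP" or packet["dst"] != SITES[site]["gw"]:
        return None  # not for our tunnel endpoint; hand to the ordinary firewall rules
    src, dst, payload = decrypt(TUNNEL_KEY, packet["data"]).split(b"|", 2)
    return {"src": src.decode(), "dst": dst.decode(), "data": payload}
```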

jumpedintothefire
08-16-2001, 01:25 AM
What do you think of my solution vs the current setup?

>I think you're on the right track.

FreeS/WAN would accept the incoming packet and decrypt it and extract the correct source and destination and then forward it on to the regular firewall rules.

Am I heading in the right direction here or am I way off?

I think that is the way the "wrapper" works,
just starting to play... can't confirm that..

I have multi linux to linux pptp-tunnels working, linking 3 lans. Works ok.

Try to replace the frame relays with wireless, cable, anything.....