Networks Thread, 2 networks, 1 firewall in Technical
2nd November 2006, 05:32 PM #1
2 networks, 1 firewall
I would appreciate your thoughts on the following:
We are a boarding school and have 2 isolated networks, one for the boarding houses to give pupils internet access and one for the academic side.
They both have their own ADSL and hardware firewall (SonicWall). One of the SonicWall boxes is quite old and will no longer be supported in a few months' time so we are being sold a newer one, the other is much more current. However, one of the techies from our support co. mentioned the newer one has the capability to handle both networks with the 2 ADSL feeds going in and the 2 networks out, separated by the firewall rules.
In addition, should one of the ADSL connections go down, both networks could draw a feed from the remaining one.
My query is about the feasibility of this and how separate are the 2 networks likely to be (i.e. how secure)?
While I'm typing this I'm wondering if we actually need a hardware firewall on the boarding network as the majority of machines are personally owned by pupils and should/could have software firewalls installed.
Also, I am trying to push CensorNet over Surfcontrol to save £££'s which has a software firewall built in. Would we still need a hardware firewall?
Thanks for your comments.
Richard.
-
2nd November 2006, 05:43 PM #2 Re: 2 networks, 1 firewall

Originally Posted by Wizzer:
While I'm typing this I'm wondering if we actually need a hardware firewall on the boarding network as the majority of machines are personally owned by pupils and should/could have software firewalls installed.
We have boarders too and there is no way in the world I'd not have a firewall and filtering in place - even using their own machines it's the school providing the internet connection and there has to be a duty of care there....
mmmm...fault tolerant dsl - is there any need? What's your downtime like?
-
-
2nd November 2006, 05:44 PM #3 Re: 2 networks, 1 firewall
You could use censornet to provide filtering and access control and that can be run in a firewall mode or just as a proxy but it can't handle 2 separate networks as far as I know.
I would have thought if a hardware sonicwall can support and separate 2 networks then the separation between them should be very secure otherwise it's a pants firewall you are paying for.
Ben
-
-
2nd November 2006, 06:30 PM #4
Re: 2 networks, 1 firewall

Originally Posted by Wizzer:
I would appreciate your thoughts on the following:
We are a boarding school and have 2 isolated networks, one for the boarding houses to give pupils internet access and one for the academic side.
They both have their own ADSL and hardware firewall (SonicWall). One of the SonicWall boxes is quite old and will no longer be supported in a few months' time so we are being sold a newer one, the other is much more current. However, one of the techies from our support co. mentioned the newer one has the capability to handle both networks with the 2 ADSL feeds going in and the 2 networks out, separated by the firewall rules.
In addition, should one of the ADSL connections go down, both networks could draw a feed from the remaining one.
My query is about the feasibility of this and how separate are the 2 networks likely to be (i.e. how secure)?
While I'm typing this I'm wondering if we actually need a hardware firewall on the boarding network as the majority of machines are personally owned by pupils and should/could have software firewalls installed.
Also, I am trying to push CensorNet over Surfcontrol to save £££'s which has a software firewall built in. Would we still need a hardware firewall?
Thanks for your comments.
Richard.
Security wise it should be fine to share it through the same firewall - we use a sonicwall & have the wifi on a separate segment to the main network.
Though that's down to your own judgement and opinion - when I worked for the MOD, secure and non secure networks had to be separate by at least a metre and couldn't be connected through any of the same devices - amusingly KVMs couldn't be used to connect secure and non secure servers / PCs.
But yeah, I'd be fine with it - do some kind of risk assessment and justify it if you feel necessary. I would load balance for redundancy if you can tho.
SonicWalls are slightly new to me, and I'm not 100% impressed - but for the cost and ease of use they're hard to beat.
-
-
2nd November 2006, 08:17 PM #5 Re: 2 networks, 1 firewall
Leaving aside the fact that it's a sonicwall*........
What if the sonicwall goes down / titsup? Then neither network has adsl.
What's the backup plan?
You need a firewall in front of the kids' machines.
If student machines were connected to the Internet here, it would be on completely separate hardware - you don't want the firewall to choke on malware from the kids' machines.
Redundant adsl might be useful - every so often our connection goes down, usually not for long but enough for multiple support calls and lesson plans going out the window. Transparently routing around the problem with a redundant line is something we're looking into.
*they _may_ have got better since I last had to use one
-
-
3rd November 2006, 01:47 AM #6 Re: 2 networks, 1 firewall
There's not really much point in having more than one DSL line for redundancy - if a DSL line fails, it is usually at exchange level and will therefore affect both lines. However, where having more than one DSL line does come in handy is a "bonded" connection, where the two lines are combined for a larger throughput. This, however, is only supported by a small handful of ISPs. And depending on which firewall and/or router you use, you can throttle bandwidth by IP range and/or service ports.
-
-
3rd November 2006, 02:01 AM #7 Re: 2 networks, 1 firewall
One thing that I have looked at in the past with ADSL lines is, as webman has said, the faults are often at exchange level, but if you get 2 ADSL lines, use 2 different suppliers and ensure they are not a subsidiary; go to completely different firms, e.g. get one from Claranet and one from Freedom2Surf or something like that. Then if the ISP has a major network issue you have a good chance of still having an ADSL line if it's the ISP's issue. If you did this, keep an eye on mergers etc. and migrate if needed, as smaller firms are constantly being merged.
Also, if you are in a large town / city and your Internet is important to you, see if you are in range of 2 exchanges, as BT will normally (for a fee, of course) run you one line from each exchange, so if one has issues the other may still be OK. That's how a lot of big firms get good redundancy on critical leased lines, phone systems etc.: get a few from different exchanges so if one goes down the other survives etc...
-
-
3rd November 2006, 10:00 AM #8
Re: 2 networks, 1 firewall
Thank you all for your thoughts. The redundant ADSL thing was only really a by-product of using one hardware firewall. The main driving force was trying to save the money upgrading our older firewall when we already have one that could potentially do the job (our ADSL did seem to go down a lot but we have recently switched providers and so far all seems OK).

Originally Posted by plexer:
You could use censornet to provide filtering and access control and that can be run in a firewall mode or just as a proxy but it can't handle 2 separate networks as far as I know.
It wouldn't need to handle 2 physical networks as the other one would have the newer SonicWall that we currently own.
It would however need to handle multiple VLANs (one for each boarding house). Not sure if this would work. SurfControl has had to be tricked into thinking the server has 8 NICs installed to work properly!

Originally Posted by plexer:
I would have thought if a hardware sonicwall can support and separate 2 networks then the separation between them should be very secure otherwise it's a pants firewall you are paying for.
My thoughts too. My concern is if dodgy stuff coming from kids' machines (which we obviously have no control over what they install) upset the firewall and screwed up things for both boarders and academic.
I think I've come to the conclusion we probably need 2 firewalls, but maybe Censornet will suffice on the boarder network if it can handle VLANs.
-
-
3rd November 2006, 10:29 AM #9
Re: 2 networks, 1 firewall
-
-
16th November 2006, 05:46 PM #10 Re: 2 networks, 1 firewall
One answer to this is SmoothWall's Advanced firewall - it can handle 2 (or more) external connections, and load balance between them, failing over as necessary in the event of failure (we use easynet and bulldog here, and have never had a "complete" outage - have to specify a DNS server that does not rely on the ISP though). It can also perform web content filtering on the same box, and present two entirely separate (although not 1 metre!!) networks internally, with their own rules.
Internal networks by default have NO access to one another. Accesses can be added as and when needed.
Finally, in response to the "what to do when the firewall goes dead" brigade - there are two possibilities - backup (Smoothwall being a software appliance will go back over any server), or true hardware failover with a "heartbeat".
We also do competitor upgrades for sonicwall - even out of date models!
Tom on 0113 3874160 for more info
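Added example, not part of any post in this thread and not SonicWall or SmoothWall configuration: when two internal networks share one firewall, the separation discussed above is only as good as the rule table, and a "network to any" rule written for internet access also matches the other internal network. The subnets, the rule tuples and the function name below are constructed for illustration; ports are left out and rules are assumed to be evaluated top-down with first match winning.

```python
from ipaddress import ip_network

# Constructed addressing; the thread gives no subnets.
ZONES = {
    "academic": ip_network("10.10.0.0/16"),
    "boarding": ip_network("10.20.0.0/16"),
}
ANY = ip_network("0.0.0.0/0")

# Rules are (action, source, destination), first match wins.
LEAKY = [
    ("allow", ZONES["academic"], ANY),   # meant as "internet access"
    ("allow", ZONES["boarding"], ANY),   # also matches the academic subnet
    ("deny", ANY, ANY),
]
ISOLATED = [
    ("deny", ZONES["boarding"], ZONES["academic"]),
    ("deny", ZONES["academic"], ZONES["boarding"]),
    ("allow", ZONES["academic"], ANY),
    ("allow", ZONES["boarding"], ANY),
    ("deny", ANY, ANY),
]
# A deliberate exception placed above the deny rules (constructed host).
PINHOLE = [("allow", ZONES["boarding"], ip_network("10.10.5.10/32"))] + ISOLATED

def cross_zone_leaks(rules, zones=ZONES):
    """Return (src_zone, dst_zone, rule_index) for the first allow rule that
    can match traffic between two different internal zones.

    Conservative: a deny that covers only part of a zone pair does not stop
    the walk, so a later allow is still reported for review."""
    leaks = []
    for s_name, s_net in zones.items():
        for d_name, d_net in zones.items():
            if s_name == d_name:
                continue
            for i, (action, src, dst) in enumerate(rules):
                if not (src.overlaps(s_net) and dst.overlaps(d_net)):
                    continue  # rule cannot match this zone pair
                if action == "allow":
                    leaks.append((s_name, d_name, i))
                    break
                if s_net.subnet_of(src) and d_net.subnet_of(dst):
                    break  # deny covers the whole pair; later rules unreachable
    return leaks

if __name__ == "__main__":
    for name, table in (("leaky", LEAKY), ("isolated", ISOLATED), ("pinhole", PINHOLE)):
        print(name, cross_zone_leaks(table))
```

An intentional exception such as the pinhole is reported too, so every path between the two networks shows up for review.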
-
-
17th November 2006, 02:54 AM #11 Re: 2 networks, 1 firewall
have to specify a DNS server that does not rely on the ISP though
Consider OpenDNS.
www.opendns.com
-