Wireless Networks Thread, 2 networks, 1 firewall in Technical
  1. #1

    2 networks, 1 firewall

    I would appreciate your thoughts on the following:

    We are a boarding school and have 2 isolated networks, one for the boarding houses to give pupils internet access and one for the academic side.

    They both have their own ADSL and hardware firewall (SonicWall). One of the SonicWall boxes is quite old and will no longer be supported in a few months' time so we are being sold a newer one, the other is much more current. However, one of the techies from our support co. mentioned the newer one has the capability to handle both networks with the 2 ADSL feeds going in and the 2 networks out, separated by the firewall rules.
    In addition, should one of the ADSL connections go down, both networks could draw a feed from the remaining one.

    My query is about the feasibility of this and how separate are the 2 networks likely to be (i.e. how secure)?

    While I'm typing this I'm wondering if we actually need a hardware firewall on the boarding network as the majority of machines are personally owned by pupils and should/could have software firewalls installed.

    Also, I am trying to push CensorNet over Surfcontrol to save £££'s which has a software firewall built in. Would we still need a hardware firewall?

    Thanks for your comments.

    Richard.

  2. #2
    Netman's Avatar

    Re: 2 networks, 1 firewall

    Quote Originally Posted by Wizzer

    While I'm typing this I'm wondering if we actually need a hardware firewall on the boarding network as the majority of machines are personally owned by pupils and should/could have software firewalls installed.
    We have boarders too and there is no way in the world I'd not have a firewall and filtering in place - even using their own machines it's the school providing the internet connection and there has to be a duty of care there....
    mmmm...fault tolerant dsl - is there any need? What's your downtime like?

  3. #3

    plexer's Avatar

    Re: 2 networks, 1 firewall

    You could use censornet to provide filtering and access control and that can be run in a firewall mode or just as a proxy but it can't handle 2 separate networks as far as I know.

    I would have thought if a hardware sonicwall can support and separate 2 networks then the separation between them should be very secure otherwise it's a pants firewall you are paying for.

    Ben

  4. #4

    Re: 2 networks, 1 firewall

    Quote Originally Posted by Wizzer
    I would appreciate your thoughts on the following:

    We are a boarding school and have 2 isolated networks, one for the boarding houses to give pupils internet access and one for the academic side.

    They both have their own ADSL and hardware firewall (SonicWall). One of the SonicWall boxes is quite old and will no longer be supported in a few months' time so we are being sold a newer one, the other is much more current. However, one of the techies from our support co. mentioned the newer one has the capability to handle both networks with the 2 ADSL feeds going in and the 2 networks out, separated by the firewall rules.
    In addition, should one of the ADSL connections go down, both networks could draw a feed from the remaining one.

    My query is about the feasibility of this and how separate are the 2 networks likely to be (i.e. how secure)?

    While I'm typing this I'm wondering if we actually need a hardware firewall on the boarding network as the majority of machines are personally owned by pupils and should/could have software firewalls installed.

    Also, I am trying to push CensorNet over Surfcontrol to save £££'s which has a software firewall built in. Would we still need a hardware firewall?

    Thanks for your comments.

    Richard.
    Security wise it should be fine to share it through the same firewall - we use a sonicwall & have the wifi on a separate segment to the main network.

    Though that's down to your own judgement and opinion - when I worked for the MOD, secure and non secure networks had to be separate by at least a metre and couldn't be connected through any of the same devices - amusingly KVMs couldn't be used to connect a secure and non secure server / PC.

    But yeah, I'd be fine with it - do some kind of risk assessment and justify it if you feel necessary. I would load balance for redundancy if you can tho.

    SonicWalls are slightly new to me, and I'm not 100% impressed - but for the cost and ease of use they're hard to beat.

  5. #5


    Re: 2 networks, 1 firewall

    Leaving aside the fact that it's a sonicwall*........

    What if the sonicwall goes down / titsup? Then neither network has adsl.
    What's the backup plan?
    You need a firewall in front of the kids' machines.
    If student machines were connected to the Internet here, it would be on completely separate hardware - you don't want the firewall to choke on malware from the kids' machines.

    Redundant adsl might be useful - every so often our connection goes down, usually not for long but enough for multiple support calls and lesson plans going out the window. Transparently routing around the problem with a redundant line is something we're looking into.

    *they _may_ have got better since I last had to use one

  6. #6

    webman's Avatar

    Re: 2 networks, 1 firewall

    There's not really much point in having more than one DSL line for redundancy - if a DSL line fails, it is usually at exchange level and will therefore affect both lines. However, where having more than one DSL line does come in handy is a "bonded" connection, where the two lines are combined for a larger throughput. This, however, is only supported by a small handful of ISPs. And depending on which firewall and/or router you use, you can throttle bandwidth by IP range and/or service ports.

  7. #7

    john's Avatar

    Re: 2 networks, 1 firewall

    One thing that I have looked at in the past with ADSL lines is, as webman has said the faults are often at exchange level, but if you get 2 ADSL lines, use 2 different suppliers, ensure they are not a subsidiary, go for completely different firms, e.g. get one from Claranet and one from Freedom2Surf or something like that, then if the ISP has a major network issue then you have a good chance of still having an ADSL line if it's the ISP's issue. If you did this keep an eye on mergers etc. and migrate if needed as smaller firms are constantly being merged.

    Also if you are in a large town / city and your Internet is important to you see if you are in range of 2 exchanges as BT will normally for a fee of course run you one line from each exchange so if one has issues the other may still be ok, that's how a lot of big firms get good redundancy on critical leased lines, phone systems etc., get a few from different exchanges so if one goes down the other survives etc...

  8. #8

    Re: 2 networks, 1 firewall

    Thank you all for your thoughts. The redundant ADSL thing was only really a by-product of using one hardware firewall. The main driving force was trying to save the money upgrading our older firewall when we already have one that could potentially do the job (our ADSL did seem to go down a lot but we have recently switched providers and so far all seems OK).

    Quote Originally Posted by plexer
    You could use censornet to provide filtering and access control and that can be run in a firewall mode or just as a proxy but it can't handle 2 separate networks as far as I know.
    It wouldn't need to handle 2 physical networks as the other one would have the newer SonicWall that we currently own.
    It would however need to handle multiple VLANs (one for each boarding house). Not sure if this would work. SurfControl has had to be tricked into thinking the server has 8 NICs installed to work properly!

    Quote Originally Posted by plexer
    I would have thought if a hardware sonicwall can support and separate 2 networks then the separation between them should be very secure otherwise it's a pants firewall you are paying for.
    My thoughts too. My concern is if dodgy stuff coming from kids' machines (which we obviously have no control over what they install) upset the firewall and screwed up things for both boarders and academic.

    I think I've come to the conclusion we probably need 2 firewalls, but maybe Censornet will suffice on the boarder network if it can handle VLANs.

  9. #9

    Re: 2 networks, 1 firewall


  10. #10


    tom_newton's Avatar

    Re: 2 networks, 1 firewall

    One answer to this is SmoothWall's Advanced firewall - it can handle 2 (or more) external connections, and load balance between them, failing over as necessary in the event of failure (we use easynet and bulldog here, and have never had a "complete" outage - have to specify a DNS server that does not rely on the ISP though). It can also perform web content filtering on the same box, and present two entirely separate (although not 1 metre!!) networks internally, with their own rules.

    Internal networks by default have NO access to one another. Accesses can be added as and when needed.

    Finally, in response to the "what to do when the firewall goes dead" brigade - there are two possibilities - backup (Smoothwall being a software appliance will go back over any server), or true hardware failover with a "heartbeat".

    We also do competitor upgrades for sonicwall - even out of date models!

    Tom on 0113 3874160 for more info
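
The thread's central question is how separate two networks behind one firewall really are, and the post above states that internal networks should have no access to one another by default. The following is an added example, not part of any post and not SonicWall or SmoothWall syntax: a small first-match, default-deny rule evaluator that audits a rule set for flows allowed between the boarding and academic zones. Zone names, the rule format and both rule sets are constructed assumptions.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    src: str     # source zone, or "any"
    dst: str     # destination zone, or "any"
    proto: str   # "tcp", "udp" or "any"
    port: int    # destination port, 0 means any port
    action: str  # "allow" or "deny"

def matches(rule, src, dst, proto, port):
    return (rule.src in (src, "any") and rule.dst in (dst, "any")
            and rule.proto in (proto, "any") and rule.port in (port, 0))

def decide(rules, src, dst, proto, port):
    """First matching rule wins; no match at all means deny."""
    for rule in rules:
        if matches(rule, src, dst, proto, port):
            return rule.action
    return "deny"

def leaks(rules, zone_a, zone_b, probes):
    """Every probed flow that is allowed between the two zones, in either direction."""
    found = []
    for src, dst in ((zone_a, zone_b), (zone_b, zone_a)):
        for proto, port in probes:
            if decide(rules, src, dst, proto, port) == "allow":
                found.append((src, dst, proto, port))
    return found

# Constructed probes: web, SMB, RDP and DNS
PROBES = [("tcp", 80), ("tcp", 443), ("tcp", 445), ("tcp", 3389), ("udp", 53)]

# Constructed rule set: pupil web access written with destination "any",
# which also matches the academic zone, not just the ADSL side.
LOOSE = [
    Rule("boarding", "any", "tcp", 80, "allow"),
    Rule("boarding", "any", "tcp", 443, "allow"),
    Rule("academic", "wan", "any", 0, "allow"),
]

# Same intent with the destination pinned to the WAN zone (both ADSL lines).
TIGHT = [
    Rule("boarding", "wan", "tcp", 80, "allow"),
    Rule("boarding", "wan", "tcp", 443, "allow"),
    Rule("academic", "wan", "any", 0, "allow"),
]

if __name__ == "__main__":
    for name, rules in (("LOOSE", LOOSE), ("TIGHT", TIGHT)):
        print(name, leaks(rules, "boarding", "academic", PROBES))
```
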

  11. #11

    Geoff's Avatar

    Re: 2 networks, 1 firewall

    have to specify a DNS server that does not rely on the ISP though
    Consider OpenDNS.

    www.opendns.com
