 
            My current network is a hybrid of the below A and B and also not yet finished. I suppose it is most like B with the firewall and router split in two boxes and the router only having one NICE. The plan is to get to Picture A and build the honeypot at some later time. You do bring up a good point about the bypassing of the router. This is addressed with iptables on the firewall. It will only alot outgoing traffic from the router. The only way to the firewall is the console or ssh from the router. Also the fw is a 166 (i know thats overkill for a basic Linux firewall) The router runs internal dhcp and dns, external and internal webservers and email and imap an squid. They will all be split if the scalibiltiy is needed. For now, they all have cname alias' so the hostnames are at least unique.
Actual topoligy: +----------+ | internet | +----------+ | | firewall +------------+ | 10.1.1.1 | +------------+ | | +-----------+ | 10.1.1.2 | router | | (one nic) +-----------+ | | +----------+ | localnet | (switch 2) +----------+
=========== If the firewall is compromised there is no way to prevent any computer connected to any network that has internet access from being attacked no matter how elegant your network design. I find the it is better to use a simple network plan from a safe-yourself-headaches perspective.
I much prefer this type of set up
+----------+ | internet | +----------+ | | firewall honeypot +------------+ +-----------+ | 10.1.1.1 | ------ | 10.1.1.10 | (switch 1) +------------+ +-----------+ | | +-----------+ | 10.1.1.2/ | router | 172.1.1.1 | (two nics) +-----------+ | | +----------+ | localnet | (switch 2) +----------+
Picture A
However, I do not have a honeypot currently and hence no need to seperate the firewall and router, thus negating the need for two switches. Also, I use my firewall/router as the gateway so one of the two nics has a real world ip and the other is to the local lan.
From what I can see of the network here described the
firewall is the gateway to the internet, but there is something meissing from the description. I see the router as a useless box on the network and any pc connected to the network can bypass the router and route directly through the firewall.
This is the network I see described.
(internet) ---- (cablemodem) | | [ real ip addr ] (gateway/firewall?) [10.1.1.1] | __________|_____________________ | | | 10.1.1.30 10.1.1.10 10.1.1.2 host 1 host 3 host 2 (router)
Picture B
Now an intelligent ip protocol will bypass the router once it has found the gateway, so traffic only goes through the router the first time. Correct me if I'm wrong in any of this. I don't see the internet gateway in the description of the LAN anywhere, so I've assumed that the firewall is the gateway. I see only the firewall with a local address connected to the cable modem, which I don't think will work the way described. Something here has to be connected to two networks (LAN & internet).
Brian JD