I am posting this in security because it is firewall related. I am looking to redesign my network, which I'll get into below, but basically I am looking to set up a transparent/bridged firewall with squid and dansguardian. However, I want to require LDAP authentication to access the internet. You'll understand why from the diagram below.
My question is, since bridged firewalls operate at layer 2 and have no/require no IP address, can you access higher layered apps with them? An example would be to have the proxy authenticate to the LDAP system to check for a valid user and valid net permissions; the server has to somehow send a reply back, so without an IP this can't happen, right?
Below are two designs I am looking into implementing. Everything internally will be authenticated against LDAP, with a small possibility of some public servers using LDAP too, but in my way of thinking anything using LDAP should be behind the router on the private link. FYI, the PROXY and the Linux Router would be two physically separate systems.
So I guess my second question would be, can systems outside the private network access limited internal services securely and be restricted at the same time?
I think I have everything I needed to ask but if I think of something else related to this I'll post in reply if it concerns app/firewall question.
Code:
Option 1:
                   (TRANSPARENT)
 ------------       ------------
 | CBL MODM | ----> | PROXY/FW |
 ------------       ------------
                         |
                         |(PUBLIC)
                         |
 ----------        --------------       ---------
 |  DMZ   |<------ | LNX ROUTER | ----> | WI-FI |
 ----------        | W/FIREWALL |       ---------
                   --------------
                         |
                         |(PRIVATE)
 ---------------         |                ---------------
 | LDAP SERVER |<-----------------------> | VPN / WikId |
 ---------------                          ---------------

Option 2:
                   (TRANSPARENT)
 ------------       ------------
 | CBL MODM | ----> | PROXY/FW |
 ------------       ------------
                         |
                         |(PUBLIC)
                         |
 ----------        --------------       ----------
 | SERVER |<------ |   SWITCH   | ----> | SERVER |
 ----------        --------------       ----------
                         |
                         |
                   --------------       ---------
                   | LNX ROUTER | ----> | WI-FI |
                   | W/FIREWALL |       ---------
                   --------------
                         |
                         |(PRIVATE)
 ---------------         |                ---------------
 | LDAP SERVER |<-----------------------> | VPN / WikId |
 ---------------                          ---------------
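The setup the first question is about, as an added example (not part of the original post, and not configuration from the squid or dansguardian projects): a Linux host bridges the modem-side and LAN-side NICs at layer 2, which needs no IP address for forwarding, but the same host is also given one management address on the bridge interface so that Squid's LDAP helper has an IP stack to open a TCP connection to the directory and receive the reply. The interface names (eth0, eth1, br0), the management address (RFC 5737 documentation range), the LDAP hostname and base DN, and the Squid helper path are all placeholders and assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes iproute2, iptables, the
# br_netfilter module and Squid 3.x+ with its basic_ldap_auth helper.
# All names and addresses below are placeholders.
set -eu

BRIDGE=br0
WAN_IF=eth0                      # towards the cable modem (assumed)
LAN_IF=eth1                      # towards the internal switch/router (assumed)
# The bridge forwards frames without this, but Squid needs a source address
# of its own to reach the LDAP server; one address on br0 provides it.
MGMT_ADDR=192.0.2.10/24          # placeholder address
LDAP_HOST=ldap.example.internal  # placeholder hostname
LDAP_BASE="ou=People,dc=example,dc=internal"   # placeholder base DN
LDAP_HELPER=/usr/lib/squid/basic_ldap_auth     # typical path, varies by distro

# Guard: refuse to proceed when the bridge host has no address, because the
# LDAP helper cannot complete a TCP handshake without one.
check_prereqs() {
    addr="$1"
    if [ -z "$addr" ]; then
        echo "bridge host needs an IP address to reach LDAP" >&2
        return 1
    fi
    return 0
}

# Layer 2: enslave both NICs to the bridge, then add the management address
# and send port-80 traffic crossing the bridge into Squid's intercept port.
bridge_up() {
    ip link add name "$BRIDGE" type bridge
    ip link set "$WAN_IF" master "$BRIDGE"
    ip link set "$LAN_IF" master "$BRIDGE"
    ip link set "$WAN_IF" up
    ip link set "$LAN_IF" up
    ip link set "$BRIDGE" up
    ip addr add "$MGMT_ADDR" dev "$BRIDGE"
    modprobe br_netfilter
    sysctl -w net.bridge.bridge-nf-call-iptables=1
    iptables -t nat -A PREROUTING -i "$BRIDGE" -p tcp --dport 80 \
        -j REDIRECT --to-port 3129
}

# Squid fragment: LDAP-backed basic auth on the explicit port (3128) and a
# separate intercept port (3129) for the traffic redirected above.
render_squid_conf() {
    cat <<EOF
# explicit proxy port: browsers configured for it can be challenged for credentials
http_port 3128
# intercept port: browsers do not answer a 407 challenge on intercepted connections
http_port 3129 intercept
auth_param basic program $LDAP_HELPER -b "$LDAP_BASE" -f "uid=%s" -h $LDAP_HOST -v 3
auth_param basic children 5
auth_param basic realm Proxy
acl ldap_users proxy_auth REQUIRED
http_access allow ldap_users
http_access deny all
EOF
}

# With "apply" the script configures the host; without it, it only prints the
# Squid fragment so the result can be reviewed first.
if [ "${1:-}" = "apply" ]; then
    check_prereqs "$MGMT_ADDR"
    bridge_up
    render_squid_conf > /etc/squid/squid.conf
else
    render_squid_conf
fi
```

The caveat that matters for the design is in the two `http_port` lines: Squid can challenge for credentials only on the explicit port, because a browser whose connection was intercepted does not treat the proxy as a proxy and ignores the 407 challenge. In practice that means clients are pointed at port 3128 (by hand, PAC or WPAD) so the LDAP check actually happens, and the intercept port exists to catch and deny traffic from clients that bypass the proxy setting.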