Secure Network Design (DMZ, LAN, etc)

From: booth monkey (boothmonkey@hotmail.com)
Date: 08/15/02


From: "booth monkey" <boothmonkey@hotmail.com>
To: security-basics@securityfocus.com
Date: Wed, 14 Aug 2002 21:24:48 -0400


Greetings All,

This is my first post so please be gentle. I have a few questions regarding
the most effective way to design a secure web-serving network.

I work for a web development firm as the system admin. My background is as
a programmer, however I do have a few years experience doing the admin
thing. I've just never had to design a network until now.

Our current setup is simple: a Windows-based LAN and a Linux-based DMZ
containing Web, DNS & Mail Servers. We have one main firewall that also
acts as the gateway (and does NAT) for both networks. I've posted a diagram
of our current setup here:
http://www.geocities.com/boothmonkey2000/current.gif

(It should also be noted that we do not have control of the ISP-placed
router.)

My task is to redesign this network to support our planned expansion and to
ensure high availability and security (everyone's dream, I'm sure). I'll
need to support a load balancer for our web servers and I'd like to separate
our databases onto their own network. I also believe that we need a good
network IDS or two (coupled with host-based solutions, of course). I'm
simply unfamiliar with the best way to lay it all out.

I've created two other diagrams to help illustrate the two network models
that I could think of. I can think of pros and cons for both layouts, but
I'm really concerned about how they'll affect security. I'm also unsure of
the best place to perform any NATing that may need to be done (i.e. router
vs. firewall).

The diagrams are located here:
http://www.geocities.com/boothmonkey2000/variation1.gif
http://www.geocities.com/boothmonkey2000/variation2.gif

I appreciate all comments and flames that you may have for me.

Thanks in advance for your time,

---
BM.
boothmonkey@hotmail.com
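As an added illustration (not part of the original post or its diagrams), the segmentation the poster describes, Internet, a Linux DMZ holding web/DNS/mail, a separate database segment and the Windows LAN, can be written down as an explicit zone-to-zone policy and rendered as default-deny iptables FORWARD rules on the single firewall. Interface names, subnets and the database port are assumptions; the key properties are that only the DMZ web tier may reach the database segment and that nothing in the DMZ can open a connection into the LAN.

```python
# Added example: zone-to-zone policy for the design described in the post,
# rendered as stateful iptables FORWARD rules with a default-DROP stance.
# Interface names, subnets and ports below are assumptions, not from the post.

ZONES = {  # interface -> (zone name, subnet); all values constructed
    "eth0": ("internet", "0.0.0.0/0"),
    "eth1": ("dmz", "192.0.2.0/24"),       # web, DNS, mail
    "eth2": ("db", "10.10.20.0/24"),       # database segment
    "eth3": ("lan", "10.10.10.0/24"),      # Windows LAN
}

# (src zone, dst zone, proto, port). Anything not listed is dropped:
# the DB segment is reachable only from the DMZ, and the DMZ never
# initiates into the LAN (a compromised web host gets no foothold inward).
POLICY = {
    ("internet", "dmz", "tcp", 80), ("internet", "dmz", "tcp", 443),
    ("internet", "dmz", "udp", 53), ("internet", "dmz", "tcp", 53),
    ("internet", "dmz", "tcp", 25),
    ("dmz", "db", "tcp", 3306),            # web tier -> database only
    ("lan", "dmz", "tcp", 22),             # admin SSH from LAN into DMZ
    ("lan", "internet", "tcp", 80), ("lan", "internet", "tcp", 443),
}

def allowed(src, dst, proto, port):
    """True if the policy lets zone `src` open proto/port to zone `dst`."""
    return (src, dst, proto, port) in POLICY

def iptables_rules():
    """Render POLICY as FORWARD rules; replies ride on connection state."""
    iface = {zone: ifc for ifc, (zone, _) in ZONES.items()}
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for src, dst, proto, port in sorted(POLICY):
        rules.append(
            f"iptables -A FORWARD -i {iface[src]} -o {iface[dst]} "
            f"-p {proto} --dport {port} -m state --state NEW -j ACCEPT")
    return rules

def nat_rules():
    """NAT done on the firewall (the post's router is ISP-controlled):
    hide the private LAN behind the external interface when it goes out."""
    lan_subnet = ZONES["eth3"][1]
    return [f"iptables -t nat -A POSTROUTING -s {lan_subnet} -o eth0 -j MASQUERADE"]

if __name__ == "__main__":
    for rule in iptables_rules() + nat_rules():
        print(rule)
```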

