Re: Secure Network Design (DMZ, LAN, etc)

From: booth monkey (boothmonkey@hotmail.com)
Date: 08/16/02


From: "booth monkey" <boothmonkey@hotmail.com>
To: matthew@devney.net
Date: Fri, 16 Aug 2002 11:33:30 -0400


Thanks Matthew,

Ok... assuming then that if variation2.gif is the way to go, I'd like to
hear your opinion on these points:

1) Placement of IDS systems
2) Types of Firewalls

For the IDSes, I'd like one outside the firewall (Attack Detection) and one
on the inside (Intrusion Detection). I assumed I could make the first IDS
operate as a transparent bridge (is that the right term?) and just forward
the packets through without altering them in any way, collecting any data
that I need. Provided the hardware could handle it, should I put the IDS on
the same machine as the firewall or would that be bad (I read somewhere that
it wasn't a good idea)?

Also, where should the inside IDS go? If I have it on the same level as my
servers, wouldn't it require a public IP and therefore be somewhat exposed?
(Although I suppose it could just be filtered at the firewall). Also,
should I have the IDS listening on the 192.168.1.0/24 network as well (web
servers) or would just listening near the load-balancer be enough?

My other main question regarding firewalls is whether or not a Linux box
running IPTables would be good enough or should I look at a commercial
solution (Checkpoint, Raptor, etc). I have a very tight budget so IPTables
is attractive, but I want to make sure I have a solid long-term solution
that can handle lots of traffic.

Thanks again for the help. Also... if anyone has any good book
recommendations on these topics, that would be greatly appreciated.

---
BM.
boothmonkey@hotmail.com

>From: matthew <matthew@devney.net>
>To: booth monkey <boothmonkey@hotmail.com>
>Subject: Re: Secure Network Design (DMZ, LAN, etc)
>Date: Thu, 15 Aug 2002 17:49:23 -0700 (PDT)
>
>Lo,
>
>Since the whole world will need access to your web servers, they should be
>in the DMZ -- but that doesn't mean that your web servers should be in the
>DMZ. I'll explain.
>
>You need a firewall up front for generic reasons. Allow the services you
>need, deny everything else. A simple router ACL will do this without too
>much fuss.
>
>In the DMZ should be the publicly accessible services, dns and mail as
>you mentioned. You should also put a load-balancing device here. Cisco
>has their Arrowpoint line, Alteon has AceDirector, etc. Put one of those
>there, and the actual web servers plugged into that, using RFC1918
>(unrouteable) addresses, on their own subnet. (Cisco's LocalDirector, now
>obsolete I think, wanted the web servers directly connected via crossover
>cable.)
>
>Putting the db servers on their own network is a nice idea from a security
>standpoint, but brings a bottleneck. Check your own traffic patterns.
>For most web farms, most of the LAN traffic is from a web server to a db
>server and back. If that crosses a router or firewall, be aware of both
>the bottleneck and the single point of failure there.
>
>Hope this helps.
>
>--matthew@devney.net
>
>
>On Wed, 14 Aug 2002, booth monkey wrote:
>
> > Date: Wed, 14 Aug 2002 21:24:48 -0400
> > From: booth monkey <boothmonkey@hotmail.com>
> > To: security-basics@securityfocus.com
> > Subject: Secure Network Design (DMZ, LAN, etc)
> >
> >
> > Greetings All,
> >
> > This is my first post so please be gentle. I have a few questions regarding
> > the most effective way to design a secure web-serving network.
> >
> > I work for a web development firm as the system admin. My background is as
> > a programmer, however I do have a few years experience doing the admin
> > thing. I've just never had to design a network until now.
> >
> > Our current setup is simple: a Windows based LAN and a Linux based DMZ
> > containing Web, DNS & Mail Servers. We have one main firewall that also
> > acts as the gateway (and does NAT) for both networks. I've posted a diagram
> > of our current setup here:
> > http://www.geocities.com/boothmonkey2000/current.gif
> >
> > (It should also be noted that we do not have control of the ISP placed
> > Router)
> >
> > My task is to redesign this network to support our planned expansion and to
> > ensure high-availability and security (everyone's dream I'm sure). I'll
> > need to support a load-balancer for our web servers and I'd like to separate
> > our databases onto their own network. I also believe that we need a good
> > network IDS or two (coupled with host-based solutions of course). I'm
> > simply unfamiliar with the best way to lay it all out.
> >
> > I've created two other diagrams to help illustrate the two network models
> > that I could think of. I can think of pros and cons for both layouts, but
> > I'm really concerned about how they'll affect security. I'm also unsure of
> > the best place to perform any NATing that may need to be done (i.e. router
> > vs. firewall).
> >
> > The diagrams are located here:
> > http://www.geocities.com/boothmonkey2000/variation1.gif
> > http://www.geocities.com/boothmonkey2000/variation2.gif
> >
> > I appreciate all comments and flames that you may have for me.
> >
> > Thanks in advance for your time,
> >
> > ---
> > BM.
> > boothmonkey@hotmail.com
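Matthew's "allow the services you need, deny everything else" advice, written out as an iptables ruleset for the Linux firewall BM is weighing against a commercial box. This is an added example, not code from anyone in the thread; the three interface names, the documentation-range addresses of the DMZ hosts and the office LAN subnet are assumptions, and the web servers are taken to sit on their own RFC1918 subnet behind the load balancer, as Matthew suggests, so only the load balancer needs a rule here.

```shell
#!/bin/sh
# Emits a default-deny ruleset in iptables-restore format for a three-legged
# firewall. Assumed layout (not from the thread): eth0 = ISP side,
# eth1 = DMZ (dns, mail, load balancer), eth2 = office LAN.
EXT=eth0; DMZ=eth1; LAN=eth2
DNS_HOST=203.0.113.10; MAIL_HOST=203.0.113.11; LB_HOST=203.0.113.12  # constructed
LAN_NET=192.168.0.0/24                                                 # constructed

build_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide the office LAN behind the firewall's external address
-A POSTROUTING -s $LAN_NET -o $EXT -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Anti-spoofing: private source addresses never legitimately arrive from the ISP
-A FORWARD -i $EXT -s 10.0.0.0/8 -j DROP
-A FORWARD -i $EXT -s 172.16.0.0/12 -j DROP
-A FORWARD -i $EXT -s 192.168.0.0/16 -j DROP
# Replies to connections that were already allowed
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Publicly reachable DMZ services: one rule per service, nothing generic
-A FORWARD -i $EXT -o $DMZ -d $DNS_HOST -p udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $EXT -o $DMZ -d $DNS_HOST -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $EXT -o $DMZ -d $MAIL_HOST -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -i $EXT -o $DMZ -d $LB_HOST -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# DMZ hosts may reach the Internet (outbound mail, DNS recursion) but never the LAN
-A FORWARD -i $DMZ -o $EXT -m state --state NEW -j ACCEPT
# Office LAN may originate connections outward and into the DMZ
-A FORWARD -i $LAN -o $EXT -s $LAN_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -m state --state NEW -j ACCEPT
# Everything else falls to the DROP policy; log it (rate-limited) for the inside IDS/syslog
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Review the output, then apply it with: build_rules | iptables-restore
build_rules
```

Because the DMZ-to-LAN direction has no ACCEPT rule, a compromised DMZ host cannot open connections into the office network; that is the property worth re-checking every time a rule is added.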
