RE: Secure Network Design (DMZ, LAN, etc)

From: Daniel Miessler (danielrm26@hotmail.com)
Date: 08/19/02


From: "Daniel Miessler" <danielrm26@hotmail.com>
To: "'booth monkey'" <boothmonkey@hotmail.com>, <matthew@devney.net>
Date: Sun, 18 Aug 2002 20:42:55 -0400

Hmm. In both of your proposed setups I see a major problem with your
topology layout. You can't have separate subnets separated by a switch.
The network behind your firewall will be separate, of course, but that
is only because the firewall is going to be doing NAT in addition to
packet filtering and whatever else it does. But where you have your
databases separated you have two different private IP ranges there
separated by a switch, which clearly won't work. In short, for separate
subnets you need a router.

As far as placement of IDS systems goes, I think that using a hub (or
managed switch) on each segment you want to monitor and plugging your
IDS machine into that would be ideal. So if it is just an 'inline'
scenario then use a hub anyway, especially on the WAN side. For a large
segment where a hub will slow things down you need to go with a managed
switch I think.

Your diagram has your IDS on a separate part of the switch I think.
This won't work unless you are using ARP poisoning, hence your need for
a layer 1 device.

-danielrm26
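The point above, that two private IP ranges hung off one switch cannot talk to each other until a router (or a firewall that routes) owns an interface in each, can be checked with a small model of the forwarding decision every host makes. This is an added example, not code from the thread or from any of the posters; the host names, addresses and segment names are constructed, and the `first_hop` function, `Host` and `Router` types are assumptions of the example.

```python
"""Model of a host's forwarding decision: same subnet -> ARP for the
destination directly; different subnet -> hand the packet to the default
gateway, which must be a router with an interface in the destination
subnet. Added example; hosts, addresses and segment names are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_interface
from typing import List, Optional, Tuple


@dataclass
class Host:
    name: str
    addr: str                      # "ip/prefix", e.g. "192.168.1.10/24"
    segment: str                   # layer-2 broadcast domain (switch or VLAN)
    gateway: Optional[str] = None  # default gateway IP, if configured

    @property
    def iface(self):
        return ip_interface(self.addr)


@dataclass
class Router:
    name: str
    interfaces: List[Tuple[str, str]]  # (segment, "ip/prefix") per interface


def first_hop(src: Host, dst: Host, routers: List[Router]) -> str:
    """How src would deliver to dst: 'direct', 'via <router>' or
    'unreachable: <reason>'."""
    dst_ip = dst.iface.ip
    # Same IP subnet: src ARPs for dst itself, which only works when both
    # sit in the same broadcast domain.
    if dst_ip in src.iface.network:
        if src.segment == dst.segment:
            return "direct"
        return "unreachable: same subnet but different L2 segment"
    # Different subnet: src sends the packet to its default gateway.
    if src.gateway is None:
        return "unreachable: off-subnet destination and no default gateway"
    gw = IPv4Address(src.gateway)
    if gw not in src.iface.network:
        return "unreachable: gateway is not on the local subnet"
    for r in routers:
        # A router must actually own the gateway address on src's segment.
        if not any(seg == src.segment and ip_interface(i).ip == gw
                   for seg, i in r.interfaces):
            continue
        # ...and must have an interface in dst's subnet on dst's segment.
        if any(seg == dst.segment and dst_ip in ip_interface(i).network
               for seg, i in r.interfaces):
            return f"via {r.name}"
        return f"unreachable: {r.name} has no interface in {dst.iface.network}"
    return f"unreachable: no router answers for gateway {src.gateway}"


# Constructed topology: web and database servers on different private
# subnets but plugged into the same switch, as in the criticised diagram.
WEB = Host("web1", "192.168.1.10/24", "dmz-switch", gateway="192.168.1.1")
WEB2 = Host("web2", "192.168.1.11/24", "dmz-switch", gateway="192.168.1.1")
DB = Host("db1", "192.168.2.10/24", "dmz-switch", gateway="192.168.2.1")

# Adding a router (or a routing firewall) with one interface per subnet on
# that switch is what makes the two ranges reachable from each other.
DMZ_ROUTER = Router("fw-router", [("dmz-switch", "192.168.1.1/24"),
                                  ("dmz-switch", "192.168.2.1/24")])


def report(routers: List[Router]) -> dict:
    """Reachability of each constructed pair under a given set of routers."""
    pairs = [(WEB, WEB2), (WEB, DB), (DB, WEB)]
    return {f"{a.name}->{b.name}": first_hop(a, b, routers) for a, b in pairs}


if __name__ == "__main__":
    print("switch only:", report([]))
    print("switch + router:", report([DMZ_ROUTER]))
```

With no router the web-to-db entries come back unreachable even though the frames physically share the switch; adding `DMZ_ROUTER` turns them into `via fw-router`, while web-to-web stays `direct` in both cases.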

> -----Original Message-----
> From: booth monkey [mailto:boothmonkey@hotmail.com]
> Sent: Friday, August 16, 2002 11:34 AM
> To: matthew@devney.net
> Cc: security-basics@securityfocus.com
> Subject: Re: Secure Network Design (DMZ, LAN, etc)
>
>
> Thanks Matthew,
>
> Ok... assuming then that if variation2.gif is the way to go, I'd like to
> hear your opinion on these points:
>
> 1) Placement of IDS systems
> 2) Types of Firewalls
>
>
> For the IDSes, I'd like one outside the firewall (Attack Detection) and one
> on the inside (Intrusion Detection). I assumed I could make the first IDS
> operate as a transparent bridge (is that the right term?) and just forward
> the packets through without altering them in any way, collecting any data
> that I need. Provided the hardware could handle it, should I put the IDS on
> the same machine as the firewall or would that be bad (I read somewhere that
> it wasn't a good idea)?
>
> Also, where should the inside IDS go? If I have it on the same level as my
> servers, wouldn't it require a public IP and therefore be somewhat exposed?
> (Although I suppose it could just be filtered at the firewall). Also,
> should I have the IDS listening on the 192.168.1.0/24 network as well (web
> servers) or would just listening near the load-balancer be enough?
>
> My other main question regarding firewalls is whether or not a Linux box
> running IPTables would be good enough or should I look at a commercial
> solution (Checkpoint, Raptor, etc). I have a very tight budget so IPTables
> is attractive, but I want to make sure I have a solid long-term solution
> that can handle lots of traffic.
>
> Thanks again for the help. Also... if anyone has any good book
> recommendations on these topics, that would be greatly appreciated.
>
> ---
> BM.
> boothmonkey@hotmail.com
>
>
> >From: matthew <matthew@devney.net>
> >To: booth monkey <boothmonkey@hotmail.com>
> >Subject: Re: Secure Network Design (DMZ, LAN, etc)
> >Date: Thu, 15 Aug 2002 17:49:23 -0700 (PDT)
> >
> >Lo,
> >
> >Since the whole world will need access to your web servers, they should be
> >in the DMZ -- but that doesn't mean that your web servers should be in the
> >DMZ. I'll explain.
> >
> >You need a firewall up front for generic reasons. Allow the services you
> >need, deny everything else. A simple router ACL will do this without too
> >much fuss.
> >
> >In the DMZ should be the publicly accessible services, dns and mail as
> >you mentioned. You should also put a load-balancing device here. Cisco
> >has their Arrowpoint line, Alteon has AceDirector, etc. Put one of those
> >there, and the actual web servers plugged into that, using RFC1918
> >(unrouteable) addresses, on their own subnet. (Cisco's LocalDirector, now
> >obsolete I think, wanted the web servers directly connected via crossover
> >cable.)
> >
> >Putting the db servers on their own network is a nice idea from a security
> >standpoint, but brings a bottleneck. Check your own traffic patterns.
> >For most web farms, most of the LAN traffic is from a web server to a db
> >server and back. If that crosses a router or firewall, be aware of both
> >the bottleneck and the single point of failure there.
> >
> >Hope this helps.
> >
> >--matthew@devney.net
> >
> >
> >On Wed, 14 Aug 2002, booth monkey wrote:
> >
> > > Date: Wed, 14 Aug 2002 21:24:48 -0400
> > > From: booth monkey <boothmonkey@hotmail.com>
> > > To: security-basics@securityfocus.com
> > > Subject: Secure Network Design (DMZ, LAN, etc)
> > >
> > >
> > > Greetings All,
> > >
> > > This is my first post so please be gentle. I have a few questions regarding
> > > the most effective way to design a secure web-serving network.
> > >
> > > I work for a web development firm as the system admin. My background is as
> > > a programmer, however I do have a few years experience doing the admin
> > > thing. I've just never had to design a network until now.
> > >
> > > Our current setup is simple: a Windows based LAN and a Linux based DMZ
> > > containing Web, DNS & Mail Servers. We have one main firewall that also
> > > acts as the gateway (and does NAT) for both networks. I've posted a diagram
> > > of our current setup here:
> > > http://www.geocities.com/boothmonkey2000/current.gif
> > >
> > > (It should also be noted that we do not have control of the ISP placed
> > > Router)
> > >
> > > My task is to redesign this network to support our planned expansion and to
> > > ensure high-availability and security (everyone's dream I'm sure). I'll
> > > need to support a load-balancer for our web servers and I'd like to separate
> > > our databases onto their own network. I also believe that we need a good
> > > network IDS or two (coupled with host-based solutions of course). I'm
> > > simply unfamiliar with the best way to lay it all out.
> > >
> > > I've created two other diagrams to help illustrate the two network models
> > > that I could think of. I can think of pros and cons for both layouts, but
> > > I'm really concerned about how they'll affect security. I'm also unsure of
> > > the best place to perform any NATing that may need to be done (i.e. router
> > > vs. firewall).
> > >
> > > The diagrams are located here:
> > > http://www.geocities.com/boothmonkey2000/variation1.gif
> > > http://www.geocities.com/boothmonkey2000/variation2.gif
> > >
> > > I appreciate all comments and flames that you may have for me.
> > >
> > > Thanks in advance for your time,
> > >
> > > ---
> > > BM.
> > > boothmonkey@hotmail.com
> > >
> > >
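Matthew's advice in the quoted reply, "allow the services you need, deny everything else", with the web servers behind a load balancer and the databases on their own subnet, can be expressed as a first-match rule list with an implicit final deny. The following is an added example, not code from the thread, from iptables or from any vendor: a small packet-filter model, a rule set for the layout the thread describes, and a defender's check that no outside address can reach a database port. The `Rule`, `Packet`, `decide` and `exposed_db_ports` names are assumptions of the example; 203.0.113.0/24 (a documentation range) stands in for the public block, 192.168.1.0/24 is the web subnet named in the thread, and 192.168.2.0/24 is assumed for the database subnet.

```python
"""Default-deny packet filter for the DMZ layout discussed in the thread.
Added example; addresses, ports and rule names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: str                    # CIDR
    dst: str                    # CIDR
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins. No match means deny: the implicit last rule."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


# Constructed addressing (see lead-in).
LB_VIP, DNS_IP, MAIL_IP = "203.0.113.10", "203.0.113.53", "203.0.113.25"
WEB_NET, DB_NET, DB_HOST = "192.168.1.0/24", "192.168.2.0/24", "192.168.2.10"

DMZ_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", f"{LB_VIP}/32", 80),    # web via the load balancer
    Rule("allow", "tcp", "0.0.0.0/0", f"{LB_VIP}/32", 443),
    Rule("allow", "udp", "0.0.0.0/0", f"{DNS_IP}/32", 53),    # public DNS
    Rule("allow", "tcp", "0.0.0.0/0", f"{DNS_IP}/32", 53),
    Rule("allow", "tcp", "0.0.0.0/0", f"{MAIL_IP}/32", 25),   # public mail
    Rule("allow", "tcp", WEB_NET, DB_NET, 3306),              # only web servers reach the db
    # deliberately no trailing "allow any": decide() denies the rest
]

# Constructed anti-pattern: a broad "temporary" rule placed at the top of the
# list, which silently undoes the database isolation below it.
LEAKY_RULES = [Rule("allow", "any", "0.0.0.0/0", "192.168.0.0/16")] + DMZ_RULES


def exposed_db_ports(rules: List[Rule], probe_src: str = "198.51.100.7",
                     ports: Tuple[int, ...] = (3306, 22, 1433)) -> List[int]:
    """Defender's check: which database ports would an arbitrary outside
    address reach through this rule set? The expected answer is an empty list."""
    return [p for p in ports
            if decide(rules, Packet("tcp", probe_src, DB_HOST, p))[0] == "allow"]


if __name__ == "__main__":
    for pkt in (Packet("tcp", "198.51.100.7", LB_VIP, 80),
                Packet("tcp", "198.51.100.7", LB_VIP, 22),
                Packet("tcp", "192.168.1.10", DB_HOST, 3306),
                Packet("tcp", "198.51.100.7", DB_HOST, 3306)):
        print(pkt, "->", decide(DMZ_RULES, pkt))
    print("db ports exposed (correct rules):", exposed_db_ports(DMZ_RULES))
    print("db ports exposed (leaky rules):  ", exposed_db_ports(LEAKY_RULES))
```

The model is stateless: it says nothing about return traffic, which a real iptables or router ACL deployment handles with connection tracking or established/related matches. The ordering lesson is the part worth keeping: `exposed_db_ports` is the kind of assertion to run every time the rule list changes, because a single broad rule inserted above the database rule exposes every port on that subnet regardless of what follows it.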


