RE: Secure Network Design (DMZ, LAN, etc)
From: Tony Shoemaker (shoemakert@deltadentaltn.com) Date: 08/20/02
- Previous message: Jake Scobie: "RE: Can SATAN sit on Linux"
- Maybe in reply to: booth monkey: "Secure Network Design (DMZ, LAN, etc)"
- Next in thread: booth monkey: "RE: Secure Network Design (DMZ, LAN, etc)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Tony Shoemaker" <shoemakert@deltadentaltn.com>
To: "'Daniel Miessler'" <danielrm26@hotmail.com>, "'booth monkey'" <boothmonkey@hotmail.com>, <matthew@devney.net>
Date: Tue, 20 Aug 2002 08:28:15 -0500
You would have to change your IP scheme in order to be on the same
subnet. Hopefully you're using DHCP...all you would have to do is
manipulate your third octet and change your mask. For example, we use a
172.21.128.0/23 and a 172.21.129.0/23 range. If you AND your bits
you'll see that they're both on the same subnet. We use Watchguard as our
perimeter firewall. It has a port for the trusted network and a port
for the optional or DMZ network. Our firewall handles NAT. We use
Cyberwall on each individual server for server security and IDS. It is
software based so it's fairly reasonable. Obviously a hardware solution
would be optimal.
Tony Shoemaker, MCSE CCNA CCA
Network Administrator
Delta Dental Plan of Tennessee
Phone: 615-255-3175 x292
Fax: 615-244-8108
mailto:tshoemaker@deltadentaltn.com
-----Original Message-----
From: Daniel Miessler [mailto:danielrm26@hotmail.com]
Sent: Sunday, August 18, 2002 7:43 PM
To: 'booth monkey'; matthew@devney.net
Cc: security-basics@securityfocus.com
Subject: RE: Secure Network Design (DMZ, LAN, etc)
Hmm. In both of your proposed setups I see a major problem with your
topology layout. You can't have separate subnets separated by a switch.
The network behind your firewall will be separate, of course, but that
is only because the firewall is going to be doing NAT in addition to
packet filtering and whatever else it does. But where you have your
databases separated you have two different private IP ranges there
separated by a switch, which clearly won't work. In short, for separate
subnets you need a router.
As far as placement of IDS systems goes, I think that using a hub (or
managed switch) on each segment you want to monitor and plugging your
IDS machine into that would be ideal. So if it is just an 'inline'
scenario then use a hub anyway, especially on the WAN side. For a large
segment where a hub will slow things down you need to go with a managed
switch I think.
Your diagram has your IDS on a separate part of the switch I think.
This won't work unless you are using ARP poisoning, hence your need for
a layer 1 device.
-danielrm26
> -----Original Message-----
> From: booth monkey [mailto:boothmonkey@hotmail.com]
> Sent: Friday, August 16, 2002 11:34 AM
> To: matthew@devney.net
> Cc: security-basics@securityfocus.com
> Subject: Re: Secure Network Design (DMZ, LAN, etc)
>
>
> Thanks Matthew,
>
> Ok... assuming then that if variation2.gif is the way to go, I'd like to
> hear your opinion on these points:
>
> 1) Placement of IDS systems
> 2) Types of Firewalls
>
>
> For the IDSes, I'd like one outside the firewall (Attack Detection) and one
> on the inside (Intrusion Detection). I assumed I could make the first IDS
> operate as a transparent bridge (is that the right term?) and just forward
> the packets through without altering them in any way, collecting any data
> that I need. Provided the hardware could handle it, should I put the IDS on
> the same machine as the firewall or would that be bad (I read somewhere that
> it wasn't a good idea)?
>
> Also, where should the inside IDS go? If I have it on the same level as my
> servers, wouldn't it require a public IP and therefore be somewhat exposed?
> (Although I suppose it could just be filtered at the firewall). Also,
> should I have the IDS listening on the 192.168.1.0/24 network as well (web
> servers) or would just listening near the load-balancer be enough?
>
> My other main question regarding firewalls is whether or not a Linux box
> running IPTables would be good enough or should I look at a commercial
> solution (Checkpoint, Raptor, etc). I have a very tight budget so IPTables
> is attractive, but I want to make sure I have a solid long-term solution
> that can handle lots of traffic.
>
> Thanks again for the help. Also... if anyone has any good book
> recommendations on these topics, that would be greatly appreciated.
>
> ---
> BM.
> boothmonkey@hotmail.com
>
>
>
>
>
> >From: matthew <matthew@devney.net>
> >To: booth monkey <boothmonkey@hotmail.com>
> >Subject: Re: Secure Network Design (DMZ, LAN, etc)
> >Date: Thu, 15 Aug 2002 17:49:23 -0700 (PDT)
> >
> >Lo,
> >
> >Since the whole world will need access to your web servers, they should be
> >in the DMZ -- but that doesn't mean that your web servers should be in the
> >DMZ. I'll explain.
> >
> >You need a firewall up front for generic reasons. Allow the services you
> >need, deny everything else. A simple router ACL will do this without too
> >much fuss.
> >
> >In the DMZ should be the publicly accessible services, dns and mail as
> >you mentioned. You should also put a load-balancing device here. Cisco
> >has their Arrowpoint line, Alteon has AceDirector, etc. Put one of those
> >there, and the actual web servers plugged into that, using RFC1918
> >(unroutable) addresses, on their own subnet. (Cisco's LocalDirector, now
> >obsolete I think, wanted the web servers directly connected via crossover
> >cable.)
> >
> >Putting the db servers on their own network is a nice idea from a security
> >standpoint, but brings a bottleneck. Check your own traffic patterns.
> >For most web farms, most of the LAN traffic is from a web server to a db
> >server and back. If that crosses a router or firewall, be aware of both
> >the bottleneck and the single point of failure there.
> >
> >Hope this helps.
> >
> >--matthew@devney.net
> >
> >
> >On Wed, 14 Aug 2002, booth monkey wrote:
> >
> > > Date: Wed, 14 Aug 2002 21:24:48 -0400
> > > From: booth monkey <boothmonkey@hotmail.com>
> > > To: security-basics@securityfocus.com
> > > Subject: Secure Network Design (DMZ, LAN, etc)
> > >
> > >
> > > Greetings All,
> > >
> > > This is my first post so please be gentle. I have a few questions regarding
> > > the most effective way to design a secure web-serving network.
> > >
> > > I work for a web development firm as the system admin. My background is as
> > > a programmer, however I do have a few years' experience doing the admin
> > > thing. I've just never had to design a network until now.
> > >
> > > Our current setup is simple: a Windows based LAN and a Linux based DMZ
> > > containing Web, DNS & Mail Servers. We have one main firewall that also
> > > acts as the gateway (and does NAT) for both networks. I've posted a diagram
> > > of our current setup here:
> > > http://www.geocities.com/boothmonkey2000/current.gif
> > >
> > > (It should also be noted that we do not have control of the ISP placed
> > > Router)
> > >
> > > My task is to redesign this network to support our planned expansion and to
> > > ensure high-availability and security (everyone's dream I'm sure). I'll
> > > need to support a load-balancer for our web servers and I'd like to separate
> > > our databases onto their own network. I also believe that we need a good
> > > network IDS or two (coupled with host-based solutions of course). I'm
> > > simply unfamiliar with the best way to lay it all out.
> > >
> > > I've created two other diagrams to help illustrate the two network models
> > > that I could think of. I can think of pros and cons for both layouts, but
> > > I'm really concerned about how they'll affect security. I'm also unsure of
> > > the best place to perform any NATing that may need to be done (i.e. router
> > > vs. firewall).
> > >
> > > The diagrams are located here:
> > > http://www.geocities.com/boothmonkey2000/variation1.gif
> > > http://www.geocities.com/boothmonkey2000/variation2.gif
> > >
> > > I appreciate all comments and flames that you may have for me.
> > >
> > > Thanks in advance for your time,
> > >
> > > ---
> > > BM.
> > > boothmonkey@hotmail.com
> > >
> > >
> > >
> > >
> > >
>
>
>
>
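The subnet check Tony Shoemaker describes at the top of the thread (AND the address bits with the mask, then compare) worked through with plain integer arithmetic; this is an added example, not code from the thread, and the host addresses are constructed samples inside the two ranges he cites:

```python
# Added example (not from the thread): the "AND your bits" subnet test,
# done by hand so the mask arithmetic is visible rather than hidden in a library.

def ip_to_int(addr: str) -> int:
    """Convert a dotted-quad IPv4 string to a 32-bit integer."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad IPv4 address: {addr}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"bad octet in {addr}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len: int) -> int:
    """Build a 32-bit netmask from a CIDR prefix length (23 -> 255.255.254.0)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def network_of(cidr: str) -> str:
    """AND the address with its mask and return the resulting network.
    A /23 clears the low bit of the third octet, so 172.21.129.0/23
    normalises to 172.21.128.0/23: the two ranges in the thread are one subnet."""
    addr, prefix = cidr.split("/")
    prefix_len = int(prefix)
    net = ip_to_int(addr) & prefix_to_mask(prefix_len)
    return f"{int_to_ip(net)}/{prefix_len}"


def same_subnet(ip_a: str, ip_b: str, prefix_len: int) -> bool:
    """True when both hosts land on the same network under the given mask."""
    mask = prefix_to_mask(prefix_len)
    return (ip_to_int(ip_a) & mask) == (ip_to_int(ip_b) & mask)


if __name__ == "__main__":
    # Constructed sample hosts, one in each of the ranges Tony mentions.
    print(network_of("172.21.128.0/23"), network_of("172.21.129.0/23"))
    print(same_subnet("172.21.128.10", "172.21.129.20", 23))  # True under the /23
    print(same_subnet("172.21.128.10", "172.21.129.20", 24))  # False: a /24 splits them
```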