RE: Secure Network Design (DMZ, LAN, etc)

From: booth monkey (boothmonkey@hotmail.com)
Date: 08/20/02


From: "booth monkey" <boothmonkey@hotmail.com>
To: tshoemaker@deltadentaltn.com, danielrm26@hotmail.com, matthew@devney.net
Date: Tue, 20 Aug 2002 12:20:51 -0400


Perhaps there was some confusion from my diagrams...

I realize that this wasn't very clear but what I intended to illustrate was
that the web servers would in fact have 2 NICs each, one on the
192.168.1.0/24 network (for the load-balancer) and another one on the
10.10.10.0/24 (for talking to the databases). I've used this setup before
with no trouble (even through a shared switch with VLAN support).

Any thoughts on the IPTables vs. a commercial firewall thing?

BM.

>From: "Tony Shoemaker" <shoemakert@deltadentaltn.com>
>Reply-To: <tshoemaker@deltadentaltn.com>
>To: "'Daniel Miessler'" <danielrm26@hotmail.com>,"'booth monkey'"
><boothmonkey@hotmail.com>,<matthew@devney.net>
>CC: <security-basics@securityfocus.com>
>Subject: RE: Secure Network Design (DMZ, LAN, etc)
>Date: Tue, 20 Aug 2002 08:28:15 -0500
>MIME-Version: 1.0
>Received: from be-mail.hosting.bellsouth.net ([205.152.0.152]) by
>hotmail.com with Microsoft SMTPSVC(5.0.2195.4905); Tue, 20 Aug 2002
>06:24:51 -0700
>Received: from TSHOEMAKER2000 ([216.76.84.2]) by
>be-mail.hosting.bellsouth.net (Post.Office MTA v3.5.3 release 223
>ID# 0-52534L100S0V35) with ESMTP id net; Tue, 20 Aug 2002 09:28:16
>-0400
>Message-ID:
><703434C7CFE24E4C80F3036FE1CD9FBE122F@DDPT-01.deltadentaltn.com>
>In-Reply-To:
><703434C7CFE24E4C80F3036FE1CD9FBE3109C5@DDPT-01.deltadentaltn.com>
>Return-Path: shoemakert@deltadentaltn.com
>X-OriginalArrivalTime: 20 Aug 2002 13:24:51.0481 (UTC)
>FILETIME=[F6C7F890:01C2484C]
>
>You would have to change your IP scheme in order to be on the same
>subnet. Hopefully you're using DHCP...all you would have to do is
>manipulate your third octet and change your mask. For example, we use a
>172.21.128.0/23 and a 172.21.129.0/23 range. If you AND your bits
>you'll see that they're both on the same subnet. We use Watchguard as our
>perimeter firewall. It has a port for the trusted network and a port
>for the optional or DMZ network. Our firewall handles NAT. We use
>Cyberwall on each individual server for server security and IDS. It is
>software based so it's fairly reasonable. Obviously a hardware solution
>would be optimal.
>
>Tony Shoemaker, MCSE CCNA CCA
>Network Administrator
>Delta Dental Plan of Tennessee
>Phone: 615-255-3175 x292
>Fax: 615-244-8108
>mailto:tshoemaker@deltadentaltn.com
>
>
>-----Original Message-----
>From: Daniel Miessler [mailto:danielrm26@hotmail.com]
>Sent: Sunday, August 18, 2002 7:43 PM
>To: 'booth monkey'; matthew@devney.net
>Cc: security-basics@securityfocus.com
>Subject: RE: Secure Network Design (DMZ, LAN, etc)
>
>Hmm. In both of your proposed setups I see a major problem with your
>topology layout. You can't have separate subnets separated by a switch.
>The network behind your firewall will be separate, of course, but that
>is only because the firewall is going to be doing NAT in addition to
>packet filtering and whatever else it does. But where you have your
>databases separated you have two different private IP ranges there
>separated by a switch, which clearly won't work. In short, for separate
>subnets you need a router.
>
>As far as placement of IDS systems goes, I think that using a hub (or
>managed switch) on each segment you want to monitor and plugging your
>IDS machine into that would be ideal. So if it is just an 'inline'
>scenario then use a hub anyway, especially on the WAN side. For a large
>segment where a hub will slow things down you need to go with a managed
>switch I think.
>
>Your diagram has your IDS on a separate part of the switch I think.
>This won't work unless you are using ARP poisoning, hence your need for
>a layer 1 device.
>
>-danielrm26
>
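The "AND your bits" check Tony mentions and the "separate subnets need a router" point Daniel raises can both be worked through in a few lines. The following is an added example, not code from anyone in this thread; the host addresses (192.168.1.10, 10.10.10.10, 172.21.128.10 and so on) are constructed for illustration, and the NIC names are assumed.

```python
# Added example (not from the thread): subnet membership by ANDing address bits
# with the mask, and a check of whether a dual-homed host can reach a destination
# directly (on-link) or has to go through a router.
import ipaddress


def network_of(addr: str, prefixlen: int) -> ipaddress.IPv4Network:
    """AND the address bits with the mask; the result is the network address."""
    ip = ipaddress.IPv4Address(addr)
    mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    net_addr = ipaddress.IPv4Address(int(ip) & mask)
    return ipaddress.IPv4Network((net_addr, prefixlen))


def same_subnet(a: str, b: str, prefixlen: int) -> bool:
    """True when both addresses fall in the same network under this prefix length."""
    return network_of(a, prefixlen) == network_of(b, prefixlen)


def next_hop(interfaces: dict, dst: str) -> str:
    """interfaces maps a NIC name (assumed) to 'addr/prefix' for that NIC.

    Returns 'direct via <nic>' when dst sits on one of the host's own subnets,
    otherwise 'needs router': a switch alone will not carry it across subnets.
    """
    d = ipaddress.IPv4Address(dst)
    for nic, cidr in interfaces.items():
        iface = ipaddress.IPv4Interface(cidr)
        if d in iface.network:
            return f"direct via {nic}"
    return "needs router"


if __name__ == "__main__":
    # Tony's ranges: a /23 spans two /24 blocks, so .128.x and .129.x are one subnet
    print(same_subnet("172.21.128.10", "172.21.129.20", 23))   # True
    # Treated as /24 the same two hosts are on different subnets
    print(same_subnet("172.21.128.10", "172.21.129.20", 24))   # False
    # The 172.21.129.0/23 "range" is really the 172.21.128.0/23 network
    print(network_of("172.21.129.20", 23))                     # 172.21.128.0/23

    # Dual-homed web server from the diagrams (constructed host addresses)
    web = {"eth0": "192.168.1.10/24",   # load-balancer side
           "eth1": "10.10.10.10/24"}    # database side
    print(next_hop(web, "192.168.1.1"))    # direct via eth0
    print(next_hop(web, "10.10.10.50"))    # direct via eth1
    print(next_hop(web, "172.21.128.5"))   # needs router
```

The two-NIC design works because each web server has an interface on each subnet, so it talks to the load balancer and to the databases on-link; anything not on one of its own subnets still needs a router (or a firewall doing routing), which is the point about a plain switch not joining two IP ranges.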



