RE: Secure Network Design (DMZ, LAN, etc)
From: Daniel Miessler (danielrm26@hotmail.com)
Date: 08/20/02
- Previous message: Golden_Eternity: "RE: Warless Bleeding - How to stop it?"
- Next in thread: Byron: "Re: Secure Network Design (DMZ, LAN, etc)"
- Reply: Byron: "Re: Secure Network Design (DMZ, LAN, etc)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Daniel Miessler" <danielrm26@hotmail.com>
To: "'booth monkey'" <boothmonkey@hotmail.com>, <tshoemaker@deltadentaltn.com>, <matthew@devney.net>
Date: Tue, 20 Aug 2002 12:51:49 -0400
Hmm. I am not sure about this, but I don't think you want your
webservers acting as routers so that they can get to your databases on
another subnet. If you aren't using any ACLs or filtering of any sort
then why have a separate network? And if you are, then why put that
load on your webserver?
I suggest you go with a more classic and pure DMZ setup. Put your
webservers in the DMZ and have them connect to ODBC on the external
interface on your internal firewall which protects the innermost network
where your database servers reside. (long sentence)
-danielrm26
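The "classic and pure DMZ" recommended above, as an added illustration (not code posted by anyone in this thread): a small model of the two-firewall layout in which the only path from the web tier to the database tier is one port through the inner firewall, so a web server never has to forward packets itself. The 192.168.1.0/24 and 10.10.10.0/24 ranges are the ones from the thread; the database listener port (1433), the Internet test address and the rule tables are placeholders chosen for the example.

```python
"""Model of the two-firewall DMZ layout recommended above.

Added illustration for this thread, not code posted by any participant.
Assumptions: the web tier is 192.168.1.0/24 and the database tier is
10.10.10.0/24 (the ranges from the thread); the database listener port,
the Internet test address and the rule tables are placeholders chosen
for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

DMZ = ip_network("192.168.1.0/24")        # web servers, behind the outer firewall
INTERNAL = ip_network("10.10.10.0/24")    # database servers, behind the inner firewall
DB_PORT = 1433                            # assumed database listener port (placeholder)


@dataclass(frozen=True)
class Rule:
    src: str              # source CIDR the packet must match
    dst: str              # destination CIDR the packet must match
    dport: Optional[int]  # destination port, None matches any port
    action: str           # "accept" or "drop"


# Outer firewall: the Internet may reach the web tier on HTTP/HTTPS only.
OUTER_FW_RULES = [
    Rule("0.0.0.0/0", str(DMZ), 80, "accept"),
    Rule("0.0.0.0/0", str(DMZ), 443, "accept"),
]

# Inner firewall: only the web tier may reach the database listener.
# A compromised web server therefore gets one port on one subnet, not a
# routed path into the internal network.
INNER_FW_RULES = [
    Rule(str(DMZ), str(INTERNAL), DB_PORT, "accept"),
]


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First-match evaluation of a rule chain; unmatched traffic is dropped."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) \
                and (r.dport is None or r.dport == dport):
            return r.action
    return "drop"


def path_allowed(src: str, dst: str, dport: int) -> bool:
    """Walk every firewall the packet crosses on its way to dst.

    Internet sources cross the outer firewall; anything bound for the
    internal network also crosses the inner one.  Traffic between two
    hosts on the same segment crosses neither (it stays on the switch).
    """
    s, d = ip_address(src), ip_address(dst)
    chains = []
    if s not in DMZ and s not in INTERNAL:
        chains.append(OUTER_FW_RULES)
    if d in INTERNAL:
        chains.append(INNER_FW_RULES)
    return all(evaluate(c, src, dst, dport) == "accept" for c in chains)


if __name__ == "__main__":
    checks = [
        ("203.0.113.7", "192.168.1.10", 443),       # client -> web server
        ("192.168.1.10", "10.10.10.5", DB_PORT),    # web server -> database
        ("192.168.1.10", "10.10.10.5", 22),         # web server -> db host SSH
        ("203.0.113.7", "10.10.10.5", DB_PORT),     # client straight to database
    ]
    for src, dst, port in checks:
        verdict = "ALLOW" if path_allowed(src, dst, port) else "DROP"
        print(f"{src} -> {dst}:{port}  {verdict}")
```

The point of the model is the chokepoint: with the database tier behind its own firewall, the rule table is the only thing that decides what a web server can reach, and that table is reviewed and logged in one place rather than depending on the forwarding configuration of each dual-homed host.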
> -----Original Message-----
> From: booth monkey [mailto:boothmonkey@hotmail.com]
> Sent: Tuesday, August 20, 2002 12:21 PM
> To: tshoemaker@deltadentaltn.com; danielrm26@hotmail.com;
> matthew@devney.net
> Cc: security-basics@securityfocus.com
> Subject: RE: Secure Network Design (DMZ, LAN, etc)
>
>
> Perhaps there was some confusion from my diagrams...
>
> I realize that this wasn't very clear but what I intended to
> illustrate was that the web servers would in fact have 2 NICs each,
> one on the 192.168.1.0/24 network (for the load-balancer) and another
> one on the 10.10.10.0/24 (for talking to the databases).
> I've used this setup before with no trouble (even through a shared
> switch with VLAN support).
>
> Any thoughts on the IPTables vs. a commercial firewall thing?
>
> BM.
>
>
>
>
> >From: "Tony Shoemaker" <shoemakert@deltadentaltn.com>
> >Reply-To: <tshoemaker@deltadentaltn.com>
> >To: "'Daniel Miessler'" <danielrm26@hotmail.com>,"'booth monkey'"
> <boothmonkey@hotmail.com>,<matthew@devney.net>
> >CC: <security-basics@securityfocus.com>
> >Subject: RE: Secure Network Design (DMZ, LAN, etc)
> >Date: Tue, 20 Aug 2002 08:28:15 -0500
> >MIME-Version: 1.0
> >Received: from be-mail.hosting.bellsouth.net ([205.152.0.152]) by hotmail.com with Microsoft SMTPSVC(5.0.2195.4905); Tue, 20 Aug 2002 06:24:51 -0700
> >Received: from TSHOEMAKER2000 ([216.76.84.2]) by be-mail.hosting.bellsouth.net (Post.Office MTA v3.5.3 release 223 ID# 0-52534L100S0V35) with ESMTP id net; Tue, 20 Aug 2002 09:28:16 -0400
> >Message-ID: <703434C7CFE24E4C80F3036FE1CD9FBE122F@DDPT-01.deltadentaltn.com>
> >In-Reply-To: <703434C7CFE24E4C80F3036FE1CD9FBE3109C5@DDPT-01.deltadentaltn.com>
> >Return-Path: shoemakert@deltadentaltn.com
> >X-OriginalArrivalTime: 20 Aug 2002 13:24:51.0481 (UTC) FILETIME=[F6C7F890:01C2484C]
> >
> >You would have to change your IP scheme in order to be on the same
> >subnet. Hopefully you're using DHCP...all you would have to do is
> >manipulate your third octet and change your mask. For example, we use
> >a 172.21.128.0/23 and a 172.21.129.0/23 range. If you AND your bits
> >you'll see that they're both on the same subnet. We use Watchguard as
> >our perimeter firewall. It has a port for the trusted network and a
> >port for the optional or DMZ network. Our firewall handles NAT. We use
> >Cyberwall on each individual server for server security and IDS. It
> >is software based so it's fairly reasonable. Obviously a hardware
> >solution would be optimal.
> >
> >Tony Shoemaker, MCSE CCNA CCA
> >Network Administrator
> >Delta Dental Plan of Tennessee
> >Phone: 615-255-3175 x292
> >Fax: 615-244-8108
> >mailto:tshoemaker@deltadentaltn.com
> >
> >
> >-----Original Message-----
> >From: Daniel Miessler [mailto:danielrm26@hotmail.com]
> >Sent: Sunday, August 18, 2002 7:43 PM
> >To: 'booth monkey'; matthew@devney.net
> >Cc: security-basics@securityfocus.com
> >Subject: RE: Secure Network Design (DMZ, LAN, etc)
> >
> >Hmm. In both of your proposed setups I see a major problem with your
> >topology layout. You can't have separate subnets separated by a
> >switch. The network behind your firewall will be separate, of course,
> >but that is only because the firewall is going to be doing NAT in
> >addition to packet filtering and whatever else it does. But where you
> >have your databases separated you have two different private IP
> >ranges there separated by a switch, which clearly won't work. In
> >short, for separate subnets you need a router.
> >
> >As far as placement of IDS systems goes, I think that using a hub (or
> >managed switch) on each segment you want to monitor and plugging your
> >IDS machine into that would be ideal. So if it is just an 'inline'
> >scenario then use a hub anyway, especially on the WAN side. For a
> >large segment where a hub will slow things down you need to go with a
> >managed switch I think.
> >
> >Your diagram has your IDS on a separate part of the switch I think.
> >This won't work unless you are using ARP poisoning, hence your need
> >for a layer 1 device.
> >
> >-danielrm26
> >
>
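Tony Shoemaker's "AND your bits" advice, worked through as an added example (not code from the thread): ANDing each address with the subnet mask clears the host bits, and two hosts share a subnet exactly when the results match. The prefixes are the ones he quotes (172.21.128.0/23 and 172.21.129.0/23); the host addresses are constructed for the example, and the helpers accept any prefix length, not just /23.

```python
"""Subnet membership by ANDing an address with its mask.

Added example for the "AND your bits" advice in Tony Shoemaker's message
above; not code from the thread. The two prefixes are the ones he quotes
(172.21.128.0/23 and 172.21.129.0/23); the host addresses are constructed.
The helpers take any prefix length, not only /23.
"""
import socket
import struct
from ipaddress import ip_network


def to_int(addr: str) -> int:
    """Dotted quad -> 32-bit integer (network byte order)."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted quad."""
    return socket.inet_ntoa(struct.pack("!I", value))


def mask_from_prefix(prefix: int) -> int:
    """/23 -> 0xFFFFFE00, /24 -> 0xFFFFFF00, /0 -> 0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def network_of(addr: str, prefix: int) -> str:
    """The network address: host bits cleared by ANDing with the mask."""
    return to_dotted(to_int(addr) & mask_from_prefix(prefix))


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """Two hosts share a subnet when ANDing each with the mask gives the same value."""
    return network_of(a, prefix) == network_of(b, prefix)


def canonical_network(cidr: str) -> str:
    """What '172.21.129.0/23' really names once the host bit is cleared.

    ipaddress rejects it with strict=True because the 129 sets a host bit
    under a /23 mask; strict=False normalises it to 172.21.128.0/23, i.e.
    the two /23 ranges in the message are one and the same network.
    """
    return str(ip_network(cidr, strict=False))


if __name__ == "__main__":
    a, b = "172.21.128.10", "172.21.129.20"   # constructed hosts, one per old /24
    for prefix in (24, 23):
        print(f"/{prefix} mask {to_dotted(mask_from_prefix(prefix))}: "
              f"{a} -> {network_of(a, prefix)}, {b} -> {network_of(b, prefix)}, "
              f"same subnet: {same_subnet(a, b, prefix)}")
    print(canonical_network("172.21.129.0/23"))
```

Under the old /24 mask the two hosts land in 172.21.128.0 and 172.21.129.0 and are different subnets; under /23 both AND down to 172.21.128.0, which is why widening the mask (and handing it out via DHCP) is enough to merge them without renumbering hosts.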