Re: Secure Network Design (DMZ, LAN, etc)

From: Byron (snail945@yahoo.com)
Date: 08/22/02


From: "Byron" <snail945@yahoo.com>
To: "Daniel Miessler" <danielrm26@hotmail.com>, "'booth monkey'" <boothmonkey@hotmail.com>, <tshoemaker@deltadentaltn.com>, <matthew@devney.net>
Date: Wed, 21 Aug 2002 15:57:16 -0700

Although routing is not required between the web's interfaces (depending on the
webapp), it's still insecure, but performance may be enhanced if
communication between the dbs is heavy (i.e. processing http posts while
receiving other data from the client). However, as Daniel points out, I
would only do it like this if the web's inside interface were STILL
separated from the dbs by a firewall - transparent or router (different
subnet). Basically as described below.

Span a port on your public vlan (or wherever your sec policy dictates for
your ids). Last, I would certainly use a commercial firewall unless you (and
someone else) are very strong with iptables. But if you do this, why not do
it right and use BSD? An appliance multiport netscreen or pix would fit
nicely into this setup.

Common advanced e-commerce setup. You can simplify some areas to fit your
setup, perhaps combining the load balancer/front firewall (like using a
bigIP/BIDS box):

(*) Internet router w/ ids feature set and acls, qos/rate limiting
| VLAN outside (also snort or other ids)
(*) transparent firewall
| VLAN DMZ1
(*) Load balancer/reverse proxy (nat)
| VLAN WEBs
(*) ROUTER acls or firewall
| VLAN DB/Application Servers

cheers-bk
----- Original Message -----
From: "Daniel Miessler" <danielrm26@hotmail.com>
To: "'booth monkey'" <boothmonkey@hotmail.com>;
<tshoemaker@deltadentaltn.com>; <matthew@devney.net>
Cc: <security-basics@securityfocus.com>
Sent: Tuesday, August 20, 2002 9:51 AM
Subject: RE: Secure Network Design (DMZ, LAN, etc)

> Hmm. I am not sure about this, but I don't think you want your
> webservers acting as routers so that they can get to your databases on
> another subnet. If you aren't using any ACLs or filtering of any sort
> then why have a separate network? And if you are, then why put that
> load on your webserver?
>
> I suggest you go with a more classic and pure DMZ setup. Put your
> webservers in the DMZ and have them connect to ODBC on the external
> interface on your internal firewall which protects the innermost network
> where your database servers reside. (long sentence)
>
> -danielrm26
>
> > -----Original Message-----
> > From: booth monkey [mailto:boothmonkey@hotmail.com]
> > Sent: Tuesday, August 20, 2002 12:21 PM
> > To: tshoemaker@deltadentaltn.com; danielrm26@hotmail.com;
> > matthew@devney.net
> > Cc: security-basics@securityfocus.com
> > Subject: RE: Secure Network Design (DMZ, LAN, etc)
> >
> >
> > Perhaps there was some confusion from my diagrams...
> >
> > I realize that this wasn't very clear but what I intended to
> > illustrate was that the web servers would in fact have 2 NICs each,
> > one on the 192.168.1.0/24 network (for the load-balancer) and another
> > one on the 10.10.10.0/24 (for talking to the databases). I've used
> > this setup before with no trouble (even through a shared switch with
> > VLAN support).
> >
> > Any thoughts on the IPTables vs. a commercial firewall thing?
> >
> > BM.
> >
> >
> >
> >
> > >From: "Tony Shoemaker" <shoemakert@deltadentaltn.com>
> > >Reply-To: <tshoemaker@deltadentaltn.com>
> > >To: "'Daniel Miessler'" <danielrm26@hotmail.com>,"'booth monkey'"
> > <boothmonkey@hotmail.com>,<matthew@devney.net>
> > >CC: <security-basics@securityfocus.com>
> > >Subject: RE: Secure Network Design (DMZ, LAN, etc)
> > >Date: Tue, 20 Aug 2002 08:28:15 -0500
> > >
> > >You would have to change your IP scheme in order to be on the same
> > >subnet. Hopefully you're using DHCP...all you would have to do is
> > >manipulate your third octet and change your mask. For example, we use
> > >a 172.21.128.0/23 and a 172.21.129.0/23 range. If you AND your bits
> > >you'll see that they're both on the same subnet. We use Watchguard as
> > >our perimeter firewall. It has a port for the trusted network and a
> > >port for the optional or DMZ network. Our firewall handles NAT. We use
> > >Cyberwall on each individual server for server security and IDS. It
> > >is software based so it's fairly reasonable. Obviously a hardware
> > >solution would be optimal.
> > >
> > >Tony Shoemaker, MCSE CCNA CCA
> > >Network Administrator
> > >Delta Dental Plan of Tennessee
> > >Phone: 615-255-3175 x292
> > >Fax: 615-244-8108
> > >mailto:tshoemaker@deltadentaltn.com
> > >
> > >
> > >-----Original Message-----
> > >From: Daniel Miessler [mailto:danielrm26@hotmail.com]
> > >Sent: Sunday, August 18, 2002 7:43 PM
> > >To: 'booth monkey'; matthew@devney.net
> > >Cc: security-basics@securityfocus.com
> > >Subject: RE: Secure Network Design (DMZ, LAN, etc)
> > >
> > >Hmm. In both of your proposed setups I see a major problem with your
> > >topology layout. You can't have separate subnets separated by a
> > >switch. The network behind your firewall will be separate, of course,
> > >but that is only because the firewall is going to be doing NAT in
> > >addition to packet filtering and whatever else it does. But where you
> > >have your databases separated you have two different private IP ranges
> > >there separated by a switch, which clearly won't work. In short, for
> > >separate subnets you need a router.
> > >
> > >As far as placement of IDS systems goes, I think that using a hub (or
> > >managed switch) on each segment you want to monitor and plugging your
> > >IDS machine into that would be ideal. So if it is just an 'inline'
> > >scenario then use a hub anyway, especially on the WAN side. For a
> > >large segment where a hub will slow things down you need to go with a
> > >managed switch I think.
> > >
> > >Your diagram has your IDS on a separate part of the switch I think.
> > >This won't work unless you are using ARP poisoning, hence your need
> > >for a layer 1 device.
> > >
> > >-danielrm26
> > >
> >
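Worked example added after the thread (not code from any of the posters): a small Python model of the tiered layout in Byron's diagram, using the two web-server subnets booth monkey gave and Tony's "AND your bits" subnet test, which lets you check which flows the separate networks actually block once the filtering Daniel asks about is in place. The INTERNET and DMZ1 ranges, the ports and the allow-list are assumptions.

```python
from ipaddress import ip_address, ip_network

# Zone name -> subnet. 192.168.1.0/24 (web/LB side) and 10.10.10.0/24
# (DB side) are the ranges from the thread; INTERNET and DMZ1 are
# constructed placeholders.
ZONES = {
    "INTERNET": ip_network("192.0.2.0/24"),
    "DMZ1": ip_network("172.16.1.0/24"),
    "WEB": ip_network("192.168.1.0/24"),
    "DB": ip_network("10.10.10.0/24"),
}

# Allow-list (src zone, dst zone, dst port); anything else is denied.
# This is the filtering Daniel says the separate networks are pointless
# without: the outside reaches only the load balancer, the load balancer
# reaches only the web VLAN, and the web tier reaches the DB tier only on
# the database port (assumed 1433 here).
ALLOW = {
    ("INTERNET", "DMZ1", 443),
    ("DMZ1", "WEB", 80),
    ("WEB", "DB", 1433),
}

def zone_of(ip):
    """Return the zone whose subnet contains ip, or None if unknown."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def same_subnet(ip_a, ip_b, prefixlen):
    """Tony's 'AND your bits' test: do two hosts share a network address
    under a /prefixlen mask?  (strict=False masks the host bits off.)"""
    net_a = ip_network(f"{ip_a}/{prefixlen}", strict=False)
    net_b = ip_network(f"{ip_b}/{prefixlen}", strict=False)
    return net_a.network_address == net_b.network_address

def allowed(src_ip, dst_ip, dst_port):
    """Evaluate one flow; traffic within a VLAN never crosses a firewall."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    return src == dst or (src, dst, dst_port) in ALLOW

def denied_flows(flows):
    """Return the (src, dst, port) tuples the policy rejects, for review."""
    return [f for f in flows if not allowed(*f)]
```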


