Re: need comments on proposed network architecture-correct diagram this time

From: Lars M. Hansen (badnews_at_hansenonline.net)
Date: 08/06/03


Date: Wed, 06 Aug 2003 10:51:31 GMT

On 5 Aug 2003 18:54:39 -0700, ike lozada spoketh

>
>Hi again, in the dmz, we plan to put a mail server, www server (load
>balancer next time), an IDS...any problems with these? also, where
>should we put the dhcp servers... in the dmz? or one dhcp server per
>vlan? is a vlan==subnet (i.e. network segment)?
>
>thanks

No DHCP in the DMZ. Your servers in the DMZ must be hardened, and you
should also do some packet filtering on the border router to offer some
protection for your DMZ servers. Your mail server should probably not be
in the DMZ, unless it's only a relay server that'll forward your mail to
your internal mail server.

VLANs are virtual LANs (or subnets). They allow you to have multiple
subnets on one switch, and at the same time keep them (the subnets)
separate. This way, you won't need one switch per subnet, but rather
just enough switches to give you the number of ports required. For this
type of network, you'll need routing, and the way to go is to get a
switch that'll do IP routing for you (hence the Cisco 3550
recommendation).

As for LAN DHCP servers, you can get away with having one DHCP server on
one of the subnets. You can then create virtual IP addresses for the
DHCP on the device that does your internal routing for you.

Or, you can do one switch per subnet, one DHCP server per subnet (but
still not the DMZ), make the DHCP server a DC, and all the LANs should
be happy... You'll still need that routing device though ...

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
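An added illustration of the layout described in the reply above, not part of the original thread: a Cisco IOS-style layer-3 switch config with two user VLANs, a DMZ VLAN that gets no DHCP relay, one internal DHCP server reached from the other user VLAN through `ip helper-address`, and a filter that only lets a DMZ mail relay reach the internal mail server. VLAN numbers, addresses and the placement of the filter on the switch (rather than the border router) are assumptions made for the example.

```cisco
! Constructed example: layer-3 switch (Cisco 3550-class IOS) doing the
! inter-VLAN routing. VLAN ids and addresses are placeholders.
ip routing

vlan 10
 name Users-A
vlan 20
 name Users-B
vlan 30
 name DMZ

! The single internal DHCP server is assumed to sit in VLAN 10 at
! 10.0.10.5; clients in VLAN 10 reach it by local broadcast.
interface Vlan10
 ip address 10.0.10.1 255.255.255.0

! VLAN 20 has no DHCP server of its own. The switch relays DHCP
! broadcasts from this subnet to the server in VLAN 10, so one server
! can serve several subnets (the "virtual IP for DHCP" idea above).
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 10.0.10.5

! DMZ VLAN: deliberately no helper-address, so no DHCP reaches the DMZ.
! Traffic from the DMZ into the inside is filtered on the way in.
interface Vlan30
 ip address 192.0.2.1 255.255.255.0
 ip access-group DMZ-IN in

! Only the DMZ mail relay (192.0.2.25, assumed) may talk SMTP to the
! internal mail server (10.0.10.25, assumed); nothing else from the
! DMZ may reach the internal 10.0.0.0/16 space. DMZ-to-Internet traffic
! is still allowed and gets filtered again at the border router.
ip access-list extended DMZ-IN
 remark DMZ mail relay forwarding inbound mail to the internal server
 permit tcp host 192.0.2.25 host 10.0.10.25 eq 25
 remark drop all other DMZ-to-inside traffic
 deny   ip 192.0.2.0 0.0.0.255 10.0.0.0 0.0.255.255
 remark DMZ hosts may still reach the Internet via the border router
 permit ip 192.0.2.0 0.0.0.255 any
```

Because the relay is only permitted to open SMTP toward one internal host, a compromised DMZ box cannot use the DHCP or mail path as a route into the user VLANs, which is the reason for keeping DHCP and the real mail server inside.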
