Hello,

I am just thinking about network setup and would appreciate any comments on this idea. Especially any security-related comment is welcome.

Let's think about an "ordinary" internet setup: You have got the internet connected to a firewall; behind the firewall there is a DMZ. In this DMZ there is a proxy providing access to the Internet for local computers in a private IP LAN. Nothing special up to this point.

As we are all concerned about security and don't like unnecessary work, there usually is some kind of SSH service on all the machines, which means just one more open port to be attacked on.

The idea: Add another network interface to each box in the DMZ and put them into a private IP network. Use this network for administration purposes only.

Example: 1 Firewall, 1 Mailserver, 1 Proxy

Firewall has 3 NICs:
  1 connected to the internet showing no open ports
  1 connected to the DMZ showing no open ports
  1 connected to the administrative IP network providing SSH

Mailserver has 2 NICs:
  1 connected to the DMZ providing SMTP service
  1 connected to the administrative IP network providing SSH

Proxy has 3 NICs:
  1 connected to the DMZ showing no open ports
  1 connected to the LAN providing several proxy services
  1 connected to the administrative IP network providing SSH

Probably there is a router between the LAN and the administrative IP network somewhere in the LAN.

Would this setup provide any benefit regarding security, provided that there is proper configuration?

Any comment would really be appreciated. Thank you very much in advance,

Stefan Nauber

Cs2 Informatik GmbH & Co. KG - Niederlassung West -
Kurfürstenanlage 3
69115 Heidelberg
Germany
Tel.: +49 (6221) 6041-0
Fax : +49 (6221) 6041-50
Email: mailto:stefan.nauber@cs2-informatik.de
Internet: http://www.cs2-informatik.de
> Example: 1 Firewall, 1 Mailserver, 1 Proxy
>
> Firewall has 3 NICs:
>   1 connected to the internet showing no open ports
>   1 connected to the DMZ showing no open ports
>   1 connected to the administrative IP network providing SSH

This is ok (anything else wouldn't work ;)

> Mailserver has 2 NICs:
>   1 connected to the DMZ providing SMTP service
>   1 connected to the administrative IP network providing SSH

No - the mailserver needs only one. The firewall can allow access to the SSH port of the mail server only from the administrative network. To provide further safety, the mailserver itself should check the source IP, too. The problem with your setup is that IF someone hacks your mailserver, access to the administrative network is gained, with no barriers in between!

> Proxy has 3 NICs:
>   1 connected to the DMZ showing no open ports
>   1 connected to the LAN providing several proxy services
>   1 connected to the administrative IP network providing SSH

Same as above, one or max. two NICs are enough. If you don't care about people circumventing your proxy (or you have all ports blocked, so people must use it), one is enough (on the LAN side). The proxy should then be allowed to go outside (masquerading). Of course, SSH only works if you have access to the LAN from the administrative network and allow access only from a specific IP/maybe MAC address. If not, you will surely need a second NIC.

But remember: the more links you have, the more can be a weakness! Use as few cross-links as possible - the weakest link will break first, and if you have a lot of links, this is harder to handle!
regards,
Markus Gaugusch

-- 
 /"\   Markus Gaugusch         ICQ 11374583
 \ /   ASCII Ribbon Campaign   markus@gaugusch.at
  X    Against HTML Mail
 / \
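Markus's advice that the firewall restricts SSH to the administrative network and that the mail server checks the source address itself, shown as an added example that is not part of the thread: an nftables host ruleset for the DMZ mail server, with the "SSH is just one more open port" version beside the restricted one, and a small audit function that tells them apart. The administrative network address is an assumed example value.

```shell
# Added example: a host firewall for the DMZ mail server, implementing the
# advice that the server itself checks the source address of SSH connections.
# The administrative network address is an assumed value, not from the thread.
ADMIN_NET="${ADMIN_NET:-10.99.0.0/24}"   # assumed administrative network
# Weak variant: SSH is "just one more open port", reachable from anywhere.
weak_ruleset() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        tcp dport 25 accept
        tcp dport 22 accept
    }
}
EOF
}

# Hardened variant: SMTP from anywhere, SSH only from the admin network,
# other SSH attempts logged and dropped, everything else dropped by policy.
mailserver_ruleset() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        tcp dport 25 accept                          # SMTP: the public service
        ip saddr $ADMIN_NET tcp dport 22 accept      # SSH: admin network only
        tcp dport 22 log prefix "ssh-denied " drop   # SSH from elsewhere: log it
    }
}
EOF
}

# Audit check: reads a ruleset on stdin and returns 0 (true) if any SSH accept
# rule is not restricted by a source address, i.e. SSH is open to the world.
ssh_open_to_world() {
    grep -E 'dport 22 .*accept' | grep -vq 'ip saddr'
}
# Load the hardened ruleset when nft exists and we are root; else print it.
apply_ruleset() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        mailserver_ruleset | nft -f -
    else
        mailserver_ruleset
    fi
}
```

The default-drop policy is what makes the "only from the admin network" rule meaningful: an SSH packet from the DMZ side matches no accept rule and is logged and dropped even if the perimeter firewall were misconfigured.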
Hello Markus,

thanks for your answer. I think there is a little misunderstanding. I thought of the following basic setup:

    LAN <-> PROXY <-> DMZ <-> FIREWALL <-> INTERNET
                       ^-> MAILSERVER

The DMZ is an IP network with 3 computers attached: Proxy, Firewall and Mailserver. The router between DMZ and Internet is the firewall. Between the LAN and the DMZ there is the proxy. My idea was to give each computer another network interface and connect them to an IP network, the administrative net.

What I understood you thought about was a firewall with interfaces to the LAN, to the Internet and to the DMZ acting as one router between them all, with Proxy and Mailserver as two computers in the DMZ offering services.

Of course you are right saying that each link imposes another risk - but how would you weigh it against the benefit of separating productive and administrative traffic?

Greetings,
Stefan