Offtopic (maybe): Proposal for school network
Hello,

my name is Christoph and I attend a business school. Our school administrator formed a working group for network and computer related problems. Our first task is to review the existing security system and to improve it or create a new one. I worked on a new network design for the school network, and I first created a draft. The first version of the draft can be downloaded from http://www.festlinfo.at/schoolnetwork.jpg. Would somebody be so kind as to comment on it or criticize it, because I want to improve it. I know a little bit about computer security and I want to learn more. I apologize for being off topic, but I wanted some experts to review the draft.

Have a nice day,
Christoph Pernsteiner
-- Black holes are where god divided by zero.
I'd need to know more about your security goals/threat model.
Are you worried about people breaking in via the internet?
Are you worried about kids breaking out and causing grief for others online?
I assume (well, hope) that the school administrative network (i.e.
grades/etc.) is separate, or is it part of this network?
The external box will run a mail server to proxy email? If so, are you using
sendmail/postfix, or?
What are the desktops running?
What is the purpose of this network? Teach kids to find info online? run
educational programs? Access to email?
Etc, etc. I can't really give you much help without sitting down, I suggest
you maybe hire SuSE for an hour or two of consulting, it will save you a
lot of grief in the long run.
-Kurt
Hi Kurt,

> I'd need to know more about your security goals/threat model.
No problem, I will try to give you as much information as you need.

> Are you worried about people breaking in via the internet?
Well, not only people but also automated tools, trojans, worms, viruses and so on.

> Are you worried about kids breaking out and causing grief for others online?
Not really, because we are a business school, and the people who know how computers work and how to use them creatively are very few. But sometimes you have to protect the people from themselves. I mean, we don't want to have our systems infected by a virus just because someone opened a .exe file from his webmail account and didn't know why he shouldn't double-click on things he doesn't know.

> I assume (well, hope) that the school administrative network (i.e. grades/etc.) is separate, or is it part of this network?
No, it is separate and we have no permission to change the layout of that network. Only the network that is usable by the pupils in the computer rooms. (The teachers' network and the school administrative network are separate, but get the internet connection over the same router. The router is not configured by us, but by our ISP.)

> What are the desktops running?
The desktops will run Win 2000 as operating system. We will use Internet Explorer 6.0 as browser, to enable the pupils to get information over the internet.

> What is the purpose of this network? Teach kids to find info online? run educational programs? Access to email?
The purpose of the network is to connect our different computer rooms and computer classes with each other. To enable every pupil unfiltered access to any information on the internet. To provide a personal email account to every pupil; they should also have a personal computer account on the Win 2000 clients and on the intranet. The intranet will be something like an informational source for the pupils. The plan for the intranet is not done yet, but I have some ideas in my mind. It should become an informational source for all pupils. There will be some tutorials about the basics of how to use the internet effectively and some tutorials about HTML and so on.

> Etc, etc. I can't really give you much help without sitting down, I suggest you maybe hire SuSE for an hour or two of consulting, it will save you a lot of grief in the long run.
Well, I think we can't afford that.

Some additional info on our group: Our group has 6 members (pupils) who are interested in and understand computers. The leader is our administrator (a teacher), but we have a lot of permissions, and he doesn't limit our creativity, although he criticizes our proposals (which is very good). The whole project is promoted by the EU (we will get a certificate at the end. I for myself don't do that for the certificate, but for the fun :-) ). Our goal is just to improve the school network and to create something like a school security system. I hope I cleared up the situation. I uploaded a new draft (with Björn's suggestions). Thank you for spending time on me.

Have a nice day,
Christoph
On Tuesday, 4 December 2001 16:24, Christoph Pernsteiner wrote:
> http://www.festlinfo.at/schoolnetwork.jpg. Would somebody be so kind as to comment on it or criticize it, because I want to improve it.

I would never place a domain controller into the DMZ - the DMZ is used to allow the Internet access to it; you do not want to allow Internet clients to log on to your domain controller, do you? The best solution for the external firewall would be _only_ a packet filter, no services running (in my opinion). You can place the proxy in the LAN or the DMZ.

Björn
Hi,

I don't know what you want to fight off with your design, but generally I would not do it like that. I once ran such a design but it caused too much uncontrollable network noise. If you can run with two leased lines (one for the internet servers and one for your LAN) you'll do best. If not, I'd do it like this:

    inet
     |
     |
    DMZ ---- Firewall1
     |
     |
    Firewall2
     |
     |
    LAN

1. Logging. Firewall1 logs everything. Firewall2 only logs stuff that tries to penetrate it. This'll keep your Firewall2 logs free of DMZ traffic pollution.
2. NIDS. Run a NIDS on all firewalls, including one dedicated NIDS box in your DMZ -> could be instead of your win2k domain controller.
3. Domain controller in a DMZ: You don't need that. We're talking about network layers, not about application layers.
4. Windows attached to the internet? If not a must for some reason, don't do it. Windows is expensive in any way.
5. Proxy: You'll be fine running it on Firewall2.
6. Diversification: Firewall1 OS <> Firewall2 OS.

HTH
Philipp
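The two-firewall layout and logging split Philipp describes, together with Björn's point that the external firewall should be a plain packet filter, as an added example that is not part of either post. The interface names, subnets, DMZ host addresses and the proxy port are assumptions made for the example, not Christoph's real addressing; the rules are Linux iptables and have to be loaded as root on the respective box (with IPT=echo they are only printed).

```shell
#!/bin/sh
# Added example, not from the thread: iptables rule sets for the layout
#   inet - Firewall1 - DMZ - Firewall2 - LAN
# Interface names, subnets and DMZ host addresses are assumptions, not
# Christoph's real addressing. Run as root on the respective box; with
# IPT=echo the rules are printed instead of loaded.
IPT="${IPT:-iptables}"
INET_IF="${INET_IF:-eth0}"             # Firewall1: towards the ISP router
DMZ_IF="${DMZ_IF:-eth1}"               # both firewalls: towards the DMZ
LAN_IF="${LAN_IF:-eth2}"               # Firewall2: towards the pupils' LAN
DMZ_NET="${DMZ_NET:-10.0.0.0/24}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WWW="${WWW:-10.0.0.10}"                # Apache in the DMZ (assumed address)
MAIL="${MAIL:-10.0.0.20}"              # mail server in the DMZ (assumed address)
PROXY_PORT="${PROXY_PORT:-3128}"       # Squid running on Firewall2 itself

reset_and_fail_closed() {
  $IPT -F; $IPT -X
  $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  for chain in INPUT FORWARD OUTPUT; do
    $IPT -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
}

# Log a new connection matching "$@" and then accept it.
log_accept() {
  prefix=$1; shift
  $IPT "$@" -m state --state NEW -j LOG --log-prefix "$prefix"
  $IPT "$@" -m state --state NEW -j ACCEPT
}

# Firewall1: a pure packet filter with no services of its own (Bjoern's
# point) that logs everything, accepted and refused alike (Philipp's point 1).
fw1_rules() {
  reset_and_fail_closed
  log_accept "FW1-ACCEPT: " -A FORWARD -i $INET_IF -o $DMZ_IF -d $WWW  -p tcp --dport 80
  log_accept "FW1-ACCEPT: " -A FORWARD -i $INET_IF -o $DMZ_IF -d $MAIL -p tcp --dport 25
  # DMZ hosts, Squid on Firewall2 included, may open connections outwards.
  log_accept "FW1-ACCEPT: " -A FORWARD -i $DMZ_IF -o $INET_IF -s $DMZ_NET
  for chain in INPUT FORWARD OUTPUT; do
    $IPT -A $chain -j LOG --log-prefix "FW1-DENY: "   # then dropped by policy
  done
}

# Firewall2: logs only what it refuses, so its log stays free of the DMZ
# traffic Firewall1 already records. Nothing is forwarded from the LAN to
# the Internet; clients get out only through the Squid proxy on this box.
fw2_rules() {
  reset_and_fail_closed
  $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -m state --state NEW -j ACCEPT
  # Pupils' mail clients talk to the DMZ mail server directly.
  $IPT -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $MAIL -p tcp -m multiport --dports 25,110 \
       -m state --state NEW -j ACCEPT
  # Squid's own fetches and DNS lookups leave via the DMZ side.
  $IPT -A OUTPUT -o $DMZ_IF -p tcp -m state --state NEW -j ACCEPT
  $IPT -A OUTPUT -o $DMZ_IF -p udp --dport 53 -j ACCEPT
  # Whatever is still unmatched is about to hit the DROP policy: log it,
  # rate limited so that a port scan cannot fill the disk, then drop.
  $IPT -N LOGDROP
  $IPT -A LOGDROP -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "FW2-DENY: "
  $IPT -A LOGDROP -j DROP
  for chain in INPUT FORWARD OUTPUT; do $IPT -A $chain -j LOGDROP; done
}

case "${1:-}" in
  fw1) fw1_rules ;;
  fw2) fw2_rules ;;
  *)   echo "usage: [IPT=echo] $0 fw1|fw2" >&2 ;;
esac
```

Run `IPT=echo sh fw.sh fw2` first and read the printed rules; the point to check is that the only LOG rule on Firewall2 sits in the LOGDROP chain, while on Firewall1 every accepted connection is logged as well. Philipp's point 6 (different operating systems on the two boxes) is not something a rule set can express; if Firewall1 ends up on FreeBSD or OpenBSD, the same policy has to be rewritten for ipfw or pf.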
Hi Philipp,

thank you for your suggestions.

> 2. NIDS. Run a NIDS on all firewalls, including one dedicated NIDS box in your DMZ -> could be instead of your win2k domain controller.
I don't know what a NIDS is. I guess Network Intrusion Detection System? Well, I have not very much knowledge in that sector, but I will read as much as I can get on NIDS and install one. Thank you for that.

> 3. Domain controller in a DMZ: You don't need that. We're talking about network layers, not about application layers.
I think I got that wrong. I thought that every computer in one network has to be registered in a domain controller, so I set up one for the DMZ (because this should be a separate network) and one for the internal network. I changed that, and uploaded a new draft.

> 4. Windows attached to the internet? If not a must for some reason, don't do it. Windows is expensive in any way.
The problem is that our administrator doesn't know much about Linux, and we have to use Windows as a web server because the pupils use FrontPage and ASP for their projects (I know that's lame, but I can't change that, sorry.)

> 5. Proxy: You'll be fine running it on Firewall2.
OK.

> 6. Diversification: Firewall1 OS <> Firewall2 OS.
What OS would you suggest if not both Linux?

Have a nice day,
Christoph
Christoph, you might be interested in reading http://www2.little-idiot.de/firewall/zusammen.html (sorry for the rest of the world - it's German). It's not up-to-date, e.g. kernel 2.0 and 2.2, but gives you lots of knowledge on firewalls and attacks.

> What OS would you suggest if not both Linux?
OpenBSD, NetBSD, Solaris? Different features, different bugs.

CU, Klaus
>> 2. NIDS. Run a NIDS on all firewalls, including one dedicated NIDS box in your DMZ -> could be instead of your win2k domain controller.
> I don't know what a NIDS is. I guess Network Intrusion Detection System? Well, I have not very much knowledge in that sector, but I will read as much as I can get on NIDS and install one. Thank you for that.

Try out www.snort.org.

>> 3. Domain controller in a DMZ: You don't need that. We're talking about network layers, not about application layers.
> I think I got that wrong. I thought that every computer in one network has to be registered in a domain controller, so I set up one for the DMZ (because this should be a separate network) and one for the internal network. I changed that, and uploaded a new draft.

Make them stand-alone servers and shut down the NetBIOS servers. I saw the draft. I think you're making yourself an unnecessarily hard life with that proxy running two Ethernet interfaces. Place the proxy INTO the DMZ, not in front of it. The way you designed the draft now, the proxy is a third firewall. If so, you have to make it a router routing from the same subnet into the same subnet. That means changing routes on the Cisco and wasting two IP addresses for what security? This doesn't make sense because the firewall rules on the proxy and the packet filter in front of it would be nearly the same. This would only make sense if you made the proxy a non-routing application layer firewall for all needed protocols, controlling the content of the traffic passing it. But I wouldn't do it for such a small DMZ. It's overkill.

>> 4. Windows attached to the internet? If not a must for some reason, don't do it. Windows is expensive in any way.
> The problem is that our administrator doesn't know much about Linux,

He'll do well changing that in the near future.

> and we have to use Windows as a web server because the pupils use FrontPage and ASP for their projects (I know that's lame, but I can't change that, sorry.)

It's not about being lame. It's bad for you keeping these windoze boxes up to date all the time. I very well remember what Nimda did to my win2k www server. No anti-virus software ever will help you, no matter how new the patterns are.

>> 5. Proxy: You'll be fine running it on Firewall2.
> OK.

Oh, is it a http/https/ftp proxy? Or what services do you intend to run on it?

>> 6. Diversification: Firewall1 OS <> Firewall2 OS.
> What OS would you suggest if not both Linux?

FreeBSD and Linux.

> Have a nice day,

u 2
Philipp
Hi Philipp,

I really learned much, or better said, now I really know that I will have to learn much more about security.

> Try out www.snort.org.
OK, thanks.

> I saw the draft. I think you're making yourself an unnecessarily hard life with that proxy running two Ethernet interfaces. Place the proxy INTO the DMZ, not in front of it. <snip>
OK, changed and uploaded.

> He'll do well changing that in the near future.
I try to convince him, but I think that won't help much, because he is paid very badly and so he is not very motivated to learn Linux in his free time. I myself will, or want to, learn it, just because I am interested in it, but I think he isn't really interested in it; he just wants a secure network and a time without very much stress (which I can also understand, if I were paid that badly).

>> and we have to use Windows as a web server because the pupils use FrontPage and ASP for their projects (I know that's lame, but I can't change that, sorry.)
> It's not about being lame. It's bad for you keeping these windoze boxes up to date all the time. I very well remember what Nimda did to my win2k www server. No anti-virus software ever will help you, no matter how new the patterns are.
Same problem here; he was very stressed last month and so he decided to create that group. Well, the Nimda problem still exists, and he tries to solve that with Norton Antivirus Corporate Edition. I told him that this wouldn't help him to get a better time, but he didn't want to hear it. I mean, Norton is surely a good product, but it would be the same as if you wanted to repair a ship that has holes and is floating around in the ocean, and would try to fill the holes with crates so that no water can come in. I think it would be better to throw away this ship, design a new one (without the holes) and build it.

> Oh, is it a http/https/ftp proxy? Or what services do you intend to run on it?
As far as I know it should be a http and ftp proxy.

> FreeBSD and Linux.
Well, sounds like very much work. But thank you for your suggestions.

Bye,
Christoph
It's possible to do the FrontPage extensions on Unix rather than on Windows... The other alternative would be to have an internal www win2k with FrontPage and mirror, say, every hour or ten minutes or whatever to the DMZ Apache server. Kids can edit and check pages in real time, and they show up online relatively promptly. It will save you a lot of grief.

-Kurt
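Kurt's second alternative, the internal Windows 2000 box with FrontPage mirrored to Apache in the DMZ, as an added example script that is not from his mail. Everything concrete in it is assumed for the example: the Windows share is mounted read-only on an internal Linux box at /mnt/wwwsrc, the DMZ Apache host is 10.0.0.10 and accepts ssh for a user named "mirror", and Firewall2 allows exactly that one connection from the LAN into the DMZ. The exclude list is the part worth keeping whatever the addresses are: the FrontPage server extensions keep their own data in _vti_* directories (the _vti_pvt one holds service.pwd with password hashes), and an Apache without an ASP module would hand out .asp files as plain text.

```shell
#!/bin/sh
# Added example, not part of Kurt's mail: a cron job that mirrors the pupils'
# FrontPage site from the internal Windows 2000 web server to the Apache box
# in the DMZ. Assumptions (names and addresses are made up): the Windows share
# is already mounted read-only on an internal Linux box at /mnt/wwwsrc; the DMZ
# Apache host is 10.0.0.10 and accepts ssh for user "mirror"; Firewall2 permits
# that one connection LAN -> DMZ, and nothing in the other direction.
SRC="${SRC:-/mnt/wwwsrc/}"
DST="${DST:-mirror@10.0.0.10:/var/www/html/}"
RSYNC="${RSYNC:-rsync}"

# Files that must never reach the DMZ box. _vti_* directories belong to the
# FrontPage server extensions; _vti_pvt in particular holds service.pwd with
# password hashes. Apache without an ASP module would serve .asp/.asa files
# as plain text, exposing the pupils' source code, so they stay inside too.
EXCLUDES='_vti_* *.pwd *.asp *.asa'

# Push from the LAN side: the DMZ host never gets credentials for the LAN.
mirror_site() {
  set -f   # no pathname expansion while the pattern list is split into words
  set -- --delete --delete-excluded -a --chmod=Dgo-w,Fgo-w -e 'ssh -o BatchMode=yes'
  for pat in $EXCLUDES; do set -- "$@" --exclude="$pat"; done
  set +f
  "$RSYNC" "$@" "$SRC" "$DST"
}

# Pre-flight audit: list what the exclude list would hold back. Returns 1 if
# anything was found, so a cron job can mail the list to the administrator.
audit_source() {
  dir="${1:-$SRC}"
  found=$(find "$dir" \( -name '_vti_*' -o -name '*.pwd' -o -name '*.asp' -o -name '*.asa' \) -print)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# crontab entry for the internal box, e.g. every ten minutes as Kurt suggests:
#   */10 * * * *  /usr/local/sbin/mirror-www.sh run
# On the DMZ host, restrict the mirror user's key in authorized_keys with a
# forced command so it can only run rsync, and keep /var/www/html owned by
# that user so the web server itself cannot write to it.
if [ "${1:-}" = run ]; then
  mirror_site
elif [ "${1:-}" = audit ]; then
  audit_source
fi
```

`RSYNC=echo sh mirror-www.sh run` prints the rsync command line without copying anything, which is the quickest way to confirm the excludes are in place before the first real run. `--delete-excluded` matters on the receiving side: if a _vti_ directory ever did get through, the next run removes it instead of leaving it on the DMZ host.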
That's a very nice idea. Thanks.

Philipp
> I saw the draft. I think you're making yourself an unnecessarily hard life with that proxy running two Ethernet interfaces. Place the proxy INTO the DMZ, not in front of it. <snip>
> OK, changed and uploaded.

<going into technical details>

Proxy
Fine. And now you make the proxy a Linux box running the Squid http/ftp proxy. It's easy to set up, it's not Windows and therefore it's more secure. Technical detail: You have to learn about passive ftp if you want to run a Squid proxy. If you want to save this proxy box in your draft, you can put Squid on the firewall protecting your internal LAN.

Mail Filter
Attachment filtering can happen on the mail server itself. If you set up an Exchange server, attachment filtering is well supported. If you don't need the functionality of Exchange server, then set up a Linux box running Postfix for SMTP and some POP3 server. The Postfix mailer daemon is ultra easy to set up and is very nice for filtering attachments. Moreover, Postfix is quite secure.

Philipp
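Both halves of Philipp's mail, the Squid proxy and the Postfix attachment filter, as one added example script that is not from his post or from either project. It writes a minimal squid.conf and a Postfix mime_header_checks table, and carries a small helper that tests a MIME header line against the same pattern Postfix will enforce, so the filter can be tried on sample headers before any mail passes through it. The LAN subnet 192.168.1.0/24, the proxy port 3128 and the /etc/postfix location are assumptions; the list of blocked extensions is the example's own choice and should be extended to whatever the school actually sees in its mail.

```shell
#!/bin/sh
# Added example, not from the thread: the two pieces of Philipp's proposal
# as configuration written by this script, plus a helper that checks a MIME
# header against the same attachment pattern Postfix will enforce.
# Assumed: Squid listens on 3128 for the pupils' LAN 192.168.1.0/24; Postfix
# keeps its files in /etc/postfix. Set PREFIX=/tmp/stage to write the files
# somewhere harmless before copying them into place.
PREFIX="${PREFIX:-}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# MIME headers that name an attachment with an executable extension. The
# same pattern is used for the Postfix table (case-insensitive by default in
# regexp: tables) and by check_attachment below (grep -Ei), so the two cannot
# drift apart. The trailing group stops "notes.exe.txt" from being caught.
ATTACH_PAT='^Content-(Disposition|Type):.*name[[:space:]]*=[[:space:]]*"?[^"]*\.(exe|com|bat|cmd|pif|scr|vbs|vbe|js|jse|wsf|wsh|reg|lnk)"?([[:space:]]|;|$)'

write_squid_conf() {
  mkdir -p "$PREFIX/etc/squid"
  cat > "$PREFIX/etc/squid/squid.conf" <<EOF
# Squid as http/ftp proxy for the pupils' LAN (added example)
http_port 3128
acl lan src $LAN_NET
acl Safe_ports port 80 443 21 1025-65535
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow lan
http_access deny all
# Squid fetches ftp:// URLs on the clients' behalf using passive FTP, so the
# firewall in front of it only needs to allow outbound TCP from the proxy;
# no inbound data connections have to be opened (Philipp's passive-ftp note).
ftp_passive on
EOF
}

write_postfix_filter() {
  mkdir -p "$PREFIX/etc/postfix"
  # mime_header_checks looks at the headers of every MIME part, which is where
  # attachment names live; header_checks alone would only see the top-level
  # message headers and miss them. regexp: tables need no postmap run.
  printf '/%s/ REJECT Attachment type not allowed on this server\n' "$ATTACH_PAT" \
    > "$PREFIX/etc/postfix/mime_header_checks"
  cf="$PREFIX/etc/postfix/main.cf"
  grep -q '^mime_header_checks' "$cf" 2>/dev/null ||
    echo 'mime_header_checks = regexp:/etc/postfix/mime_header_checks' >> "$cf"
}

# Returns 0 if the given MIME header line would be rejected, 1 otherwise.
check_attachment() {
  printf '%s\n' "$1" | grep -Eiq "$ATTACH_PAT"
}

case "${1:-}" in
  write) write_squid_conf; write_postfix_filter
         echo "written under ${PREFIX:-/}; run 'squid -k parse' and 'postfix reload' to activate" ;;
  check) shift; check_attachment "$*" && echo REJECT || echo PASS ;;
  *)     echo "usage: [PREFIX=dir] $0 write | $0 check '<MIME header line>'" >&2 ;;
esac
```

`sh proxy-mail.sh check 'Content-Disposition: attachment; filename="invoice.exe"'` prints REJECT, while a .pdf passes. Rejecting at SMTP time (rather than silently dropping) means the sender gets a bounce, which is the behaviour you want for the "someone double-clicked an .exe from webmail" case Christoph describes: the file never reaches a mailbox at all. The Squid part only covers http and ftp; for https Squid merely tunnels the CONNECT, so it cannot inspect those downloads.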
> <going into technical details> Proxy Fine. And now you make the proxy a Linux box running the Squid http/ftp proxy. It's easy to set up, it's not Windows and therefore it's more secure.

Uhhh. Yeah... I seriously wonder if it's time to start moderating this list, or perhaps for SuSE to create a suse-advocacy list.

-Kurt
>> 4. Windows attached to the internet? If not a must for some reason, don't do it. Windows is expensive in any way.
> The problem is that our administrator doesn't know much about Linux, and we have to use Windows as a web server because the pupils use FrontPage and ASP for their projects (I know that's lame, but I can't change that, sorry.)

Christoph, just a suggestion regarding the Windows IIS: you don't have to use it. There are some very good solutions out there, if ASP and FrontPage are the only reason. The FrontPage extensions have been available for Apache for years, so by now they run without bigger problems. I don't know about the security, but - hey - you want to run an IIS.... ;) For ASP there are some tools around and AFAIK a module for Apache too. I personally prefer Halcyon Instant ASP. It's not for free, but it provides nearly complete support for all kinds of ASP. However, the better way for the near future might be to switch to PHP for scripting.

Just my 2 cents...

Cheers,
Ralf

* Ralf 'coko' Koch
* mailto:info@formel4.de
--- Good news: Windows 2000 is 100% compatible. The world's best researchers are still looking for what with.
participants (6)
- Bjoern Engels
- Christoph Pernsteiner
- Klaus Botschen
- Kurt Seifried
- Philipp Snizek
- Ralf Koch