Mailinglist Archive: opensuse-security (465 mails)

AW: [suse-security] Offtopic (maybe): Proposal for school network
  • From: "Philipp Snizek" <mailinglists@xxxxxxxxx>
  • Date: Tue, 4 Dec 2001 17:51:52 +0100
  • Message-id: <000001c17ce3$fa09a100$b600000a@xxxxxxxxxxxxxx>
Hi

I don't know what you want to fight off with your design but generally I would not do it like that. I once ran such a design but it caused too much uncontrollable network noise. If you can run with two leased lines (one for the internet servers and one for your LAN) you'll do best. If not, I'd do it like this:

          inet
           |
           |
DMZ ---- Firewall1
           |
           |
         Firewall2
           |
           |
          LAN



1. Logging. Firewall1 logs everything. Firewall2 only logs stuff that tries to penetrate it. This'll keep your Firewall2 logs free of DMZ traffic pollution.
2. NIDS. Run a NIDS on all firewalls including one dedicated NIDS box in your DMZ -> could be instead of your Win2k domain controller.
3. Domain controller in a DMZ: You don't need that. We're talking about network layers, not about application layers.
4. Windows attached to the internet? If not a must for some reason, don't do it. Windows is expensive in any way.
5. Proxy: You'll be fine running it on Firewall2.
6. Diversification: Firewall1 OS <> Firewall2 OS.

HTH
Philipp






>-----Original Message-----
>From: Christoph Pernsteiner [mailto:chriz@xxxxxx]
>Sent: Tuesday, 4 December 2001 16:24
>To: Suse Security Mailinglist
>Subject: [suse-security] Offtopic (maybe): Proposal for school network
>
>
>Hello,
>
>my name is Christoph and I attend a business school. Our school
>administrator formed a working group for network and computer related
>problems. Our first task is to review the existing security system and
>to improve it or create a new one. I worked on a new network design
>for the school network, and I first created a draft. The first version
>of the draft can be downloaded from
>http://www.festlinfo.at/schoolnetwork.jpg. Would somebody be so kind
>and make comments on it or criticize it because I want to improve it.
>I know a little bit about computer security and I want to learn more.
>I apologize for being off topic, but I wanted some experts to review the
>draft.
>
>Have a nice day,
>
>Christoph Pernsteiner
>
>--
>Black holes are where god divided by zero.

