Mailinglist Archive: opensuse-security (685 mails)

RE: [suse-security] RFC: Network Setup
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Wed, 6 Feb 2002 07:30:48 +0100
  • Message-id: <96C102324EF9D411A49500306E06C8D1A56D22@xxxxxxxxxxxxxxxxx>
> thanks for your reply. You advised me not to connect the administrative
> network to the normal LAN. I understand that there is a security risk, but
> this was what I actually wanted to do. The idea was that I wanted to
> administer the computers from my desktop without interference with the
> productive traffic.

If you connect the administrative network to the internal network, you're
circumventing the firewall that separates DMZ and internal network, thereby
creating a side passage into your LAN. That is something you do not want to
do.

To avoid this problem, you'd need a second firewall between the
administrative network and your internal network with at least the same
security enforcement as the one between the DMZ and the internal network.

> > You achieve even more security by employing point-to-point links between
> > the DMZ machines and those in the management network. Since this becomes
> > impractical quickly if performed based on physical distinction, I often
> > recommend the use of end-to-end IPSec within the management network.
>
> Sorry, but I can't understand this. What do you mean by it?

You've got a number of DMZ machines, such as the firewalls and a couple of
proxies, and a number of machines in the administrative network, e.g. a
syslog server, an NTP server, a backup server and one or more administrative
workstations. If the administrative network is on a shared medium, e.g.
Ethernet, FDDI or Token Ring, you have the problem that other nodes can
potentially listen to others' conversations, perhaps even inject traffic
into those conversations or successfully pretend to be one of the other
nodes with malicious intent. This cannot happen if point-to-point links are
used between all nodes that need to communicate. However, physical
point-to-point links don't scale well: you need a separate cable and
interface for every machine and link. Therefore, you can use IPSec to create
virtual point-to-point links by encrypting and authenticating the traffic
between the nodes end-to-end.

Hope that's clearer.

Tobias
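An added illustration of the "virtual point-to-point links" idea in the mail above (example code, not part of the original thread or any project). It assumes Linux IPsec policy management with `ip xfrm` and constructed sample addresses for the management nodes named in the mail; setting up the ESP security associations themselves (keys, SPIs) is assumed to be done by an IKE daemon and is not shown.

```python
"""Generate and check a full mesh of transport-mode IPsec policies so that
every pair of management-network nodes only talks over ESP.  Addresses are
constructed samples; the ESP SAs (keys, SPIs) would come from an IKE daemon
or `ip xfrm state`, which this script deliberately does not cover."""
from itertools import permutations

# Constructed sample: the management-network nodes named in the mail.
MGMT_NODES = {
    "syslog": "10.10.0.10",
    "ntp": "10.10.0.11",
    "backup": "10.10.0.12",
    "admin-ws": "10.10.0.20",
}

POLICY = ("ip xfrm policy add src {src}/32 dst {dst}/32 dir {dir} "
          "tmpl proto esp mode transport level required")


def host_policies(host, peers):
    """Commands to run on `host`: an 'out' policy towards each peer and an
    'in' policy from each peer.  Transport mode keeps the end-to-end
    addressing (a virtual point-to-point link); `level required` makes the
    kernel drop any plaintext packet matching the selector, so a node on the
    shared medium that sniffs, injects or spoofs without the ESP keys gets
    nothing useful."""
    cmds = []
    for peer in sorted(peers):
        if peer == host:
            continue
        cmds.append(POLICY.format(src=host, dst=peer, dir="out"))
        cmds.append(POLICY.format(src=peer, dst=host, dir="in"))
    return cmds


def required_pairs(cmds):
    """Parse (src, dst) from generated or captured `ip xfrm policy` lines."""
    pairs = set()
    for c in cmds:
        w = c.split()
        if "level" in w and w[w.index("level") + 1] == "required":
            pairs.add((w[w.index("src") + 1].split("/")[0],
                       w[w.index("dst") + 1].split("/")[0]))
    return pairs


def unprotected_pairs(nodes, cmds):
    """Ordered (src, dst) pairs with no 'required' policy, i.e. conversations
    that would still cross the shared medium in plaintext."""
    wanted = set(permutations(nodes.values(), 2))
    return sorted(wanted - required_pairs(cmds))


if __name__ == "__main__":
    ips = list(MGMT_NODES.values())
    all_cmds = [c for h in ips for c in host_policies(h, ips)]
    print("\n".join(all_cmds))
    print("unprotected:", unprotected_pairs(MGMT_NODES, all_cmds))
```

Running `unprotected_pairs` against the policies actually installed on each host (captured with `ip xfrm policy show`) is the check that no management conversation was left outside the mesh.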