Aaron,
#Proposed network layout:
#- Set up IP filtering on router to Internet
#- Behind the router will then be the DMZ (is this correct? Should I set up
#a firewall behind the router and then the DMZ?)
#- In the DMZ I will have my Web Servers, Mail Server, DNS, and FTP.
#- Behind the DMZ is the firewall (I haven't decided which one to use
#yet... probably FW-1 NT)
#- This firewall will use NAT to make the internal network "invisible" and use
#192.168.x.y addresses for internal workstations.
There are many ways to set up a dmz. It can be a network between a
filtering router and a firewall or you can have a firewall with 3 network
cards and hang the dmz off of the third network card. I would hang the dmz
off of a third network card on the firewall since this will allow the
firewall to protect your web servers as well as the internal network. I
think FW-1 on the Nokia platform may be a better choice than on the NT
platform. Nokia has hardened their stripped down version of BSDI (I
believe that is the OS they used) so it should be more secure than a
default install of NT.
#1) How can I set this up so my Developers can still browse with Windows
#Explorer to a mapped drive on a server in the DMZ?
If your web servers and developers are on the same network then you do
not need to do anything. If there will be a firewall between your web
servers and developers then you will need to open the appropriate TCP and
UDP ports in the access control list. TCP and UDP ports 137-139 should be
enough to get drive mapping to work. This is a list of ports used by NT
and what they are used for.
Windows NT V4.0 service        UDP ports       TCP ports
Browsing                       137,138
DHCP Lease                     67,68
DHCP Manager                   135
Directory Replication          138             139
DNS Administration                             139
DNS Resolution                 53
Event Viewer                                   139
Logon Sequence                 137,138         139
Netlogon                       138
Pass Through Violation         138
Performance Monitor                            139
PPTP                                           1723 (plus IP protocol 47)
Printing                       137,138         139
Registry Editor                                139
Server Manager                                 139
Trusts                         137,138         139
User Manager                                   139
WinNT Diagnostics                              139
WinNT Secure Channel           137,138         139
WINS Replication                               42
WINS Manager                                   135
WINS Registration                              137
#2) Should the WINS server be on the internal network? Will WINS help me
in this situation?
The WINS server should definitely be on the internal network. I do
not believe drive mapping has much to do with WINS (but I am a *BSD expert
not an NT expert).
#3) My web servers are multi-homed with up to 100 IPs on a single system,
will this cause any problems for me?
What networks are they multi-homed on? Having one network they are on
protected by a firewall and the other not protected at all doesn't buy you
much network security. Or, if they exist on the external (to your firewall)
and internal networks then you can bypass the firewall through the web
servers.
#4) What software would I use as a Bastion Host, I see the term all the
#time, but are there any commercial (or Free) software/OS packages that
#are used for this purpose?
The firewall can do double duty as a bastion host as long as the
operating system it is running on is tightened down. The best
out-of-the-box OS for bastion hosts is OpenBSD (IMHO).
#5) What kind of IP filtering rules should be on my router?
Depends completely on what kind of traffic is being sent to and received
from the internet. Some examples are:
DNS Port 53 UDP (outbound, inbound to dns server)
SMTP Port 25 TCP (outbound, inbound to mail server or firewall)
HTTP Port 80 TCP (outbound, inbound to dmz)
HTTPS Port 443 TCP (outbound, inbound to dmz)
ICMP (outbound)
These will probably be needed at a minimum.
#6) Should I set up a different NT Domain for the servers and one for the
#internal workstations? Then set up a one-way trust relationship?
If the web servers are on a dmz then it is a good idea to give them their
own domain.
#7) Should I be using NAT on the firewall with private IPs inside, or will
#this not allow me to communicate with the NT servers in the DMZ?
NAT should not interfere with internal workstations communicating with dmz
servers as long as your routing is set up correctly. If your dmz hangs off
of a third network card on the firewall then you do not need to do NAT
between your internal and dmz networks.
#8) Is there anything else I should be concerned about or address when
#setting up my security system? (aside from the obvious ones)
Don't use NT :-)
Regards,
Jeffery Gieser
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
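As an added illustration of the policy discussed in this thread (this is not code from the original message, nor from FW-1, Nokia or any other product named above), the following Python script models the three-legged layout the reply recommends: one firewall with an Internet, a DMZ and an internal leg. It encodes the rules given in the answers to questions 1 and 5 (TCP/UDP 137-139 from the internal network to the DMZ; DNS, SMTP, HTTP and HTTPS inbound only to the hosts that serve them; DNS, SMTP, HTTP, HTTPS and ICMP outbound) with an implicit deny for everything else, and then checks a handful of constructed packets against it, including the cases a reviewer would want to see rejected (NetBIOS from the Internet, anything from the DMZ into the internal network). The 192.168.0.0/16 internal range follows the thread; the DMZ and Internet addresses, the DNS and mail server hosts, and the first-match rule ordering are assumptions made for the example.

```python
# Added example, not from the original thread: a small stateless, first-match
# packet-filter evaluator that encodes the three-legged firewall policy the
# reply describes. Every address below is constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Zones. 192.168.x.y follows the thread; 203.0.113.0/24 (DMZ) and
# 198.51.100.0/24 (Internet) are documentation ranges used as stand-ins.
INTERNAL = (ip_network("192.168.0.0/16"),)
DMZ = (ip_network("203.0.113.0/24"),)
DNS_SERVER = (ip_network("203.0.113.53/32"),)   # assumed DMZ DNS host
MAIL_SERVER = (ip_network("203.0.113.25/32"),)  # assumed DMZ mail host
INTERNET = "internet"  # sentinel: any address not in INTERNAL or DMZ


def in_zone(ip, zone) -> bool:
    """True if ip belongs to the zone (a tuple of networks or INTERNET)."""
    if zone == INTERNET:
        return not any(ip in n for n in INTERNAL + DMZ)
    return any(ip in n for n in zone)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp" or "any"
    src: object                    # zone the source must belong to
    dst: object                    # zone the destination must belong to
    ports: Tuple[int, ...] = ()    # inclusive dest-port range; () = any port
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if not in_zone(ip_address(pkt.src), self.src):
            return False
        if not in_zone(ip_address(pkt.dst), self.dst):
            return False
        if self.ports:
            lo, hi = self.ports
            if pkt.dport is None or not lo <= pkt.dport <= hi:
                return False
        return True


def evaluate(rules, pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; a packet matching no rule is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.note
    return "deny", "implicit deny (no rule matched)"


FIREWALL_RULES = [
    # Q1: drive mapping from internal developers to DMZ servers (TCP/UDP 137-139).
    Rule("permit", "tcp", INTERNAL, DMZ, (137, 139), "NetBIOS internal -> dmz"),
    Rule("permit", "udp", INTERNAL, DMZ, (137, 139), "NetBIOS internal -> dmz"),
    # Q5 inbound: only the published services, only to the hosts that run them.
    Rule("permit", "udp", INTERNET, DNS_SERVER, (53, 53), "dns -> dns server"),
    Rule("permit", "tcp", INTERNET, MAIL_SERVER, (25, 25), "smtp -> mail server"),
    Rule("permit", "tcp", INTERNET, DMZ, (80, 80), "http -> dmz"),
    Rule("permit", "tcp", INTERNET, DMZ, (443, 443), "https -> dmz"),
    # Q5 outbound from the internal and DMZ networks.
    Rule("permit", "udp", INTERNAL + DMZ, INTERNET, (53, 53), "dns out"),
    Rule("permit", "tcp", INTERNAL + DMZ, INTERNET, (25, 25), "smtp out"),
    Rule("permit", "tcp", INTERNAL, INTERNET, (80, 80), "http out"),
    Rule("permit", "tcp", INTERNAL, INTERNET, (443, 443), "https out"),
    Rule("permit", "icmp", INTERNAL + DMZ, INTERNET, (), "icmp out"),
    # Nothing else: in particular no traffic from the DMZ into the internal net.
]


def check_policy():
    """Run constructed packets through the policy; returns {label: action}."""
    cases = {
        "internet->dmz http": Packet("198.51.100.7", "203.0.113.80", "tcp", 80),
        "internet->dmz netbios": Packet("198.51.100.7", "203.0.113.80", "tcp", 139),
        "internal->dmz netbios": Packet("192.168.1.10", "203.0.113.80", "tcp", 139),
        "internet->internal netbios": Packet("198.51.100.7", "192.168.1.10", "tcp", 139),
        "dmz->internal netbios": Packet("203.0.113.80", "192.168.1.10", "tcp", 139),
        "internal->internet http": Packet("192.168.1.10", "198.51.100.7", "tcp", 80),
        "internal->internet telnet": Packet("192.168.1.10", "198.51.100.7", "tcp", 23),
        "internet->dns server dns": Packet("198.51.100.7", "203.0.113.53", "udp", 53),
        "internet->web server dns": Packet("198.51.100.7", "203.0.113.80", "udp", 53),
        "internal->internet ping": Packet("192.168.1.10", "198.51.100.7", "icmp"),
    }
    return {label: evaluate(FIREWALL_RULES, pkt)[0] for label, pkt in cases.items()}


if __name__ == "__main__":
    for label, action in check_policy().items():
        print(f"{action:6s} {label}")
```

The point of the "dmz->internal" and "internet->dmz netbios" cases is the one the reply makes about hanging the DMZ off a third interface: the same device that publishes port 80 and 443 to the world is also the only path from the DMZ back into the internal network, so a compromised web server gets no further than the rules above let it, and the NetBIOS ports opened for the developers are reachable only from the internal leg.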