RE: [Leaf-user] DMZ Options - additional questions

2002-03-08 Thread Tony

Good Morning,

I am resending a message that got no response the last time; I would
appreciate any input anyone might have.

I am going to try and implement this on Sunday.

Thanks in advance

Tony

Good Evening,

I would like to build on this DMZ discussion and combine it with a post that
Matt had a few days ago.
My situation is that I am going to implement a DMZ with the private switch,
and have a second firewall (MS ISA server) between the DMZ and internal
network.

Here is a lame pic of what I want to do:

Internet
 |
 |
 |
 |eth0 (IP assigned from RR)
LRP Box
 | |
 | |eth1(192.168.1.2)
 | |
 | |_ 192.168.1.0/24 DMZ
 |
 eth2 (192.168.1.3)
 |
192.168.1.1 ISA ext. nic
192.168.0.1 ISA int. network
 |
 |
Internal network (192.168.0.0/24)

OK, now what I was thinking was that the eth1 and eth2 would be on the same
subnet.  This way, updating the web server from the internal network would
be fairly easy, because the internal net's default gateway is the ISA server,
and the external nic on the ISA server has a default gateway of the LRP box.
Same with the DMZ box.  Assuming they penetrate the LRP box and hack the DMZ
server, they are still removed from the internal net by the ISA server.

I want to allow the DMZ box access to an Access database on the internal
network (read only), and the DMZ box also needs access to relay SMTP messages
to an internal Exchange box.  The DMZ box is a W2K server running IIS and
SMTP w/ ISA's message screener.  (Everything is patched :-)

Anyway, what do you all think?  Any flaws you can see in this plan?

I appreciate all the feedback you can give

Thanks

Tony

   Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO) 
 
  Proxy
  NAT
  Private...
 
  Does PRIVATE mean that I have a DMZ, but with PRIVATE IP ranges etc.?

 YES - This is a traditional routed DMZ...your ISP routes a block of IP's
 to the external interface of your firewall

 PROXY - A Proxy-ARP DMZ...used if you've got a block of static IP's from
 your ISP.  The firewall essentially glues together two identical network
 segments, allowing your DMZ systems to be configured with public IP's (just
 like they were connected directly to your upstream modem), but still having
 the protection of a firewall.

 NAT - Similar to a Proxy-ARP setup, but uses static-NAT translation instead.
 Each DMZ system is configured with a private IP, and a translation table is
 built, converting public IP's to the private IP of your DMZ systems.

 PRIVATE - This architecture is unique...it port-forwards specific services
 to DMZ machines, which have private IP's.  The main benefit is you don't
 have to have multiple IP's assigned to be able to implement this form of
 DMZ.

 NO - No DMZ

 Charles Steinkuehler
 http://lrp.steinkuehler.net
 http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] DMZ Options - additional questions

2002-03-08 Thread Charles Steinkuehler

 OK, but how does the network setup look on the webserver?  I envisioned
 something like:

 IP=192.168.1.100
 Mask=255.255.255.0
 GW=192.168.1.2 (eth2 on LEAF box)
 How would SMTP know to forward to the ISA server?

 I guess I could point the SMTP server on the protected box to point to the
 external interface of the ISA server, who would be listening for SMTP
 traffic from that IP. {guess I just answered my own question}

 BTW, ISA = Microsoft Internet Security & Acceleration Server 2000

 If I set up the LEAF server as a more typical setup with a different subnet
 for the DMZ, the default rules would not allow communication to the
 protected network (eth1 internal), right?  Internal could initiate
 communications with the DMZ, but not vice versa, correct?  That was what I
 was going to do initially, but was pretty sure it would fail.  If this is a
 better way, perhaps I could craft some rules that said, essentially, the only
 traffic that could be routed to the internal network is SMTP traffic and ISA
 message filter DCOM traffic.

This all makes sense, until I get to the end, where you indicate you want to
push SMTP (and other) traffic to your internal net.  The whole point of
having a screened subnet or DMZ is to keep public servers *OUT* of your
internal net.  It's almost always possible to restructure a network that
requires inbound connections so that inbound connections are only permitted
on the DMZ.

 Back to the screened subnet, all on the same subnet as first described.  So
 any inbound comm allowed would head to the internal network, and then be
 forwarded based on rules (i.e. web traffic to this IP, SMTP to that IP,
 etc.).  The second firewall (ISA) would then decide whether or not to allow
 inbound to the real internal network.  For example, I also want to set up a
 VPN eventually.  The access would be allowed/denied from the ISA server, who
 would have access to Active Directory domain info.  Again, all forwarding
 could be accomplished by rules at the LEAF box.

 Does that sound like I am on the right track?

It's really hard to tell...it sounds like you're running an e-mail server
BEHIND the ISA, on your internal net.  If so, this is a *REALLY BAD IDEA*,
and pretty much defeats the whole purpose of a screened subnet architecture.
Your comments about VPN, however, are correct...you could easily set up the
ISA to be a VPN gateway for the real internal subnet.  BTW:  What you
refer to as the internal network above (the network between the Dachstein box
and the ISA) should be called the screened subnet, although you'll still
have to use the INTERN_* variables in network.conf to configure it :-/

If you don't have a copy already, pick up O'Reilly's Building Internet
Firewalls and take a look at chapter 6, Firewall Architectures.  It's an
excellent resource when trying to design safe network architectures, and
includes excellent (and very readable) descriptions of architectures that
work, and architectures to avoid (often for subtle, non-obvious reasons).

If you want general advice from the list, you're going to have to provide a
lot more detail about exactly what you're trying to accomplish...I've tried
to make what comments I could, but it's hard trying to read between the
lines and figure out what services you're running where...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


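An added example, not from the thread, from Dachstein's network.conf, or from Charles's site: the forwarding policy Charles is arguing for (public services published only into the screened subnet, internal hosts may reach the DMZ, the DMZ may never open connections toward the internal net), written as Netfilter iptables rules for a three-interface firewall rather than the ipchains rules Dachstein generates. It also shows the "PRIVATE" DMZ mode from Charles's option list, port-forwarding HTTP and SMTP from the single public address to a DMZ host. Assumptions: eth0 is the Internet side, eth1 is the DMZ on 192.168.1.0/24 with the web/SMTP host at 192.168.1.100 (the address Tony envisioned), and eth2 is the internal net on 192.168.0.0/24, i.e. separate subnets as Charles suggests rather than Tony's same-subnet layout. The IPT variable can be set to "echo" to review the rules without applying them.

```shell
#!/bin/sh
# Added example: three-legged screened-subnet policy as iptables rules.
# Assumed layout (not the thread's exact addressing):
#   eth0 = Internet (address from the ISP)
#   eth1 = screened subnet / DMZ, 192.168.1.0/24, web+SMTP host 192.168.1.100
#   eth2 = internal network, 192.168.0.0/24
# Set IPT=echo to print the rules instead of loading them.

IPT="${IPT:-iptables}"
EXT_IF=eth0
DMZ_IF=eth1
INT_IF=eth2
DMZ_NET=192.168.1.0/24
INT_NET=192.168.0.0/24
DMZ_HOST=192.168.1.100   # constructed: the IIS/SMTP box in the DMZ

firewall_rules() {
    # Default deny for everything this box forwards; start from empty chains.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING

    # Replies belonging to connections that were already allowed.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # "PRIVATE" DMZ: publish only specific services on the one public address
    # by port-forwarding them to the DMZ host (private IP, no extra IPs needed).
    $IPT -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 -j DNAT --to-destination $DMZ_HOST
    $IPT -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 25 -j DNAT --to-destination $DMZ_HOST
    $IPT -A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_HOST -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_HOST -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # Internal hosts may open connections into the DMZ (e.g. to update the web server).
    $IPT -A FORWARD -i $INT_IF -o $DMZ_IF -s $INT_NET -d $DMZ_NET -m state --state NEW -j ACCEPT

    # Outbound Internet access from both inside networks, masqueraded.
    $IPT -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE
    $IPT -t nat -A POSTROUTING -o $EXT_IF -s $DMZ_NET -j MASQUERADE
    $IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_NET -m state --state NEW -j ACCEPT

    # The whole point of the screened subnet: nothing the DMZ initiates reaches
    # the internal net. Logged explicitly so a compromised DMZ host probing
    # inward shows up in the firewall log instead of silently disappearing.
    $IPT -A FORWARD -i $DMZ_IF -o $INT_IF -m state --state NEW -j LOG --log-prefix "DMZ->INT blocked: "
    $IPT -A FORWARD -i $DMZ_IF -o $INT_IF -j DROP
    # Nothing from the Internet reaches the internal net directly either.
    $IPT -A FORWARD -i $EXT_IF -o $INT_IF -j DROP
}

# Usage: "sh dmz-rules.sh print" to review, "sh dmz-rules.sh apply" to load.
case "${1:-}" in
    apply) firewall_rules ;;
    print) IPT=echo; firewall_rules ;;
esac
```

Mail relay is the case Charles flags: with this policy the DMZ SMTP host can accept mail from the Internet but cannot push it to an Exchange box on 192.168.0.0/24; the internal mailer would instead have to fetch from, or initiate the session to, the DMZ relay, which is exactly the restructuring he describes.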