Re: [Leaf-user] DMZ Options - additional questions
> OK, but how does the network setup look on the webserver? I envisioned
> something like:
>
> IP=192.168.1.100
> Mask=255.255.255.0
> GW=192.168.1.2 (eth2 on LEAF box)
> How would SMTP know to forward to the ISA server?
>
> I guess I could point the SMTP server on the protected box to the
> external interface of the ISA server, who would be listening for SMTP
> traffic from that IP. {guess I just answered my own question}
>
> BTW, ISA = Microsoft Internet Security & Acceleration Server 2000
>
> If I set up the LEAF server as a more typical setup with a different subnet
> for the DMZ, the default rules would not allow communication to the
> protected network (eth1 internal) right? Internal could initiate
> communications with the DMZ, but not vice versa, correct? That was what I
> was going to do initially, but was pretty sure it would fail. If this is a
> better way, perhaps I could craft some rules that said essentially, the only
> traffic that could be routed to the internal network is SMTP traffic and ISA
> message filter DCOM traffic.

This all makes sense, until I get to the end, where you indicate you want to
push SMTP (and other) traffic to your internal net. The whole point of having
a screened subnet or DMZ is to keep public servers *OUT* of your internal net.
It's almost always possible to restructure a network that requires inbound
connections so that inbound connections are only permitted on the DMZ.

> Back to the screened subnet, all on the same subnet as first described. So
> any inbound comm allowed would head to the internal network, and then be
> forwarded based on rules (i.e. web traffic to this IP, SMTP to that IP, etc.
> The second firewall (ISA) would then decide whether or not to allow inbound
> to the real internal network. For example, I also want to setup a VPN
> eventually. The access would be allowed/denied from the ISA server who
> would have access to Active Directory domain info. Again, all forwarding
> could be accomplished by rules at the LEAF box.
>
> Does that sound like I am on the right track?

It's really hard to tell...it sounds like you're running an e-mail server
BEHIND the ISA, on your internal net. If so, this is a *REALLY BAD IDEA*, and
pretty much defeats the whole purpose of a screened subnet architecture.

Your comments about VPN, however, are correct...you could easily set up the
ISA to be a VPN gateway for the "real" internal subnet.

BTW: What you refer to as "internal network" above (the network between the
Dachstein box and the ISA) should be called the "screened subnet", although
you'll still have to use the INTERN_* variables in network.conf to configure
it :-/

If you don't have a copy already, pick up O'Reilly's "Building Internet
Firewalls" and take a look at chapter 6, "Firewall Architectures". It's an
excellent resource when trying to design "safe" network architectures, and
includes excellent (and very readable) descriptions of architectures that
"work", and architectures to avoid (often for subtle, non-obvious reasons).

If you want general advice from the list, you're going to have to provide a
lot more detail about exactly what you're trying to accomplish...I've tried
to make what comments I could, but it's hard trying to read between the lines
and figure out what services you're running where...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] DMZ Options - additional questions
> I would like to build on this DMZ discussion and combine it with a post that
> Matt had a few days ago.
> My situation is that I am going to implement a DMZ with the private switch,
> and have a second firewall (MS ISA server) between the DMZ and internal
> network.
>
> Here is a lame pic of what I want to do:
>
>         Internet
>            |
>            |
>            |
>            |eth0 (IP assigned from RR)
>         LRP Box
>            | |
>            | |eth1 (192.168.1.2)
>            | |
>            | |_ 192.168.1.0/24 DMZ
>            |
>         eth2 (192.168.1.3)
>            |
>         192.168.1.1 ISA ext. nic
>         192.168.0.1 ISA int. network
>            |
>            |
>         Internal network (192.168.0.0/24)
>
> OK, now what I was thinking was, that the eth1 and eth2 would be on the same
> subnet. This way, updating the web server from the internal network would
> be fairly easy, because the internal net's default gateway is the ISA server,
> and the external nic on the ISA server has a default gateway of the LRP box.
> Same with the DMZ box. Assuming they penetrate the LRP box and hack the DMZ
> server, they are still removed from the internal net by the ISA server.
>
> I want to allow the DMZ box access to an Access database on the internal
> network (read only) and the DMZ box also needs access to relay SMTP messages
> to an internal Exchange box. The DMZ box is a W2K server running IIS and
> SMTP w/ ISA's message screener. (Everything is patched :-)
>
> Anyway, what do you all think? Any flaws you can see in this plan?
>
> I appreciate all the feedback you can give

You don't want to use a DMZ setup in this case. The architecture you're
describing is essentially another form of a screened subnet architecture,
only using two routers (the default DMZ setups in Dachstein are also screened
subnet architectures, but use a single router).

Basically, the "internal net" from the Dachstein box's perspective is your
"screened subnet". Any systems needing inbound connections from the internet
go on this network. Also connected to the screened subnet is your second
firewall/router (ISA), which I'm assuming means "Internet Sharing Appliance".

There's nothing fundamentally wrong with this architecture, other than
requiring two boxes, but if you've already got the existing ISA configured,
and don't want to change your existing internal network configuration while
adding a protected server system, it's a good way to go.

Basically, you should wind up with the following setup:

        Internet
           |
         eth0
       LEAF Box
         eth1
           |
       Hub/Switch
          ||
          |\-- Server system(s)
          |
         ISA
          |
    Internal network

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] DMZ Options - additional questions
On Friday 08 March 2002 06:25, Tony wrote:
> Good Morning,
>
> I am resending a message that got no response the last time, I would
> appreciate any input anyone might have.

I apologize!

Unfortunately, it won't work with eth1 and eth2 (or any routed subnets on
the same subnet). In other words, to NAT and access each other, the NICs
must be on different subnets to allow routing. The diagram implies
addressing that would not be possible to route on _any_ router.

What _might_ work, is running the ISA firewall as a separate link itself in
between the DMZ and the internal subnet. This would assume a standard
addressing scheme for the internal net and DMZ (ie... 192.168.1.x for
internal and 192.168.2.x for DMZ). I can't honestly tell you how well this
would work, or imply that it is very secure, but in the past some people
have been known to get this functional.

I'm assuming that you're using Dachstein, since you're basing some of this
post on one of Charles' posts. This brings another "gotcha" into the
picture. If you plan on changing the internal net addressing from
192.168.1.0, you will have to change every LAN-capable service by hand to
reflect this. These services include dhcpd, dnscache, weblet, and possibly
others. I think the default install requires changes in seven places, so be
aware.

I hope this helps!

--
~Lynn Avants
aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!
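As an added illustration (not LEAF/Dachstein configuration, and not code posted by anyone in this thread), the following Python model captures the two points made in the replies above: Lynn's, that eth1 and eth2 cannot both sit in 192.168.1.0/24 if the box is to route between them, and Charles', that the internal network may open connections into the screened subnet while the screened subnet must never open connections into the internal network, with the Internet reaching only the services a PRIVATE-style DMZ port-forwards. The public addresses, the Exchange and workstation addresses, and the 192.168.2.0/24 DMZ range are assumptions; the other addresses come from Tony's diagram.

```python
# Added example: a model of the screened-subnet policy discussed in this thread.
# It is not LEAF/Dachstein code. Addresses from Tony's diagram are used where
# available; everything marked "constructed" is an assumption for the example.
from ipaddress import ip_address, ip_network
from itertools import combinations


def overlapping_interfaces(ifaces):
    """Return pairs of interface names whose subnets overlap. A router cannot
    route between two interfaces that sit in the same subnet (Lynn's point)."""
    return [(a, b) for (a, na), (b, nb) in combinations(ifaces.items(), 2)
            if na.overlaps(nb)]


# As drawn in the thread: eth1 and eth2 both in 192.168.1.0/24
PROPOSED = {"eth1": ip_network("192.168.1.0/24"),
            "eth2": ip_network("192.168.1.0/24")}
# One routed subnet per interface (192.168.2.0/24 follows Lynn's suggestion)
FIXED = {"eth1": ip_network("192.168.1.0/24"),
         "eth2": ip_network("192.168.2.0/24")}

# Zones as seen by the LEAF box: the "screened subnet" between it and the ISA,
# and the real internal network behind the ISA.
ZONES = {"internal": ip_network("192.168.0.0/24"),
         "screened": ip_network("192.168.1.0/24")}
EXTERNAL_IP = ip_address("203.0.113.10")      # constructed public IP of the LEAF box
WEB = ip_address("192.168.1.100")             # web/SMTP host in the screened subnet
EXCHANGE = ip_address("192.168.0.10")         # constructed internal Exchange address
ADMIN = ip_address("192.168.0.20")            # constructed internal workstation
INTERNET_CLIENT = ip_address("198.51.100.7")  # constructed outside client
# PRIVATE-style DMZ: selected ports on the external IP are forwarded to screened hosts
PUBLISHED = {80: WEB, 25: WEB}


def zone_of(addr):
    """Classify an address as 'internal', 'screened' or 'internet'."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


class ScreenedSubnetFilter:
    """Stateful policy: internal hosts may open connections into the screened
    subnet, screened hosts may never open connections into internal (unless a
    (src, dst, port) tuple is listed in `exceptions`), and the Internet only
    reaches published screened-subnet services."""

    def __init__(self, exceptions=()):
        self.exceptions = set(exceptions)
        self.established = set()  # (src, sport, dst, dport) of accepted flows

    def forward_target(self, dst, dport):
        """Port forward: a published port on the external IP maps to a screened host."""
        if dst == EXTERNAL_IP and dport in PUBLISHED:
            return PUBLISHED[dport]
        return dst

    def allow_new(self, src, dst, dport):
        """May a NEW connection src -> dst:dport be opened?"""
        dst = self.forward_target(dst, dport)
        s, d = zone_of(src), zone_of(dst)
        if s == "internet":
            return d == "screened" and PUBLISHED.get(dport) == dst
        if s == "internal":
            return True        # admins may reach the screened subnet and the Internet
        if s == "screened":
            if d == "internal":
                return (src, dst, dport) in self.exceptions
            return True        # screened hosts may reach the Internet
        return False

    def packet(self, src, sport, dst, dport):
        """Return 'ACCEPT' or 'DROP' for one packet, remembering accepted flows
        so that replies (e.g. a screened host answering an admin's session)
        pass without opening the screened -> internal direction."""
        dst = self.forward_target(dst, dport)
        if (src, sport, dst, dport) in self.established:
            return "ACCEPT"
        if (dst, dport, src, sport) in self.established:
            return "ACCEPT"    # reply to an established flow
        if self.allow_new(src, dst, dport):
            self.established.add((src, sport, dst, dport))
            return "ACCEPT"
        return "DROP"


def run_sample(exceptions=()):
    """Evaluate a constructed set of packets; returns {label: decision}."""
    fw = ScreenedSubnetFilter(exceptions)
    return {
        "internet->web:80":       fw.packet(INTERNET_CLIENT, 40000, EXTERNAL_IP, 80),
        "web->internet reply":    fw.packet(WEB, 80, INTERNET_CLIENT, 40000),
        "internet->ext:443":      fw.packet(INTERNET_CLIENT, 40001, EXTERNAL_IP, 443),
        "admin->web:80":          fw.packet(ADMIN, 50000, WEB, 80),
        "web->admin reply":       fw.packet(WEB, 80, ADMIN, 50000),
        "web->exchange:25 (new)": fw.packet(WEB, 50001, EXCHANGE, 25),
    }


if __name__ == "__main__":
    print("overlapping (proposed):", overlapping_interfaces(PROPOSED))
    print("overlapping (fixed):   ", overlapping_interfaces(FIXED))
    for label, decision in run_sample().items():
        print(f"{label:26} {decision}")
```

With no `exceptions`, the only screened-to-internal packets that pass are replies to sessions the internal side opened, which is the asymmetry Tony asks about; the new SMTP connection from the web host to Exchange is dropped. Passing `exceptions={(WEB, EXCHANGE, 25)}` is the "only SMTP may be routed inward" rule from the thread, and it makes visible that such a rule is precisely a hole from the screened subnet into the internal network, which is what Charles advises restructuring away.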
RE: [Leaf-user] DMZ Options - additional questions
Good Morning,

I am resending a message that got no response the last time, I would
appreciate any input anyone might have. I am going to try and implement
this on Sunday.

Thanks in advance
Tony

Good Evening,

I would like to build on this DMZ discussion and combine it with a post that
Matt had a few days ago.
My situation is that I am going to implement a DMZ with the private switch,
and have a second firewall (MS ISA server) between the DMZ and internal
network.

Here is a lame pic of what I want to do:

        Internet
           |
           |
           |
           |eth0 (IP assigned from RR)
        LRP Box
           | |
           | |eth1 (192.168.1.2)
           | |
           | |_ 192.168.1.0/24 DMZ
           |
        eth2 (192.168.1.3)
           |
        192.168.1.1 ISA ext. nic
        192.168.0.1 ISA int. network
           |
           |
        Internal network (192.168.0.0/24)

OK, now what I was thinking was, that the eth1 and eth2 would be on the same
subnet. This way, updating the web server from the internal network would
be fairly easy, because the internal net's default gateway is the ISA server,
and the external nic on the ISA server has a default gateway of the LRP box.
Same with the DMZ box. Assuming they penetrate the LRP box and hack the DMZ
server, they are still removed from the internal net by the ISA server.

I want to allow the DMZ box access to an Access database on the internal
network (read only) and the DMZ box also needs access to relay SMTP messages
to an internal Exchange box. The DMZ box is a W2K server running IIS and
SMTP w/ ISA's message screener. (Everything is patched :-)

Anyway, what do you all think? Any flaws you can see in this plan?

I appreciate all the feedback you can give

Thanks
Tony

> > > " Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO) "
> > >
> > Proxy
> > NAT
> > Private...
> >
> > Does PRIVATE mean, that i have a DMZ, but with PRIVATE ip ranges etc,
>
> YES - This is a traditional "routed" DMZ...your ISP routes a block of IP's
> to the external interface of your firewall
>
> PROXY - A "Proxy-ARP" DMZ...used if you've got a block of static IP's from
> your ISP. The firewall essentially "glues together" two identical network
> segments, allowing your DMZ systems to be configured with public IP's (just
> like they were connected directly to your upstream modem), but still having
> the protection of a firewall.
>
> NAT - Similar to a Proxy-ARP setup, but uses static-NAT translation instead.
> Each DMZ system is configured with a private IP, and a translation table is
> built, converting public IP's to the private IP of your DMZ systems.
>
> PRIVATE - This architecture is unique...it port-forwards specific services
> to DMZ machines, which have private IP's. The main benefit is you don't
> have to have multiple IP's assigned to be able to implement this form of
> DMZ.
>
> NO - No DMZ
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)