Strictly Secured Network Design (Any better ways ?) - Basic Network Architecture

Thanks for your reply.

OK, then I can use two firewalls, one after the router (or with the router, as they come in the same device nowadays), and another one after the DMZ. The DMZ in this case will use real ips, correct or wrong ? The firewall before the DMZ will will allow all traffic to all ports to the DMZ computers which have either one real ip address, or have a mapping in the firewall between a real ip address and their internal network address (192.168.2.1). Then, a firewall after the DMZ, which have the two networks connected to it, A and B ? Each has it's own hub/switch, and different net address, and how would they connect to each other ?

I think it is a good idea to have two firewalls, may be three if required. I just need more information if possible.

Thanks for your help again.


Regards,

it can use real ip's or use nat. this is your choice. in the case you want to use real ip's, then you need to be aware that your router/firewall will need to work as a "bridge firewall". and that's all.

I advise you to block ports and connections in the first firewall, allowing only the specified traffic to each host. for instance, the mail server need to have open ports 25, 110, 143, and maybe port 80, but of course do not need port 23 (telnet) or port 21 (ftp) I allways advise to leave open port 22 (ssh) if your servers are unix/linux based.

But the second firewall need to do NAT.  also you can forward between networks, like this
all traffic from B can see C
C can only answer to B
C.onlythishost can connect to B and to Internet
Filter host B.onlythisotherhost to not access anything but net B.

Of course Net B and C have their own HUB/SWITCH, and only one wire from the switch connects to the firewall. it happends the same with Net A, since it has many servers, you can use a HUB. I would preffer a SWITCH, of course =)

this is very easy to do with Linux/IPTABLES, and only takes one PC with three LAN Cards. think on it.

Regards

Thanks again,

How can you control that C can only answer B, nothing else, and such rules, is it through iptables ? In theory how do you implement it?

Thanks,

yeap. very easy.

iptables -A INPUT -s networkB/mask -d networkC/mask -j ACCEPT
iptables -A INPUT -s networkC/mask -j DENY
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

(no the the -m state --state ESTABLISHED,RELATED -j ACCEPT, which assures every connection you allow, can have any connection related open. with this, any connection from netB will be answered because the firewall is stateful and will allow the connection back with the response)


and this is managing only the INPUT chain. you can do more things easily.

Why not give www.shorewall.net a glance? Best firewall script i have seen for linux, and it comes pre configured for a 3-Interface system (You need four interfaces, but that is just as easy).

Thanks j2,

I am reading this now (shorewall) and seems interesting, but I am not sure if this is the best option to implement here, is it going to be secure, how could this be integrated with routers that have firewalls in them, and could this be secure if we have all the interfaces on one routers (single point of failre ?)

Thanks,

Why do you need to "integrate with routers that have firewalls in them"? Regardless of how you do this, the rules of _all_ devices between two endpoints will be cumulative. So i must say i do not understand your question. Shorewall is definitely as secure as anything you come up with in your own rule-sets.

You will have 4 zones

Net  Internet
DMZ Demilitarized Zone
LAA  Lan A
LAB  Lan B

What _i_ would do is to disable the firewall in your external router, and just use shorewall, then you can use Proxy-ARP for the DMZ which extremely nice. (Granted, you could keep the firewall, but then you would have to edit two rulesets to implement a rule)

But to address your questions in your original post

1. What do you mean "router shoudl only accept traffic from A" why would yo uwant clients to communicate with your router? Do you mean "Only clients in LAN-A should be able to access the internet, and C should not be able to do anything",

The we have the policies

LAA NET ACCEPT
ALL ALL REJECT

or do you mean that "Lan A and lan B should be able to access internet, but Lan B should not be able to access LAN-A?"

LAA NET ACCEPT
LAB NET ACCEPT
ALL ALL REJECT

or should LANA be able to talk to LANB _and_ to internet, but LANB only talk to internet.

LAA NET ACCEPT
LAB NET ACCEPT
LAA LAB ACCEPT
ALL ALL REJECT

See how easy shorewall is with policies?

Now, of course you can use the RULES file to make exceptions.. Lets say that LANB should be allowed to talk to LANA, but only on port 80

ACCEPT LAB LAA tcp 80

Now, you can mask it with source IP, destination IP et all, so its really flexible.


2. Just tell the shorewall to enable IP_FORWARDING, and it will do it all for you.

3. Just one resolver needed, just create a rule so each zone can talk to it, lets say that the DNS server is 10.10.10.10 and is in DMZ

ACCEPT all DMZ:10.10.10.10 udp 53
ACCEPT all DMZ:10.10.10.10 tcp 53

Done. (This also accepts trqffic from the internet to that server, but that is normally what you expect.


4. This _is_ a firewall between each network, since all zones have independant rules

5. I prefer DHCP, regardless of size/architecture

8. See answer (2) and (4)

9. See all of above ;)

10. The system running shorewall

11. By editing "policy" and "rules"

12. That question is not really a relevant question, since it is a composit of all of the above.

I have used shorewall in commercial enviroments with anything from between 1 to 400 clients, and 2 up to 16 zones, its a very potent system.

And of course shorewall has antispoofing, MAC-filtering, support for IPSec and OpenVPN tunnels, an very firendsly and active user list et. al.

your concern about a single point of failure is right, but then you must have two internet connections.
shorewall will do the job as long as it is an iptables script and it's already preconfigured. if you are concerned about having a replacement, you always can have a second pc ready to take the job of the box with second firewall. also must have a contract to cover your router/firewall with priority support.

with that, you should feel secure enough =)

Thanks for your comments.

What about using Checkpoint Firewall on a single pc, would that be a better option ?
Things like SPI, SmartDefense would they provide better security options and setup options ?
Apart from the cost, would it be a better alternative, or can I achieve the same results with shorewall (ip tables ...etc)


Thanks,

j2 is right.

maybe it cost more effort to have everything done in Linux+iptables, but with the Shorewall and other scripts you can have this step almost given

do this have a nice web menu or windows menu? no. it doesn't. but remember: security is inside the kernel of linux. (the netfilter core) while in windows is a vxd. and you should already know about the stability with windows.

Actually, FW-1 is _far_ from a VXD.. but still.

Ok, will start working on the shorewall.

My first point is the router, which has a firewall, then I will have the shorewall router / fw after the first router. Can I enable the DMZ feature of the router, and map the shorewall router to an external address outside on the first router ? eg. a.b.c.d --> 192.168.1.1.
But then, how can I define my DMZ in the shorewall router, should I give it another network range, or use the same range, I am a bit confused here:

Router / FW -- >    Shorewall FW & Router  ------------------------------> Network B
                               |              |    
                              DMZ        Network C

Can I do this and how to handle the DMZ network addresses ?

Thanks

Just to continue on the previous part, I already have 5 ip's to use, one is for my first router / fw. Then, how in this case can i use the rest of them in the DMZ.
I think I have two options:
1. to place the DMZ before the shorewall, and after my first router, but in this case how can I track requests from the DMZ to internal network C for example. I can use the MAC address / or ip, but is secure ?
2. to place the DMZ with the shorewall router, in this case, the shorewall router will have control on the DMZ. Will this option be more secure and reliable than the first one ?

In the first option, my router will map the rest of the static ip's to the DMZ. But in the second case, how can this work ?
Can I map address 192.168.1.x (same net as the first router) to an external static ip in the first router tables ? Then how to handle the DMZ in this case, should it take another network, (but I cannot map it from the first router in this case).

Thanks,

Use the DMZ feature f the router if you want, it makes no real difference. But i personally would not.

I would map ALL traffic WITHOUT filtering to the shorewall box. Use Proxy ARP for the DMZ and masq all bulk traffic from the LANs since i assume you do not have enough public IP's for all hosts.

And i am sorry to say this: But

"1. to place the DMZ before the shorewall, and after my first router, but in this case how can I track requests from the DMZ to internal network C for example. I can use the MAC address / or ip, but is secure ?"

That line shows you lack basic networking knowledge. No, you can NOT use the MAC-adress past a router. You have no option part from routing the traffic. This is the case even when using shorewall, or _any_ other set up. You must still instruct your network how to get traffic from point a to point b and back.

Next question, WHY would you allow a host in the DMZ to initiate a connection to a internal host in the first place? Them you have (more or less) elliminated the security advantage of having a DMZ in the first place.

Thanks j2 for your kind reply.

First If I am a net exp, then I wouldn't be going through many of the question on this page, which should be clear.
Second, for a web server /application server running in the DMZ, you have an infrastructure or a backend database to
perform front end / web trans. This is described originally in my question, when I wanted one of the computers in the DMZ to connect to only one specific computer through a specific port, I think this is a general practice in many companies that do trans on the web with a data base that they prefer not to be exposed to the same traffic as a DMZ computer.

Now, let me try to elaborate on your first reply for my lack of understanding ..... as an expert :

If you have computer A--------------> Computer B (Shorewall)

Can't you find  the MAC address of Computer A from Computer B ? (As computer A is connected to computer B, which is running shorewall..)

Thanks,

Actually.. what most companies do (mine included) is to use reverse proxies for SQL and such, which means that the _backend_ server connects to the server in the DMZ, and serves data through that fashion. If the connection i severed, the tunnel is closed, and no traffic will flow until the backend system restores it.

Yes, you can find the MAC-address of system A on the shorewall box. But you can NOT use a MAC-address to route between subnets.

you can use the MAC to filter out a computer to pass traffic to the interface regardless of IP, but you can not use it in routing decisions.

http://www.dotproject.net/

sorry! wrong window =) I was reading (still reading) my mistake

Thanks for your reply.

For reverse proxies, I am not sure how to implement it, do you have any site or docs to read so i can proceed with such an implementation, and know how the transaction initiates .. etc.

Thanks,

Reverse proxies are not a generic thing. You need to know exactly _what_ you need to proxy, and to/from what. Quite frankly, it is not where your focus should be right now. Get the basics up. Then worry about the finer details.

Just a quick one,

when using the shorewall on a server, is it better to run squid on the same server ?
Also is it better to have the DMZ masquarded ? (Some of the examples use dmz masq, some are using it without )?

Thanks

1.- yes, it is better to run squid in the same box, but you must left at least 32MB of RAM for Squid, and also 100MB of hard disk space at least, to take advantage of it

2.- there are two ways of make a DMZ. one is masquerading it (the most easy) while the other is bridging it. the second is very transparent but the first allows you to only forward the ports and protocols you are offering on each server, thus inherently making it more secure.

my advise: let the reverse proxies to the time when you really need them.

A web proxy _should_ live in the DMZ if you ask me, but it CAN live anywhere.

People who use masq for DMZ are usually people with only one public IP-adress. You CAN do this if you want even if you DO have enough public adresses.. but i prefer to have either public IP's proxy-ARPed, or use SNAT.

while SNAT is NAT, anyway.

also it's much more difficult to have a proxy living in the DMZ and at the same time manage ACL's and restrictions by user, etc.


proxy arp it's also nice =)

you can of course have services which live inside the network, and your firewall can handle a hole from the host in the DMZ to the one in the internal LAN, but it's preferable to avoid that. it's much better to have everyone to access services in the DMZ. also it's not bad to have a firewall in each host, and also harden it in order to not run any service which is not needed to run.

database servers are good examples of hosts that generally live inside the network, which are many times accesable trhu the firewall. but it's of course restricted, from a host in the DMZ to the internal database server, and managing a user/password well restricted.

Why would a proxy be more difficult to maintain in the DMZ? If anything it is easier. Also, read my comment on how to properly handle a db backend with an application server in the DMZ.