Re-IP'ing the entire network and using MS Radius

atmear (ASKER) asked:

Greetings all,

I have the grand task of re-IP'ing my network to better accommodate my corporate office.

I have a few questions-

1. I'd like to do this as quickly and efficiently as possible, so what sort of checklist or game plan should I use to accomplish that?

2. With this change, I have an opportunity to move some server-side stuff around. For instance, I would like to take down my external DNS server (on the DMZ) and bring up two new DNS servers on the inside of my network and NAT the traffic through. I know there is a great Q article to do this, but my question is actually about NAT'ing traffic. I have a PIX 515... Do you think NAT'ing is better than access lists? In other words, I have sort of shunned NAT'ing and NAT nothing at this point. Should I stay with my current trend or switch over to NAT'ing to accomplish my goal?

3. Currently my PIX uses local PIX accounts to allow local access. Does anyone know how, and/or how difficult it is, to set up the PIX 515 to work with MS RADIUS? I would like to do this so users can authenticate to the VPN using their network password.

4. Pulls from 3 too... Currently my users use the Cisco VPN client; I would also like to make it so they can use the MS VPN connection as well (with RADIUS working). I am not looking for a step-by-step answer here on the setup on the PIX, but what anyone thinks about this would be appreciated.

Thanks in Advance
Les Moore:
Chriskohn has some good points about the addressing scheme.

1. Consider using DHCP for all your clients; hard-code all servers. Set up your global scopes on the DHCP server. Consider long (30-day) leases as opposed to the default 3-day.

2. I would let the PIX do the NAT. This will keep your access-lists much shorter. Set up static NAT addresses for your internal servers (DNS, web, mail, etc.). This keeps them with private IP addresses, which can make it harder for hackers.

3. Setting up MS Windows2k RADIUS for VPN users is a snap:
http://www.cisco.com/warp/customer/110/cvpn3k_pix_ias.html

4. Using the MS PPTP client in addition to the Cisco VPN client is also a piece of cake. What version are you using? Version 6.2 has a really nice Java GUI that sets almost everything up for you through the PIX Device Manager.

Note: Unless you have the 3DES license, your MS PPTP sessions will only be 40-bit encryption - not very secure. You need the 3DES license to run 128-bit. Even at 56-bit, the standard IPSec client is more secure. Also, with the IPSec client, YOU can control things like split-tunneling, whereas with the PPTP client, all the user has to do is uncheck the box that says "use default gateway on remote network" and you have just been exposed.
atmear (ASKER):

We have a 75 to 100 node network, T1, WAN connection, PIX 515, Cisco 3550 GBit Switches, Cisco 2950 Switches, Printer, VPN... etc etc etc...

I know how the numbers and all the scope information work, along with how to do it... I was just wondering if anyone had a to-do list that was the most effective manner of going about this. Obviously, I change all routers and switches and then go to servers, desktops and printers...

Thank you to the both of ya for recognizing my effort of moving name servers to the inside, a good idea overall. I have a small question about that... My internal domain happens to actually be my actual external FQDN... long story short, I was told to AD-integrate the DNS functionality with AD... so my thoughts are I should bring up a new AD\DNS namespace and run that way with it internally.
What are y'all's thoughts?
Hi again atmear:
I would stick with your current external IPs as before, but translate them to internal addresses; this way it will keep things simpler. I don't think you will have to bring up a new AD/DNS namespace to do this if you keep the same IP address as before. Chriskohn
I would disagree at this point with Lrmoore about the one-to-one NAT. This would not impede a hacker, as all you're doing is translating an internal IP to an external IP, but that doesn't stop them from getting to the box. If it were a dynamic NAT, that would be a different story. I would leave the live address on it and implement some refined access lists to provide protection to that box. Also, it would be a good idea to put any of those boxes that would require live IPs into a DMZ to keep them separate from the rest of the network.

As for numbering, depending on your IP scheme and how many servers you have, keep the numbers low for the servers, like 10.1.1.1 to 10.1.1.254, and create a subnet of 10.1.2.1 to, let's say, 10.1.10.1 for all of the clients. Put all internet-aware servers on a DMZ with a firewall between you and them and just open those holes that you would need to get to them. Why not rule out the PIX altogether and just let it play firewall instead of users connecting via VPN to it? Just put a Windows 2000 server with RRAS in your DMZ (as a matter of fact it could be your web server, maybe), and then use RADIUS authentication on it to an IAS-enabled box on the back side of the firewall. This way you would only need to open a couple of holes on your firewall.
atmear (ASKER):

Let me ask this?

NAT or Access Lists? Which is safer/better?

I would rather do an access list any day than do a one-to-one NAT that you get no benefit from. A hacker can still get to the box to do damage because you're not doing anything to impede his path; all you're doing is changing an internal IP to an external IP. However, with access lists you can limit what ports he can get to the machine on. A one-to-one NAT is good if you didn't want to change the IP address of a current box internal to your network, but you want to make it available to the internet. I would put the machines that need to be available to the internet on a DMZ and use access lists to control access to them, or put them behind your firewall on another segment and use both access lists and the firewall to protect them.
Hello again atmear:
In answer to your latest question, again I will reiterate what I stated before:
If you wish to protect your DNS servers better, placing them inside and doing one-to-one NAT translations for them is probably a more secure way than having them in the DMZ, and you will still likely have access-control lists protecting them on the outside interface of the PIX. So overall they would be safer.
Implementing RADIUS on a network server rather than locally on the PIX can be done. Here is a link which may help: http://www.cisco.com/warp/customer/110/cvpn3k_pix_ias.html
Notice again that I recommended using access-control lists in addition to a one-to-one NAT translation. I would not recommend only the one-to-one NAT. Chriskohn
Have any of these comments been of any help to you? Do you need more information?
Hi Atmear,

I have to disagree with moving your DNS to the internal network. I recommend using a split DNS architecture. Leave a DNS server on the outside and only advertise the hosts that need to be seen from outside sources (i.e. web servers, SMTP servers, etc.). If you're still uncomfortable with your DNS server on the outside, then create an access-list on your external router only allowing port 53 traffic to your DNS server.

Provide a DNS server on the inside for local users. Enable forwarding on the inside DNS server to the outside server to resolve external addresses. Why advertise all your host records to the public if you don't need to? This only helps any potential intruder identify the hosts on your network.

Chris
atmear (ASKER):

Well, the project has actually been complete for close to a month; I'll let everyone know what I did.

Keeping in mind that it is rather difficult to explain the environment and all the variables that go with it, I will try to recap this all.

BEGINNING- I ran an internal network off 192.169.1.X and access lists allowed internet traffic. I already had integrated DNS for internal serving. Note- I also ran a Bay router that handled traffic for my corporate WAN. On a DMZ I had a single Active Directory DC server that was serving as my web server, FTP server, external DNS server and some other company-oriented roles.


MIDDLE- Then came the re-IP. I needed to re-IP my network because I took on a project where I was bringing up a Citrix server farm that would be strictly serving an app to WAN/corporate users. At that point, I had a decision to make: keep my IP addressing the same, or bite the bullet, re-IP to corporate standards and be done with any kind of above-and-beyond difficulties I could face by having those servers protected in an environment where they did not truly need to be protected. I decided the re-IP would fit my needs better due to the fact that I am my company's IT dept. 1 guy + 12 servers + 60 users + 45 desktops + 35 laptops + taking on this Citrix farm = keep it flat and simple. (And ask for a raise.) So... you're probably wondering where in the heck my DNS question came from... Well, seeing that I was about to reconfig all my Cisco routers, switches and PIX... and I was about to drop 5 more servers along with 60K worth of other devices/services/software/etc... I had the mentality, why not scope out an overall change in the name of efficiency and manageability. So that brought me here.

END- So this is what I did. I went ahead and brought the name servers (DNS) up on two Win2K servers on my inside network and joined them to my main domain. I have replication going on between the two of them and everything seems to be working great. Concerning the PIX side of things, I slacked and just did a 1-for-1 NAT, but it does work. I have it in my mind to go back and try to increase security at a later time, but to be honest, I am not really sure how. I mean, I understand the difference between ACLs and NAT, but I am a jack of all trades, and this jack solely depends on Cisco's TAC to assist in any mods I make, because I am not what anyone would call proficient at making major config mods.

LOOKING BACK- In hindsight, I really do not like having those name servers on the inside; it really becomes confusing... primarily due to the fact that my FQDN is both my company's actual web address and also my Active Directory FQDN. What I think would be an upgrade or advancement to what I have done would be to create a secondary VLAN and shove those servers off to the side and out of the AD domain.

ADDED NOTE- In a strange twist of events, the Citrix farm that was developed and brought online ended up coming up in its own AD namespace/domain and not being directly connected to my domain. (Long story.) Soooooo... here is my newest dilemma: I want to protect my domain from corporate (did I say that out loud?). I have a PIX 506 (small PIX) that I am thinking about throwing in between my corp. Bay router and my network and then NAT'ing that through, and here is my question; my network is currently IP'ed similar to this: 149.136.196.XXX, so in the following scenario: Bay Router-IP_149.136.196.1 connects to new PIX-IP_149.136.196.9, can I easily NAT or ACL traffic through my network out to corporate and stop anything from them coming in unless I have routed it via the router?

Second Question- If anyone actually reads this (I hope it is useful) and they have a suggestion as to what I should do or do differently, let me know.

Many thanks to everyone for their help. It will be difficult to choose an actual winner because you have all helped in some fashion or another. I will wait for any forthcoming answers, and then award the points.
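Added example, not from any poster in this thread: the PIX 6.x configuration pattern the thread converges on (Chriskohn's "static NAT plus access-control lists" for the inside name servers, and the same mechanism for the later PIX 506 question about letting traffic out to corporate while admitting nothing inbound that is not explicitly permitted). All addresses are placeholders (203.0.113.0/24 standing in for the public side, 10.1.0.0/16 for the inside); the interface and access-list names are assumptions.

```text
! --- Weak form: one-to-one static NAT with a wide-open inbound rule.
! The translation only rewrites the address; every port on 10.1.1.53 stays reachable.
static (inside,outside) 203.0.113.53 10.1.1.53 netmask 255.255.255.255
access-list outside_in permit ip any host 203.0.113.53
access-group outside_in in interface outside

! --- Hardened form: the same static NAT, but the inbound access-list admits only DNS.
! PIX 6.x access-lists applied to the outside interface name the translated (public) address.
static (inside,outside) 203.0.113.53 10.1.1.53 netmask 255.255.255.255
access-list outside_in permit udp any host 203.0.113.53 eq domain
access-list outside_in permit tcp any host 203.0.113.53 eq domain
access-group outside_in in interface outside

! --- Clients and everything else: dynamic PAT outbound only.
! With no static entry and no access-list permit, inbound connections to these hosts are dropped
! by the PIX's default deny for traffic from a lower-security interface.
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface
```

The same three-part shape (static for the hosts that must be reachable, an access-list naming only their required ports, dynamic PAT for everyone else) is what answers the PIX 506 question: outbound sessions to corporate are translated and allowed, and nothing from the corporate side reaches the inside unless a static and a matching access-list entry say so.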