Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

General Network Topology/Solution question

Posted on 2004-04-28
5
Medium Priority
?
411 Views
Last Modified: 2010-04-11
I have been given the task to administer the network for a small company operating their own website and online store. Right now their network consists of about 15 computers and 2 servers connected to a Cisco PIX 501, which is connected to a Cisco 1700 to a T1. One server is a WWW/Online Transaction server, the other is an Active Directory/SQL Backend for the www site. Both servers have public IP addresses.

I need someone to tell me if my current plan (below) sounds like a feasable, SECURE setup for this network.

(my plans below)
The T1 goes to the 1700 router, then to the PIX firewall.

Off of the firewall I have the WWW server in a DMZ  w/ a public IP adress.

The rest of the network is firewalled completley with 3 subnets, one for the ActiveD/SQL server, one for the client PCs, and one for VPN clients.

The VPN will authenticate using radius on the ActiveD server.

Is this the best, most secure way to set this thing up right?

Thanks,
Matt Ford
0
Comment
Question by:ximbuex
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10942027
>Off of the firewall I have the WWW server in a DMZ  w/ a public IP adress.
Good concept, but the PIX 501 has no facility to create a DMZ interface. Smallest one that can is 515e

>The rest of the network is firewalled completley with 3 subnets
What is doing your L3 routing between subnets?



0
 
LVL 6

Expert Comment

by:bkoehler-mpr
ID: 10942047
The main vector of attack I see in this scenario is compromising the DMZ Web server, then seeing if the firewall passes traffic it shouldn’t (i.e. anything that an acceptable query to the AD/SQL server) to the backend.

I would be sure to put an IDS on at least the front-end web server.

I personally would feel more comfortable if the backend wasn't the AD controller, and was just an SQL server.

By VPN I take it you're using the Cisco VPN client to attach to the PIX, then using RADIUS to authenticate with AD for access.
0
 

Accepted Solution

by:
LORD_MINION earned 150 total points
ID: 10942382
2 things. Like lrmoore said, 501 can't L3 route for you.....and your web server is going to get nuked especially if it's Windoze sitting on a DMZ like that.

I would go T-1 into the 1700, then to the 501, then create 2 subnets and a second IP on the 501's internal interface. One subnet for your VPN and Web side and the other for client and server. Then punch only the holes needed through the router and firewall........assign your multiple public IP's to your router and NAT them through to the firewall. Let the firewall be the packet gatekeeper, this way if someone DDOS's ya the router will just route back the packets (what it's designed to do) and the firewall will drop them (like it's designed to do). If you let the router do the drop work then it will almost surely nuke your poor little 1700. The 501 can take a bit more of this since it's designed to do this. The rest you got right with the Radius and VPN.......it's a fairly easy config.

Simply put don't trust software to secure your webserver and let hardware do the job it's cut out for.
0
 

Author Comment

by:ximbuex
ID: 10944710
Thanks for the replies, let me see if I have this right...

The only aspect of the network that has public ip addresses is the firewall, then for example, direct one ip's traffic to the webserver, but only allow web specific traffic to pass through to that server, use another public ip for vpn traffic only.

From what I have read its better to let the firewall handle the vpn stuff and only use windows to authenticate, that way the server isn't dealing with any load from that.

Is there any good websites you guys would recommend to read further to help me me understand this stuff better to make decisions? I took a year of CCNA classes in high school, but that was 5 years ago...now that I am starting to actually apply this stuff in a real job I need to get my skills back up to par quickly.

Thanks again,
Matt
0
 

Author Comment

by:ximbuex
ID: 10944725
I forgot to mention, the PIX firewall is currently handling the dhcp & NAT for the network, is that something that would be better if the 1700 did that?

0

Featured Post

New benefit for Premium Members - Upgrade now!

Ready to get started with anonymous questions today? It's easy! Learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
This program is used to assist in finding and resolving common problems with wireless connections.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question