Solved

General Network Topology/Solution question

Posted on 2004-04-28
5
402 Views
Last Modified: 2010-04-11
I have been given the task to administer the network for a small company operating their own website and online store. Right now their network consists of about 15 computers and 2 servers connected to a Cisco PIX 501, which is connected to a Cisco 1700 to a T1. One server is a WWW/Online Transaction server, the other is an Active Directory/SQL Backend for the www site. Both servers have public IP addresses.

I need someone to tell me if my current plan (below) sounds like a feasable, SECURE setup for this network.

(my plans below)
The T1 goes to the 1700 router, then to the PIX firewall.

Off of the firewall I have the WWW server in a DMZ  w/ a public IP adress.

The rest of the network is firewalled completley with 3 subnets, one for the ActiveD/SQL server, one for the client PCs, and one for VPN clients.

The VPN will authenticate using radius on the ActiveD server.

Is this the best, most secure way to set this thing up right?

Thanks,
Matt Ford
0
Comment
Question by:ximbuex
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10942027
>Off of the firewall I have the WWW server in a DMZ  w/ a public IP adress.
Good concept, but the PIX 501 has no facility to create a DMZ interface. Smallest one that can is 515e

>The rest of the network is firewalled completley with 3 subnets
What is doing your L3 routing between subnets?



0
 
LVL 6

Expert Comment

by:bkoehler-mpr
ID: 10942047
The main vector of attack I see in this scenario is compromising the DMZ Web server, then seeing if the firewall passes traffic it shouldn’t (i.e. anything that an acceptable query to the AD/SQL server) to the backend.

I would be sure to put an IDS on at least the front-end web server.

I personally would feel more comfortable if the backend wasn't the AD controller, and was just an SQL server.

By VPN I take it you're using the Cisco VPN client to attach to the PIX, then using RADIUS to authenticate with AD for access.
0
 

Accepted Solution

by:
LORD_MINION earned 50 total points
ID: 10942382
2 things. Like lrmoore said, 501 can't L3 route for you.....and your web server is going to get nuked especially if it's Windoze sitting on a DMZ like that.

I would go T-1 into the 1700, then to the 501, then create 2 subnets and a second IP on the 501's internal interface. One subnet for your VPN and Web side and the other for client and server. Then punch only the holes needed through the router and firewall........assign your multiple public IP's to your router and NAT them through to the firewall. Let the firewall be the packet gatekeeper, this way if someone DDOS's ya the router will just route back the packets (what it's designed to do) and the firewall will drop them (like it's designed to do). If you let the router do the drop work then it will almost surely nuke your poor little 1700. The 501 can take a bit more of this since it's designed to do this. The rest you got right with the Radius and VPN.......it's a fairly easy config.

Simply put don't trust software to secure your webserver and let hardware do the job it's cut out for.
0
 

Author Comment

by:ximbuex
ID: 10944710
Thanks for the replies, let me see if I have this right...

The only aspect of the network that has public ip addresses is the firewall, then for example, direct one ip's traffic to the webserver, but only allow web specific traffic to pass through to that server, use another public ip for vpn traffic only.

From what I have read its better to let the firewall handle the vpn stuff and only use windows to authenticate, that way the server isn't dealing with any load from that.

Is there any good websites you guys would recommend to read further to help me me understand this stuff better to make decisions? I took a year of CCNA classes in high school, but that was 5 years ago...now that I am starting to actually apply this stuff in a real job I need to get my skills back up to par quickly.

Thanks again,
Matt
0
 

Author Comment

by:ximbuex
ID: 10944725
I forgot to mention, the PIX firewall is currently handling the dhcp & NAT for the network, is that something that would be better if the 1700 did that?

0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now