ximbuex
asked on
General Network Topology/Solution question
I have been given the task to administer the network for a small company operating their own website and online store. Right now their network consists of about 15 computers and 2 servers connected to a Cisco PIX 501, which is connected to a Cisco 1700 to a T1. One server is a WWW/Online Transaction server, the other is an Active Directory/SQL Backend for the www site. Both servers have public IP addresses.
I need someone to tell me if my current plan (below) sounds like a feasable, SECURE setup for this network.
(my plans below)
The T1 goes to the 1700 router, then to the PIX firewall.
Off of the firewall I have the WWW server in a DMZ w/ a public IP adress.
The rest of the network is firewalled completley with 3 subnets, one for the ActiveD/SQL server, one for the client PCs, and one for VPN clients.
The VPN will authenticate using radius on the ActiveD server.
Is this the best, most secure way to set this thing up right?
Thanks,
Matt Ford
I need someone to tell me if my current plan (below) sounds like a feasable, SECURE setup for this network.
(my plans below)
The T1 goes to the 1700 router, then to the PIX firewall.
Off of the firewall I have the WWW server in a DMZ w/ a public IP adress.
The rest of the network is firewalled completley with 3 subnets, one for the ActiveD/SQL server, one for the client PCs, and one for VPN clients.
The VPN will authenticate using radius on the ActiveD server.
Is this the best, most secure way to set this thing up right?
Thanks,
Matt Ford
The main vector of attack I see in this scenario is compromising the DMZ Web server, then seeing if the firewall passes traffic it shouldn’t (i.e. anything that an acceptable query to the AD/SQL server) to the backend.
I would be sure to put an IDS on at least the front-end web server.
I personally would feel more comfortable if the backend wasn't the AD controller, and was just an SQL server.
By VPN I take it you're using the Cisco VPN client to attach to the PIX, then using RADIUS to authenticate with AD for access.
I would be sure to put an IDS on at least the front-end web server.
I personally would feel more comfortable if the backend wasn't the AD controller, and was just an SQL server.
By VPN I take it you're using the Cisco VPN client to attach to the PIX, then using RADIUS to authenticate with AD for access.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for the replies, let me see if I have this right...
The only aspect of the network that has public ip addresses is the firewall, then for example, direct one ip's traffic to the webserver, but only allow web specific traffic to pass through to that server, use another public ip for vpn traffic only.
From what I have read its better to let the firewall handle the vpn stuff and only use windows to authenticate, that way the server isn't dealing with any load from that.
Is there any good websites you guys would recommend to read further to help me me understand this stuff better to make decisions? I took a year of CCNA classes in high school, but that was 5 years ago...now that I am starting to actually apply this stuff in a real job I need to get my skills back up to par quickly.
Thanks again,
Matt
The only aspect of the network that has public ip addresses is the firewall, then for example, direct one ip's traffic to the webserver, but only allow web specific traffic to pass through to that server, use another public ip for vpn traffic only.
From what I have read its better to let the firewall handle the vpn stuff and only use windows to authenticate, that way the server isn't dealing with any load from that.
Is there any good websites you guys would recommend to read further to help me me understand this stuff better to make decisions? I took a year of CCNA classes in high school, but that was 5 years ago...now that I am starting to actually apply this stuff in a real job I need to get my skills back up to par quickly.
Thanks again,
Matt
ASKER
I forgot to mention, the PIX firewall is currently handling the dhcp & NAT for the network, is that something that would be better if the 1700 did that?
Good concept, but the PIX 501 has no facility to create a DMZ interface. Smallest one that can is 515e
>The rest of the network is firewalled completley with 3 subnets
What is doing your L3 routing between subnets?