Solved

General Network Topology/Solution question

Posted on 2004-04-28
5
401 Views
Last Modified: 2010-04-11
I have been given the task to administer the network for a small company operating their own website and online store. Right now their network consists of about 15 computers and 2 servers connected to a Cisco PIX 501, which is connected to a Cisco 1700 to a T1. One server is a WWW/Online Transaction server, the other is an Active Directory/SQL Backend for the www site. Both servers have public IP addresses.

I need someone to tell me if my current plan (below) sounds like a feasable, SECURE setup for this network.

(my plans below)
The T1 goes to the 1700 router, then to the PIX firewall.

Off of the firewall I have the WWW server in a DMZ  w/ a public IP adress.

The rest of the network is firewalled completley with 3 subnets, one for the ActiveD/SQL server, one for the client PCs, and one for VPN clients.

The VPN will authenticate using radius on the ActiveD server.

Is this the best, most secure way to set this thing up right?

Thanks,
Matt Ford
0
Comment
Question by:ximbuex
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10942027
>Off of the firewall I have the WWW server in a DMZ  w/ a public IP adress.
Good concept, but the PIX 501 has no facility to create a DMZ interface. Smallest one that can is 515e

>The rest of the network is firewalled completley with 3 subnets
What is doing your L3 routing between subnets?



0
 
LVL 6

Expert Comment

by:bkoehler-mpr
ID: 10942047
The main vector of attack I see in this scenario is compromising the DMZ Web server, then seeing if the firewall passes traffic it shouldn’t (i.e. anything that an acceptable query to the AD/SQL server) to the backend.

I would be sure to put an IDS on at least the front-end web server.

I personally would feel more comfortable if the backend wasn't the AD controller, and was just an SQL server.

By VPN I take it you're using the Cisco VPN client to attach to the PIX, then using RADIUS to authenticate with AD for access.
0
 

Accepted Solution

by:
LORD_MINION earned 50 total points
ID: 10942382
2 things. Like lrmoore said, 501 can't L3 route for you.....and your web server is going to get nuked especially if it's Windoze sitting on a DMZ like that.

I would go T-1 into the 1700, then to the 501, then create 2 subnets and a second IP on the 501's internal interface. One subnet for your VPN and Web side and the other for client and server. Then punch only the holes needed through the router and firewall........assign your multiple public IP's to your router and NAT them through to the firewall. Let the firewall be the packet gatekeeper, this way if someone DDOS's ya the router will just route back the packets (what it's designed to do) and the firewall will drop them (like it's designed to do). If you let the router do the drop work then it will almost surely nuke your poor little 1700. The 501 can take a bit more of this since it's designed to do this. The rest you got right with the Radius and VPN.......it's a fairly easy config.

Simply put don't trust software to secure your webserver and let hardware do the job it's cut out for.
0
 

Author Comment

by:ximbuex
ID: 10944710
Thanks for the replies, let me see if I have this right...

The only aspect of the network that has public ip addresses is the firewall, then for example, direct one ip's traffic to the webserver, but only allow web specific traffic to pass through to that server, use another public ip for vpn traffic only.

From what I have read its better to let the firewall handle the vpn stuff and only use windows to authenticate, that way the server isn't dealing with any load from that.

Is there any good websites you guys would recommend to read further to help me me understand this stuff better to make decisions? I took a year of CCNA classes in high school, but that was 5 years ago...now that I am starting to actually apply this stuff in a real job I need to get my skills back up to par quickly.

Thanks again,
Matt
0
 

Author Comment

by:ximbuex
ID: 10944725
I forgot to mention, the PIX firewall is currently handling the dhcp & NAT for the network, is that something that would be better if the 1700 did that?

0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now