Solved

General Network Topology/Solution question

Posted on 2004-04-28
5
406 Views
Last Modified: 2010-04-11
I have been given the task to administer the network for a small company operating their own website and online store. Right now their network consists of about 15 computers and 2 servers connected to a Cisco PIX 501, which is connected to a Cisco 1700 to a T1. One server is a WWW/Online Transaction server, the other is an Active Directory/SQL Backend for the www site. Both servers have public IP addresses.

I need someone to tell me if my current plan (below) sounds like a feasable, SECURE setup for this network.

(my plans below)
The T1 goes to the 1700 router, then to the PIX firewall.

Off of the firewall I have the WWW server in a DMZ  w/ a public IP adress.

The rest of the network is firewalled completley with 3 subnets, one for the ActiveD/SQL server, one for the client PCs, and one for VPN clients.

The VPN will authenticate using radius on the ActiveD server.

Is this the best, most secure way to set this thing up right?

Thanks,
Matt Ford
0
Comment
Question by:ximbuex
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 10942027
>Off of the firewall I have the WWW server in a DMZ  w/ a public IP adress.
Good concept, but the PIX 501 has no facility to create a DMZ interface. Smallest one that can is 515e

>The rest of the network is firewalled completley with 3 subnets
What is doing your L3 routing between subnets?



0
 
LVL 6

Expert Comment

by:bkoehler-mpr
ID: 10942047
The main vector of attack I see in this scenario is compromising the DMZ Web server, then seeing if the firewall passes traffic it shouldn’t (i.e. anything that an acceptable query to the AD/SQL server) to the backend.

I would be sure to put an IDS on at least the front-end web server.

I personally would feel more comfortable if the backend wasn't the AD controller, and was just an SQL server.

By VPN I take it you're using the Cisco VPN client to attach to the PIX, then using RADIUS to authenticate with AD for access.
0
 

Accepted Solution

by:
LORD_MINION earned 50 total points
ID: 10942382
2 things. Like lrmoore said, 501 can't L3 route for you.....and your web server is going to get nuked especially if it's Windoze sitting on a DMZ like that.

I would go T-1 into the 1700, then to the 501, then create 2 subnets and a second IP on the 501's internal interface. One subnet for your VPN and Web side and the other for client and server. Then punch only the holes needed through the router and firewall........assign your multiple public IP's to your router and NAT them through to the firewall. Let the firewall be the packet gatekeeper, this way if someone DDOS's ya the router will just route back the packets (what it's designed to do) and the firewall will drop them (like it's designed to do). If you let the router do the drop work then it will almost surely nuke your poor little 1700. The 501 can take a bit more of this since it's designed to do this. The rest you got right with the Radius and VPN.......it's a fairly easy config.

Simply put don't trust software to secure your webserver and let hardware do the job it's cut out for.
0
 

Author Comment

by:ximbuex
ID: 10944710
Thanks for the replies, let me see if I have this right...

The only aspect of the network that has public ip addresses is the firewall, then for example, direct one ip's traffic to the webserver, but only allow web specific traffic to pass through to that server, use another public ip for vpn traffic only.

From what I have read its better to let the firewall handle the vpn stuff and only use windows to authenticate, that way the server isn't dealing with any load from that.

Is there any good websites you guys would recommend to read further to help me me understand this stuff better to make decisions? I took a year of CCNA classes in high school, but that was 5 years ago...now that I am starting to actually apply this stuff in a real job I need to get my skills back up to par quickly.

Thanks again,
Matt
0
 

Author Comment

by:ximbuex
ID: 10944725
I forgot to mention, the PIX firewall is currently handling the dhcp & NAT for the network, is that something that would be better if the 1700 did that?

0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question