Solved

DMZ - LAN - VLAN - Servers need to communicate!

Posted on 2004-10-07
912 Views
Last Modified: 2008-01-16
Hi, I have to find a fast fix for the below, so I appreciate anyone's help or advice -

Current scenario -
1 x SonicWALL TZ170 Enhanced OS
1 x LAN (192.*.*.*)
1 x DMZ (10.*.*.*)
1 x 10MB lan extension (connects 2 offices with private circuit)

I have 2 web servers in the DMZ and 1 web server outside the DMZ. All 3 servers are on a 10.10.10.* address and 255.255.255.0 subnet. Obviously the DMZ servers have a different gateway than the one on the LAN -
The 2 servers inside the DMZ can ping each other & are pingable from LAN XP clients. The server on the LAN with a 10.10.10.* address is unpingable from anywhere, which is causing me great problems.
Physical locations restrict me from adding the 3rd server to the DMZ, so I temporarily added it to the LAN domain as above to test, with no joy. I could simply give the 3rd server a LAN address (192.168.45.*) and create a rule to allow the servers in the DMZ to talk to the server on the LAN, but I feel security may be compromised if I do this...

FYI - The FireWALL/DMZ/DMZ Servers are on one end of a LAN Extension Circuit, whilst the single server is on the other, hence the reason I cannot add it to the DMZ.

Thanx
G

UPDATE -
Could I create a VLAN on the LAN switch as follows?

                       Port 20                                             Port 20
Server1>>>>Lan Switch<----------VLAN------------->Lan Switch<--------->DMZ<--------->Server2
1 - at server1 end I patch the server to port 20 (Enable VLAN)
2 - at server 3 end I patch the port 20 (Enable VLAN) into the DMZ switch

Am I going mental or would this work?

Cheers
G
Question by:gary_b
7 Comments
 
LVL 5

Expert Comment

by:netspec01
ID: 12276831
I am unsure what you mean by a "LAN Extension Circuit". What devices are at each end of this circuit? What is the speed of this circuit? Also, please describe your switches (make/model).
 

Author Comment

by:gary_b
ID: 12277264
Hi,
A "LAN Extension Circuit" is simply a 10MB private circuit which connects our 2 offices. This is completely private and not on the internet. At each end of the circuit are 2 Nortel Baystack 470 switches which have VLAN capability.
Cheers
Gary
 
LVL 5

Expert Comment

by:netspec01
ID: 12278257
I am not quite clear on your network layout, so you may want to re-do your net diagram above showing the firewall and the server in question.

>The 2 servers inside the DMZ can ping each other & are pingable from LAN XP clients. The server on the LAN with a 10.10.10.* address is unpingable from anywhere which is causing me great problems.

...this is a new server that is addressed with a 10.10.10.0/24 address? Is it connected to your DMZ switch?

If you have only layer 2 switches on your network, it seems that you only have two networks: your internal LAN on 192.X and another on the DMZ as 10.10.01.0/24. Remember, for traffic to get from one network to another requires that the traffic be routed. The SonicWALL provides a routing function. If you have layer 3 switches or another routing device you will be able to create more networks.

Author Comment

by:gary_b
ID: 12278834
Hi again & thanx for your help -
LAN SWITCH >>LAN PCS (192.68.*.*) <<FIREWALL>>DMZ SWITCH >>SERVER 1(10.10.*.*)

I allow all traffic from LAN to DMZ but none from DMZ to LAN...
Now at another office (connected as above - 10MB circuit) I have SERVER2, which hangs off another LAN switch and is also on a 10.10.*.* address. Because I cannot physically patch this into the DMZ switch it is sitting on the LAN, but cannot speak to any of the other LAN clients or indeed SERVER1 in the DMZ. That's where my problem lies. I need SERVER1 to transactionally send its data out of the DMZ & into SERVER2 on the LAN. I want to try and create a VLAN through the switches, perhaps enabling me to directly patch into the DMZ, or am open to any other suggestions which will allow me to retain LAN security whilst also allowing the servers to communicate...

Sorry if I am being thick, but I can't see the wood for the trees at present... I've been looking at this scenario too long!!

Cheers
Gary
 
LVL 5

Expert Comment

by:netspec01
ID: 12279038
The extended LAN segment is connected directly to the DMZ switch, correct? All hosts on your DMZ segment are addressed 10.10.10.0/24, correct?

Remember VLANs are the same as networks.  To communicate between VLANs you have to have a router or device acting as a router.
 

Author Comment

by:gary_b
ID: 12279126
Hi,
The extended LAN segment is in no way connected to the DMZ switch. It is connected to the local LAN switch via a 10MB circuit. All hosts inside DMZ are 10.10.10.0/24...

Quite simply, if I cannot connect a server within the "extended LAN segment" to the DMZ ("local LAN segment"), I will be forced to leave the server on the LAN, in turn compromising LAN security because I will have to allow traffic from DMZ>>LAN.

Is there any other way to achieve this in your opinion?

G
 
LVL 5

Accepted Solution

by:netspec01 (earned 500 total points)
ID: 12279226
Yes, there is a compromise in security in doing this. I think the best you can do is to have a very tight security policy on your firewall, lock down the host, keep it patched and monitor.
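As an added illustration (not code from the thread, the asker, or SonicWALL), the "very tight security policy" in the accepted answer can be modelled as a first-match, zone-based rule base: the only DMZ-to-LAN exception is one source host, one destination host and one port, followed by an explicit deny, and it is compared against the blanket DMZ-to-LAN allow the asker was worried about. The host addresses (10.10.10.11, 192.168.45.50) and port 1433 are assumed placeholders; the zone ranges come from the thread.

```python
"""Zone-based firewall policy model for the DMZ/LAN question above.

Constructed example: a tight rule base narrows the DMZ->LAN exception to one
source host, one destination host and one port, with an explicit deny last.
Host addresses and the port are assumed placeholders in the thread's ranges.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# (name, src_zone, dst_zone, src_net, dst_net, dst_port or None=any, action)
Rule = Tuple[str, str, str, str, str, Optional[int], str]

ZONES = {
    "LAN": ip_network("192.168.45.0/24"),   # LAN range mentioned by the asker
    "DMZ": ip_network("10.10.10.0/24"),     # DMZ range from the thread
}

# First-match rule base: the only DMZ->LAN allow is the single needed flow.
TIGHT_POLICY: List[Rule] = [
    ("lan-to-dmz", "LAN", "DMZ", "192.168.45.0/24", "10.10.10.0/24", None, "allow"),
    ("server1-to-server2", "DMZ", "LAN", "10.10.10.11/32", "192.168.45.50/32", 1433, "allow"),
    ("dmz-to-lan-deny", "DMZ", "LAN", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

# The blanket alternative the asker was worried about (any DMZ host to any LAN host).
LOOSE_POLICY: List[Rule] = [
    ("lan-to-dmz", "LAN", "DMZ", "192.168.45.0/24", "10.10.10.0/24", None, "allow"),
    ("dmz-to-lan-any", "DMZ", "LAN", "10.10.10.0/24", "192.168.45.0/24", None, "allow"),
]


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone, or None if it is in neither zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, else implicit deny."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for name, sz, dz, snet, dnet, port, action in policy:
        if sz != src_zone or dz != dst_zone:
            continue
        if ip_address(src) not in ip_network(snet) or ip_address(dst) not in ip_network(dnet):
            continue
        if port is not None and port != dport:
            continue
        return action, name
    return "deny", "implicit-deny"
```

Under the tight policy only SERVER1 reaching SERVER2 on the one port is allowed; a compromised second DMZ host, or the same host on another port, falls through to the deny.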