
DMZ - LAN - VLAN - Servers need to communicate!

Posted on 2004-10-07
Last Modified: 2008-01-16
Hi, I have to find a fast fix for the below so appreciate anyone's help or advice -

Current scenario -
1 x SonicWALL TZ170 Enhanced OS
1 x LAN (192.*.*.*)
1 x DMZ (10.*.*.*)
1 x 10MB lan extension (connects 2 offices with private circuit)

I have 2 web servers in the DMZ and 1 web server outside the DMZ. All 3 servers are on a 10.10.10.* address and 255.255.255.0 subnet. Obviously the DMZ servers have a different gateway than the one on the LAN -
The 2 servers inside the DMZ can ping each other & are pingable from LAN XP clients. The server on the LAN with a 10.10.10.* address is unpingable from anywhere, which is causing me great problems.
Physical locations restrict me from adding the 3rd server to the DMZ, so I temporarily added it to the LAN domain as above to test, with no joy. I could simply give the 3rd server a LAN address (192.168.45.*) and create a rule to allow the servers in the DMZ to talk to the server on the LAN, but I feel security may be compromised if I do this...

FYI - The firewall/DMZ/DMZ servers are on one end of a LAN extension circuit, whilst the single server is on the other, hence the reason I cannot add it to the DMZ..

Thanx
G

UPDATE -
Could I create a VLAN on the LAN switch as follows?

                       Port 20                                             Port 20
Server1>>>>Lan Switch<----------VLAN------------->Lan Switch<--------->DMZ<--------->Server2
1 - at the server1 end I patch the server to port 20 (enable VLAN)
2 - at the server 3 end I patch port 20 (enable VLAN) into the DMZ switch

Am I going mental or would this work?

Cheers
G
Question by:gary_b

Expert Comment

by:netspec01
I am unsure what you mean by a "Lan Extension Circuit". What devices are at each end of this circuit? What is the speed of this circuit? Also, please describe your switches (make/model).

Author Comment

by:gary_b
Hi,
A "Lan Extension Circuit" is simply a 10MB private circuit which connects our 2 offices. This is completely private and not on the internet. At each end of the circuit are 2 Nortel Baystack 470 switches which have VLAN capability.
Cheers
Gary

Expert Comment

by:netspec01
I am not quite clear on your network layout, so you may want to re-do your net diagram above showing the firewall and the server in question.

> The 2 servers inside the DMZ can ping each other & are pingable from LAN XP clients. The server on the LAN with 10.10.10.* address is unpingable from anywhere which is causing me great problems.

...this is a new server that is addressed with a 10.10.10.0/24 address? Is it connected to your DMZ switch?

If you have only layer 2 switches on your network it seems that you only have two networks: your internal LAN on 192.X and another on the DMZ as 10.10.10.0/24. Remember, for traffic to get from one network to another requires that the traffic be routed. The SonicWALL provides a routing function. If you have layer 3 switches or another routing device you will be able to create more networks.
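The routing point above is also why the third server is "unpingable from anywhere": a host whose configured subnet and default gateway do not belong to the wire it is patched into can neither ARP for its neighbours nor reach its gateway, and the firewall, doing the route lookup, goes looking for its 10.10.10.x address on the DMZ interface where it is not. The following is an added example written for this page, not code from the thread or a SonicWALL tool. It models the addressing described in the question and traces a packet hop by hop; the SonicWALL interface addresses (192.168.45.1 and 10.10.10.1), the host addresses, and the treatment of the LAN extension as a single broadcast domain are assumptions.

```python
"""Why a host on the wrong wire is unpingable from anywhere (added example)."""
from dataclasses import dataclass
import ipaddress

# Assumed SonicWALL interface addresses, one per segment (zone).
ROUTER = {"lan": "192.168.45.1/24", "dmz": "10.10.10.1/24"}


@dataclass(frozen=True)
class Host:
    name: str
    ip: str          # address configured on the NIC
    prefix: int      # mask length configured on the NIC
    gateway: str     # default gateway configured on the host
    segment: str     # broadcast domain the NIC is physically patched into


def addresses_on(segment, hosts):
    """Every address that would answer an ARP request on this segment."""
    present = {h.ip for h in hosts if h.segment == segment}
    if segment in ROUTER:
        present.add(str(ipaddress.ip_interface(ROUTER[segment]).ip))
    return present


def next_hop(host, dst_ip):
    """On-link destinations are ARPed directly; everything else goes to the gateway."""
    net = ipaddress.ip_interface(f"{host.ip}/{host.prefix}").network
    return dst_ip if ipaddress.ip_address(dst_ip) in net else host.gateway


def segment_for(dst_ip):
    """The router's route lookup: which interface subnet contains dst_ip."""
    for seg, rif in ROUTER.items():
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_interface(rif).network:
            return seg
    return None


def deliver(src, dst, hosts):
    """Trace one packet from src to dst. Returns (delivered, explanation)."""
    hop = next_hop(src, dst.ip)
    if hop not in addresses_on(src.segment, hosts):
        return False, f"{src.name}: ARP for {hop} gets no answer on '{src.segment}'"
    if hop == dst.ip:
        return True, f"{src.name} -> {dst.name}: on-link via '{src.segment}'"
    out = segment_for(dst.ip)
    if out is None:
        return False, f"router: no route to {dst.ip}"
    if dst.ip not in addresses_on(out, hosts):
        return False, (f"router: ARP for {dst.ip} gets no answer on '{out}' "
                       f"({dst.name} is actually patched into '{dst.segment}')")
    return True, f"{src.name} -> firewall -> {dst.name} via '{out}' (subject to firewall policy)"


def pingable(src, dst, hosts):
    """A ping needs both the request and the reply to be deliverable."""
    return deliver(src, dst, hosts)[0] and deliver(dst, src, hosts)[0]


# Constructed hosts mirroring the thread's description (addresses assumed).
SERVER1 = Host("server1", "10.10.10.10", 24, "10.10.10.1", "dmz")
SERVER3 = Host("server3", "10.10.10.11", 24, "10.10.10.1", "dmz")
XP_CLIENT = Host("xp-client", "192.168.45.50", 24, "192.168.45.1", "lan")
# The remote-office server as described: on the LAN wire, with a DMZ address.
SERVER2_BAD = Host("server2", "10.10.10.20", 24, "10.10.10.1", "lan")
# The same server re-addressed for the segment it is actually patched into.
SERVER2_FIXED = Host("server2", "192.168.45.20", 24, "192.168.45.1", "lan")

HOSTS_BAD = [SERVER1, SERVER3, XP_CLIENT, SERVER2_BAD]
HOSTS_FIXED = [SERVER1, SERVER3, XP_CLIENT, SERVER2_FIXED]

if __name__ == "__main__":
    for hosts, s2 in ((HOSTS_BAD, SERVER2_BAD), (HOSTS_FIXED, SERVER2_FIXED)):
        print(f"--- server2 as {s2.ip}/{s2.prefix} on '{s2.segment}' ---")
        for src in (XP_CLIENT, SERVER1):
            ok, why = deliver(src, s2, hosts)
            print(f"{'ok ' if ok else 'NO '} {why}")
        print("pingable from LAN:", pingable(XP_CLIENT, s2, hosts))
        print("pingable from DMZ:", pingable(SERVER1, s2, hosts))
```

With the DMZ address the trace fails in three different places (the LAN client's request dies on the DMZ interface, the DMZ server's ARP goes unanswered, and the server itself cannot find its gateway), which matches "unpingable from anywhere". With a LAN address every path resolves, and what remains is the firewall policy question the rest of the thread is about.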

Author Comment

by:gary_b
Hi again & thanx for your help -
LAN SWITCH >> LAN PCs (192.168.*.*) << FIREWALL >> DMZ SWITCH >> SERVER 1 (10.10.*.*)

I allow all traffic from LAN to DMZ but none from DMZ to LAN...
Now at another office (connected as above - 10MB circuit) I have SERVER2 which hangs off another LAN switch and is also on a 10.10.*.*. Because I cannot physically patch this into the DMZ switch it is sitting on the LAN but cannot speak to any of the other LAN clients or indeed SERVER1 in the DMZ. That's where my problem lies. I need SERVER1 to transactionally send its data out of the DMZ & into SERVER2 on the LAN. I want to try and create a VLAN through the switches, perhaps enabling me to directly patch into the DMZ, or am open to any other suggestions which will allow me to retain LAN security whilst also allowing the servers to communicate...

Sorry if I am being thick, but I can't see the wood for the trees at present... I've been looking at this scenario too long!!

Cheers
Gary




Expert Comment

by:netspec01
The extended LAN segment is connected directly to the DMZ switch, correct? All hosts on your DMZ segment are addressed 10.10.10.0/24, correct?

Remember VLANs are the same as networks.  To communicate between VLANs you have to have a router or device acting as a router.

Author Comment

by:gary_b
Hi,
The extended LAN segment is in no way connected to the DMZ switch. It is connected to the local LAN switch via a 10MB circuit. All hosts inside DMZ are 10.10.10.0/24...

Quite simply, if I cannot connect a server within the "extended LAN segment" to the DMZ ("local LAN segment") I will be forced to leave the server on the LAN, in turn compromising LAN security because I will have to allow traffic from DMZ>>LAN..

Is there any other way to achieve this in your opinion?

G

Accepted Solution

by:netspec01 (earned 500 total points)
Yes, there is a compromise in security in doing this. I think the best you can do is to have a very tight security policy on your firewall, lock down the host, keep it patched and monitor.
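What "a very tight security policy on your firewall" means in practice is that the DMZ-to-LAN opening is a single hole, not a zone-to-zone allow: one source host, one destination host, one protocol and port, with replies admitted by connection state rather than by a second rule. The block below is an added example written for this page; it is not the thread's configuration and not SonicWALL syntax, but a small stateful first-match zone policy modelled in Python so the verdicts can be checked against sample traffic. The zone subnets, the application port 8443, the host addresses and the sample packets are all assumptions; the LAN-to-DMZ allow-all is kept as the poster described it.

```python
"""Narrowest DMZ->LAN rule for the accepted solution (added example)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Assumed zone subnets behind the SonicWALL LAN and DMZ interfaces.
ZONES = {"lan": ipaddress.ip_network("192.168.45.0/24"),
         "dmz": ipaddress.ip_network("10.10.10.0/24")}

DMZ_WEB = "10.10.10.10"     # server1, in the DMZ (assumed address)
LAN_SRV = "192.168.45.20"   # server2, left on the remote-office LAN (assumed)
APP_PORT = 8443             # assumed port the transactional feed uses


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src: str                 # CIDR
    dst: str                 # CIDR
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None = any port
    action: str              # "allow" or "deny"

    def matches(self, pkt, zs, zd):
        return (self.src_zone == zs and self.dst_zone == zd
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = True         # True = first packet of a new TCP connection


# First match wins; anything unmatched falls through to the explicit denies.
POLICY = [
    # The one DMZ->LAN hole: server1 -> server2 on the application port only.
    Rule("dmz", "lan", f"{DMZ_WEB}/32", f"{LAN_SRV}/32", "tcp", APP_PORT, "allow"),
    # The poster's existing LAN->DMZ allow-all, kept as stated in the thread.
    Rule("lan", "dmz", "192.168.45.0/24", "10.10.10.0/24", "any", None, "allow"),
    # Default deny for everything else crossing the firewall.
    Rule("dmz", "lan", "0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
    Rule("lan", "dmz", "0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)


class Firewall:
    """Stateful first-match policy: replies to allowed connections need no rule."""

    def __init__(self, policy):
        self.policy = policy
        self.state = set()   # (src, sport, dst, dport, proto) of allowed connections

    def evaluate(self, pkt):
        zs, zd = zone_of(pkt.src), zone_of(pkt.dst)
        if zs is None or zd is None:
            return "deny"    # unknown zone: never forward
        if zs == zd:
            return "allow"   # same zone, never traverses the firewall
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.state:
            return "allow"   # reply direction of an established connection
        if not pkt.syn:
            return "deny"    # mid-stream packet with no state: drop it
        for rule in self.policy:
            if rule.matches(pkt, zs, zd):
                if rule.action == "allow":
                    self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return rule.action
        return "deny"


def run_samples():
    """Constructed traffic run through one firewall instance; returns {description: verdict}."""
    fw = Firewall(POLICY)
    samples = [
        ("server1 -> server2 app port",        Packet(DMZ_WEB, LAN_SRV, "tcp", 51000, APP_PORT)),
        ("server2 -> server1 reply",           Packet(LAN_SRV, DMZ_WEB, "tcp", APP_PORT, 51000, syn=False)),
        ("server1 -> server2 ssh",             Packet(DMZ_WEB, LAN_SRV, "tcp", 51001, 22)),
        ("other DMZ host -> server2 app port", Packet("10.10.10.11", LAN_SRV, "tcp", 51002, APP_PORT)),
        ("server1 -> LAN client SMB",          Packet(DMZ_WEB, "192.168.45.50", "tcp", 51003, 445)),
        ("LAN client -> server1 http",         Packet("192.168.45.50", DMZ_WEB, "tcp", 51004, 80)),
        ("server1 -> LAN client, spoofed ACK", Packet(DMZ_WEB, "192.168.45.50", "tcp", APP_PORT, 51005, syn=False)),
    ]
    return {desc: fw.evaluate(p) for desc, p in samples}


if __name__ == "__main__":
    for desc, verdict in run_samples().items():
        print(f"{verdict:5s} {desc}")
```

The point of the sample set is the denies: a second DMZ host using the same port, the allowed host on a different port, and a packet that looks like a reply but has no matching connection all fall through to the default deny, so a compromised DMZ web server gets exactly one path into the LAN and nothing else. The host-side half of the advice (lock down server2 so it listens only on that port, patch it, log connections from the DMZ address) is what turns that one path from a risk into a monitored one.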