itcasgrain

asked on

DMZ? with LAN? CiscoPIX515E

Hi Guys,

Ok, here is the deal... I am working with a new company and when I got here, "disaster!" First of all, when you click on Network Neighborhood and you get to your domain, it gives a message "The network path is invalid!!!!!!" so right away something is wrong.

The setup here is a Cisco PIX515E with a DMZ; let me lay it out.

-Active Directory is running in mixed-mode.
-There are 2 domain controllers
-1 domain controller named "accpac" Windows 2000 Server is in the "inside" network 192.9.200.3
-The other domain controller named "XMAIL" Windows Server 2003 is in the DMZ running Exchange 192.168.123.200
-A Web server is running in the DMZ Windows98 192.168.123.20
-All workstations are in the "inside" lan not yet joined to the domain

I joined my workstation to the domain and that worked; however, I am still unable to browse the network. DNS does not replicate ("not even sure if it's configured right").

The network here is a complete mess and I don't want to start playing with it as the company cannot afford downtime, so I am just gluing it with spit for now. Please don't laugh at me as I am not the one who did this... I just need to figure a way out. PLS HELP!!!!


Sembee

What are a domain controller and Exchange doing in the DMZ?
I would schedule a short period of downtime to move it inside, give it a new IP address and then reconfigure the PIX. Some of the domain problems probably come from the fact that the domain controller and the clients are separated by the firewall.

A web server in the DMZ running Windows 98?
If that machine hasn't been hacked already it will not be long. I wouldn't bring that inside the firewall. I would be looking to lift the data off and then put that machine in the nearest skip.

Simon.
ASKER CERTIFIED SOLUTION
robjeeves

robjeeves

Not again, Simon :) I need to buy a new keyboard, mine is just too slow.

I got me a nice new Microsoft Natural Keyboard 4000, back up to my old 50 wpm speed. ;-)

Simon.
itcasgrain (ASKER)

Thank you very much!!! You confirmed to me what I have been telling my superiors has to be done... and now, by reading this, it will be a done deal! Last week my superiors had scheduled a security expert to come in, take a look at our topology and suggest a solution, which also included removing the PIX and adding a new device.

We are planning the hardware changes first, then the software deployment. Also, the network includes a Sun server running Solaris and proprietary software... The file server "for now" is on the Sun machine running NFS, and we use Hummingbird connectivity software to access the NFS share.

I will post the suggestions from the consultant here and see if you geniuses agree...

Thanks again for all your help... You guys are the best!

Anthony

The "security consultant" will probably suggest the DMZ is left alone; they always do. Yet when challenged on why it is better for security, they go oddly quiet. The biggest killer is to tell them that putting a domain member in the DMZ requires port 135 to be open. If they think that is a good, or even acceptable, idea, I would show them the door.

Simon.

Thanks Sembee, my feelings exactly... This is the topology that we want... We are going to have a T1 with a cable modem running together as shared bandwidth, and also for redundancy: should one go down, the other still works.

Connect to a router which will supply DHCP to my clients, firewall/NAT, VPN connectivity. Have only one segment with port 80 forwarded to the web server, port 25 to the Exchange box and that's it! Nothing else. There will be only one domain controller, and DNS installed on the AD machine. We don't need Remote Desktop or OWA. Also, I'll be moving the data from the Sun machine to a Windows Server 2003 server, so the NFS connectivity will be killed.

Anthony

The router shouldn't be doing DHCP. A Windows 2003 AD DC should be doing DHCP so that the correct information can be handed out and DNS populated correctly.

Simon.

Perfect... but taking out all this DMZ stuff and just having one segment with the 2 ports, 80 and 25, pointing to the one machine... The AD controller also has Exchange and DNS and will serve DHCP, a member server will house ACCPAC, and the 2nd member server is running BES and WSUS.

Are there any security risks that I should be worried about in this topology?

Anthony

Port 80 is a risk I don't accept. I do not have that port open on any of my networks: HTTPS 443 ONLY, with a purchased SSL certificate.

Simon.

G'day mate
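Two of Simon's points above (a domain member in the DMZ forcing port 135 through the firewall, and plaintext port 80 exposed from the outside) are the kind of thing worth checking mechanically before and after a PIX change. The following audit script is an added example written for this thread, not code from Experts Exchange, Cisco or any poster; it parses a constructed set of PIX-style `access-list` lines (the hostnames and addresses are the ones given in the question) and reports the permits that match those two patterns. The rule regex, the `Finding` type and the `audit` function are hypothetical helpers; the port names understood (`www`, `smtp`, `https`, `domain`) are the common PIX service keywords.

```python
"""Flag PIX-style access-list permits that match the risks discussed in the
thread: port 135 crossing the firewall (domain member in the DMZ) and plaintext
HTTP (port 80) allowed from an untrusted source.  Hypothetical helper, not
Cisco or Experts Exchange code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Ports called out in the thread and why they matter.
DOMAIN_PORTS = {
    135: "RPC endpoint mapper: domain member traffic crossing the firewall",
}
PLAINTEXT_WEB = {
    80: "plaintext HTTP reachable from an untrusted network; prefer 443 only",
}

# Common PIX service keywords that may appear instead of a numeric port.
SERVICE_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "domain": 53}

# access-list <name> permit|deny <proto> <src> <dst> [eq <port>]
# where <src>/<dst> is "any", "host A.B.C.D" or "A.B.C.D MASK".
RULE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


@dataclass
class Finding:
    acl: str
    port: int
    reason: str
    line: str


def parse_port(token: Optional[str]) -> Optional[int]:
    """Turn a numeric port or PIX service keyword into an int, else None."""
    if token is None:
        return None
    if token.isdigit():
        return int(token)
    return SERVICE_NAMES.get(token.lower())


def audit(config_text: str) -> List[Finding]:
    """Return one Finding per permit rule that matches a flagged pattern."""
    findings: List[Finding] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m or m["action"] != "permit":
            continue
        port = parse_port(m["port"])
        if port is None:
            continue
        if port in DOMAIN_PORTS:
            # Any permit for 135 means domain RPC is crossing the firewall.
            findings.append(Finding(m["acl"], port, DOMAIN_PORTS[port], line))
        elif port in PLAINTEXT_WEB and m["src"] == "any":
            # Only flag HTTP when the source is unrestricted (outside world).
            findings.append(Finding(m["acl"], port, PLAINTEXT_WEB[port], line))
    return findings


# Constructed sample mirroring the topology in the question: XMAIL (DC +
# Exchange) at 192.168.123.200 in the DMZ, web server at 192.168.123.20,
# inside DC "accpac" at 192.9.200.3.
SAMPLE_CONFIG = """
access-list outside_in permit tcp any host 192.168.123.200 eq smtp
access-list outside_in permit tcp any host 192.168.123.20 eq www
access-list outside_in permit tcp any host 192.168.123.20 eq https
access-list dmz_in permit tcp host 192.168.123.200 host 192.9.200.3 eq 135
access-list dmz_in permit udp host 192.168.123.200 host 192.9.200.3 eq 53
access-list dmz_in deny ip any any
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.acl}] port {f.port}: {f.reason}\n    {f.line}")
```

Run against the sample, the script reports the `www` permit on `outside_in` and the 135 permit on `dmz_in`; the SMTP and HTTPS permits and the DNS rule pass, which matches the "25 and 443 only" end state the thread converges on. Once the DC is moved inside, the `dmz_in` 135 rule should disappear from the PIX config entirely and the audit should come back clean.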

Here is a good starting point for hardening IIS. Well worth a read to allow you to sleep easier:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx

And although Exchange is pretty good out of the box, this link has plenty of tips on hardening your deployment:
http://technet.microsoft.com/en-us/library/300d578b-c7ec-4ff0-978b-da0d6bb89ab1.aspx

Rob