Solved

how to create a secure network structure?

Posted on 2007-11-30
1,020 Views
Last Modified: 2008-02-01
I am developing a small to medium size e-commerce web site for which I need to create a network structure. I don't have much experience creating network structure even though I know fairly enough about configuring routers and firewalls.

How should I create the network structure? I was thinking of having my web server behind a firewall with port 80 open. Then, route any database request to a second firewall/router on the network through the port on which the database would be working. This way, the business tier server would be at a higher level in the network than the data tier server. Would this be a reasonable network configuration approach to implement and protect the data?

I will be using Microsoft products such as Small Business Web Server, SQL Server Express and Visual Studio.

Please, I would appreciate any inputs and thoughts. Thanks.


0
Question by:vielkacarolina1239
7 Comments
 
LVL 27

Assisted Solution

by:pseudocyber
pseudocyber earned 150 total points
Although you can use two firewalls, IMHO you're adding needless complexity.

You can have a screening router which can drop the obvious stuff - spoofed traffic and what not.  Then hang a DMZ off one firewall port and your internal network off another.  So, you can allow 80 into the DMZ from anywhere, and you could allow db traffic from the server to your internal net.  You could allow management from internal to the web server, and allow 80, 443, and a few other ports from inside to the Internet.

So physically, it would look like this:

Internet ---- router ---- firewall ----- inside nets
                             |
                            dmz

Rules:
Allow Any port 80 to web server
Allow db traffic from web server to inside db server
Allow ssh from inside to web server (or whatever you want to use to manage)
Allow 80, etc from inside to any
deny any to any & log

This should basically do it.
0
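The ruleset above, modelled as a small first-match policy evaluator so the flows can be checked on paper before anything is typed into a real firewall. This is an added example, not code from the original thread or from any firewall vendor; the address ranges, the SQL Server port (1433) and the ssh management port are assumptions, and the screening router's anti-spoofing drop is modelled as a check on the arrival interface.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Tuple

# Assumed address plan (constructed for this example; the thread gives none).
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "inside": ip_network("10.0.0.0/16"),
}
WEB_SERVER = ip_address("192.0.2.10")   # bastion host hanging off the DMZ port
DB_SERVER = ip_address("10.0.1.20")     # SQL Server on the inside net
DB_PORT = 1433                          # default SQL Server TCP port (assumption)
MGMT_PORT = 22                          # ssh, as in the answer; 3389 if you manage by RDP


def zone_of(ip: IPv4Address) -> str:
    """Map an address to the zone it lives in; anything unmatched is the Internet."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass
class Rule:
    name: str
    src: str                   # "any", a zone name, or a host address
    dst: str
    dports: Tuple[int, ...]    # empty tuple means any port
    action: str                # "allow" or "deny"
    log: bool = False

    def _matches_endpoint(self, spec: str, ip: IPv4Address) -> bool:
        if spec == "any":
            return True
        if spec in ZONES or spec == "internet":
            return zone_of(ip) == spec
        return ip == ip_address(spec)

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (self._matches_endpoint(self.src, src)
                and self._matches_endpoint(self.dst, dst)
                and (not self.dports or dport in self.dports))


# Order matters: first match wins, and the final "deny any to any & log" catches the rest.
RULES = [
    Rule("web from anywhere", "any", str(WEB_SERVER), (80,), "allow"),
    Rule("db from web server only", str(WEB_SERVER), str(DB_SERVER), (DB_PORT,), "allow"),
    Rule("manage web server from inside", "inside", str(WEB_SERVER), (MGMT_PORT,), "allow"),
    Rule("browsing from inside", "inside", "internet", (80, 443), "allow"),
    Rule("default deny", "any", "any", (), "deny", log=True),
]


def evaluate(src: str, dst: str, dport: int, arrived_on: str) -> Tuple[str, str]:
    """Decide a new TCP connection: returns (action, name of the rule that decided it).

    arrived_on is the interface the first packet came in on: "outside", "dmz" or "inside".
    """
    s, d = ip_address(src), ip_address(dst)
    # Screening-router job: a packet from the Internet side must not claim an
    # inside or DMZ source address, whatever the firewall rules would say.
    if arrived_on == "outside" and zone_of(s) != "internet":
        return ("deny", "anti-spoof")
    for rule in RULES:
        if rule.matches(s, d, dport):
            return (rule.action, rule.name)
    return ("deny", "implicit deny")   # unreachable with the catch-all above; kept as a safety net


if __name__ == "__main__":
    # A few flows worth checking by hand against the rules list in the answer.
    for flow in [("203.0.113.5", "192.0.2.10", 80, "outside"),
                 ("203.0.113.5", "10.0.1.20", 1433, "outside"),
                 ("192.0.2.10", "10.0.1.20", 1433, "dmz"),
                 ("192.0.2.10", "10.0.1.30", 445, "dmz"),
                 ("10.0.1.20", "192.0.2.10", 80, "outside")]:
        print(flow, "->", evaluate(*flow))
```

The last two flows are the ones the asker is worried about: even if the web bastion is compromised, the only inside host it can open a connection to is the database server, and only on the database port; everything else from the DMZ hits the logged default deny, and an Internet packet forged with an inside source address never reaches the rule list at all.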
 
LVL 8

Accepted Solution

by:
charan_jeetsingh earned 350 total points
If you have security in mind (that is what the market is asking for)... definitely you should go for a multi-tier architecture

it can look something like this:

Internet -------- firewall ----- Internal
                     |
    Proxies for load sharing and additional security
                     |
               Web + App tier
                     |
                  Firewall
                     |
                  DB Server
                     SAN

proxy can be omitted but based on my experience I have observed that they are really helpful in doing good resource utilisation and providing an additional security layer to your web tier.
0
 

Author Comment

by:vielkacarolina1239
HI,

pseudocyber

I read a paper which explains the pitfalls of the design you have suggested. The paper explains that if the web server computer is used as a robot, it can be used to attack the other computers on the same tier if it is compromised. Do you have any other suggestions? Please let me know, I will gladly appreciate your comments.
0
 

Author Comment

by:vielkacarolina1239
HI

Thanks, this is similar to what I had in mind. Would you suggest using the same type of firewall for the different tiers? Would it matter if they are different? Do you think this would improve security since they are different?

I am thinking about getting a NETGEAR ProSafe VPN Firewall FVX538 for this project. Do you think this would do the trick? The URL for this item is: http://www.netgear.com/Products/VPNandSSL/WiredVPNFirewallRouters/FVX538.aspx?detail=Specifications

It seems like a decent firewall and it goes for $350.

Do you have any suggestions? Please, let me know. I will gladly appreciate it.
0
 

Author Comment

by:vielkacarolina1239
These are the specs for the above firewall

Physical Interfaces

LAN ports: Eight (8) 10/100 Mbps auto-sensing, Auto-Uplink RJ-45 ports; one (1) Gigabit 10/100/1000 Mbps LAN port; one LAN port can be dedicated hardware DMZ port
WAN port: Two 10/100Mbps Ethernet RJ-45 ports with auto fail-over and load balancing
Serial Port: One console port for command line interface (CLI) support
Security Features

SPI Firewall: Stateful Packet Inspection (SPI) to prevent notorious Denial of Service (DoS) attacks, Intrusion Detection System (IDS) including logging, reporting and e-mail alerts, address, service and protocol, Web URL keyword filtering, prevent replay attack (reassembly attack), port/service blocking. Advanced features include block Java/URL/ ActiveX based on extension, FTP/SMTP/RPC program filtering
VPN Functionality: Two hundred (200) dedicated VPN tunnels, Manual key and Internet Key Exchange Security Association (IKE SA) assignment with pre-shared key and RSA/DSA signatures, key life and IKE lifetime time settings, perfect forward secrecy (Diffie- Hellman groups 1 and 2 and Oakley support), operating modes (Main, Aggressive, Quick), fully qualified domain name (FQDN) support for dynamic IP address VPN connections.
IPSec Support: IPSec-based 56-bit (DES), 168-bit (3DES), or 256-bit (AES) encryption algorithm, MD5 or SHA-1 hashing algorithm, AH/AH-ESP support, PKI features with X.509 v.3 certificate support, remote access VPN (client-to-site), site-to-site VPN, IPSec NAT traversal (VPN pass-through)
Mode of Operation: One-to-one/ many-to-one Multi-Network Address Translation (NAT), classical routing, unrestricted users per port
IP Address Assignment: Static IP address assignment, internal DHCP server on LAN, DHCP client on WAN, PPPoE client support
Performance Features

Throughput: Up to 91 Mbps WAN to LAN and 60Mbps 3DES throughput
Management Features

Administration Interface: SNMP (v.2c) support, Telnet, web graphic user interface, Secure Sockets Layer (SSL) remote management, user name and password protected; secure remote management support authenticated through IP address or IP address range and password; configuration changes/ upgrades through web GUI.
Configuration and Upgrades: Upload and download configuration settings, firmware upgradeable flash memory
Logging: SYSLOG, e-mail alerts
Functions

VPN Wizard to simplify configuration of the VPN, Smart Wizard to automatically detect ISP Address type (static, dynamic, PPPoE), Port Range Forwarding, Port Triggering, Exposed Host (DMZ), Hardware DMZ, Enable/Disable WAN Ping, DNS Proxy, MAC Address cloning/ spoofing, Network Time Protocol NTP support, Keyword Content Filtering, email Alerts, DHCP Server (Info and display table), PPPoE login client support, WAN DHCP Client, Diagnostic tools (ping, trace route, other), Port/ service, Auto-Uplink on switch ports and Quality of Service (QoS).
Protocol Support

Network: IP routing, TCP/IP, UDP, ICMP, PPPoE
IP Addressing: DHCP (client and server)
Routing: RIP v1, RIPv2 (Static Routing, Dynamic Routing)
VPN/Security: IPSec (ESP, AH), MD5, SHA-1, DES, 3DES, IKE, PKI, AES
User Support

LAN: Up to 253 users
Maintenance

Save/Restore Configuration, Restore Defaults, Upgrades via Web Browser, Display Statistics, Logging, SYSLOG support
Hardware Specifications

Processor: 533 MHz Intel XScale IXP425
Memory: 32MB Flash, 64MB DRAM
Encryption Accelerator: Cavium Processor with 60+ Mbps (3DES+SHA-1) encryption
Power requirements: 100-240 VAC, 50-60Hz, 15W MAX
Dimensions: 33 x 20.3 x 4.4 cm. (13 x 8 x 1.75 in.)
Weight: 4.42 lbs (2.01 kg)
Environmental Specifications

Operating temperature: 0 to 40ºC (32 to 104ºF)
Operating humidity: 90% maximum relative humidity, non-condensing
Warranty

NETGEAR 3 year warranty
Package Contents

FVX538 ProSafe VPN Firewall 200
Ethernet cable
Rack mount kit
Installation guide
Resource CD with five user license of ProSafe VPN Client Software
Warranty/Support information card
0
 
LVL 8

Assisted Solution

by:charan_jeetsingh
charan_jeetsingh earned 350 total points
Would you suggest using the same type of firewall for the different tiers? (when you say type of firewall I assume you are talking of vendors)  Would it matter if they are different? Do you think this would improve security since they are different?

>> It doesn't make much of a difference if you are using 1 type or 2 types.  It all depends basically on how best you implement them. But looking into the management overheads involved with using 2 firewalls I recommend going with one and that is a common practice as well. Also implementing 2 types of firewall will double the probability of vulnerabilities as the loopholes of both types simply add, thus increasing the risk factor.

Regarding your going with Netgear.... I won't really go with you. I personally would have chosen amongst Cisco ASA / Juniper Netscreen (Cisco is my personal flavour). Netscreen would have served the purpose of general internet browsing and managing a few VPNs, but when you are on the internet and are expecting hundreds of hits per hour, you expect all malicious traffic also. In such cases you must go with experts.
0
 
LVL 27

Expert Comment

by:pseudocyber
Thanks for the points.

True, that if one of your bastion hosts is compromised it can be used to attack the others in the same DMZ, but this is why they're in a DMZ and why they're bastions - they must be especially locked down to only run what they're supposed to, trying to minimize the services running and the ports listening.  Yes, you can add more firewalls - but where will you draw the line?  Are you going to run a firewall for each of your servers? At some point it gets ridiculous.

Reverse proxies are OK - but can be especially tricky if you're using SSL traffic or you have many connections coming from one NATed address on the other end.

Second the nod towards "real" firewalls - Cisco ASA (Pix is their older firewall), Checkpoint, Netscreen.
0
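A check for the "minimize the services running and the ports listening" point above: an added example, not code from the thread or from any vendor, that parses `netstat -ano` output (the Windows form, since the asker is on Microsoft products) from a DMZ web bastion and reports every listener that is not on the expected list, plus any management port bound to all interfaces instead of the inside-facing address. The sample output is constructed, and the expected-port list is an assumption for a host that should serve only HTTP/HTTPS and take RDP from the inside net.

```python
import re
from typing import List, Tuple

# What a DMZ web bastion should be listening on (assumption for this example):
# HTTP and HTTPS to the world, plus one remote-management port for the inside net.
EXPECTED_PORTS = {80, 443, 3389}
MGMT_PORTS = {22, 3389}

# Constructed sample of Windows `netstat -ano` output; not captured from any real host.
# It deliberately includes the kind of listeners a freshly built box tends to carry.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       2210
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       996
  TCP    192.0.2.10:80          203.0.113.5:51234      ESTABLISHED     1532
  UDP    0.0.0.0:123            *:*                                    1040
"""

# Columns: proto, local addr:port, foreign addr, optional TCP state, PID.
# UDP rows have no state column, so the state group is optional.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(LISTENING\s+)?(\d+)\s*$")

Listener = Tuple[str, str, int, int]   # (proto, local address, port, pid)


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Return every listening socket; established TCP connections are skipped."""
    listeners: List[Listener] = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and not state:
            continue   # only rows with a LISTENING state are TCP listeners
        listeners.append((proto, addr, int(port), int(pid)))
    return listeners


def audit(listeners: List[Listener],
          expected_ports=EXPECTED_PORTS,
          mgmt_ports=MGMT_PORTS) -> List[str]:
    """One finding per listener that violates the bastion's expected profile."""
    findings = []
    for proto, addr, port, pid in listeners:
        if port not in expected_ports:
            findings.append(f"unexpected {proto} listener on port {port} (pid {pid}): "
                            f"disable the service or block the port on the host firewall")
        elif port in mgmt_ports and addr in ("0.0.0.0", "::", "[::]"):
            findings.append(f"management port {port} (pid {pid}) is bound to all interfaces; "
                            f"bind it to the inside-facing address and restrict it at the firewall")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE_NETSTAT)):
        print(finding)
```

On the constructed sample this flags RPC (135) and SMB (445), which are exactly the services a compromised neighbour in the DMZ would reach for, the NTP listener, the RDP port bound to every interface, and a SQL Server Express instance listening on the web host itself, which undoes the whole point of putting the data tier behind the inner firewall.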
