• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 268
  • Last Modified:

Firewall - Proper setup for servers with public AND private IPs

I have several servers that do filesharing / webserving on my private network AND do webserving on the internet with public IPs.  I can think of several ways to do this, but I want to know the proper / best way as far as security.  This is a from-scratch retool of my network so pretty much anything goes as long as it uses my current hardware.

Hardware is a Cisco 2600 router running VLANs to an HP switch.  One VLAN is the private network doing NAT and one is my public subnet.

I would like to be able to access the webservers from inside and out using the same DNS names.

Ideas:

1) Put two network cards in the servers so they can have IPs on BOTH networks.  The ACLs of my firewall could control security pretty easy.

2) Put the servers in the private network and do port forwarding or statically map the public IPs to the private IPs.

3) Setup the servers with just public IPs and configure things so the local filesharing works, but block filesharing on the internet side.

I'm interested in the quick pros and cons of each setup.  

0
ctarbet
Asked:
ctarbet
  • 2
  • 2
1 Solution
 
kdearingCommented:
Depending on what specific hardware and IOS you're running...

The best solution is to put the webservers in a DMZ with the following ACLs:
Inside -> Outside             Normal internet access
Inside -> DMZ                  Unrestricted access
Outside -> Inside             No access
Outside -> DMZ               Web access only
DMZ -> Outside               Normal internet access
DMZ -> Inside                  No access

The IP addresses you use in the DMZ should be non-routeable (private i.e. 192.168.1.0). Use static NAT to map servers to public IP (with appropriate ACLs).

If your IOS doesn't have the firewall feature set, just create a separate VLAN for the DMZ and implement the ACLs described above.
0
 
ctarbetAuthor Commented:
Is it really necessary to set up the DMZ with a private network?  Isn't it just as good to let the servers run public IPs and lock down the incoming access to web traffic only?  I guess I don't see the difference between doing the static NAT and not doing it seems how the ACL is going to be the same in either case.

Thanks, though.  That is exactly what I wanted.
0
 
kdearingCommented:
You can use public IPs, nothing wrong with that.
I'm just a little more security-concious than most.
Less chance of exposing your servers if your ACLs are mis-configured.
Using non-routeable IPs is best practice.
0
 
ctarbetAuthor Commented:
Thanks.  It's hard to tell sometimes where the line between good practice and paranoid delusion lies.  Not to imply you are paranoid or anything... :)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now