• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 255
  • Last Modified:

Firewall - Proper setup for servers with public AND private IPs

I have several servers that do filesharing / webserving on my private network AND do webserving on the internet with public IPs.  I can think of several ways to do this, but I want to know the proper / best way as far as security.  This is a from-scratch retool of my network so pretty much anything goes as long as it uses my current hardware.

Hardware is a Cisco 2600 router running VLANs to an HP switch.  One VLAN is the private network doing NAT and one is my public subnet.

I would like to be able to access the webservers from inside and out using the same DNS names.

Ideas:

1) Put two network cards in the servers so they can have IPs on BOTH networks.  The ACLs of my firewall could control security pretty easy.

2) Put the servers in the private network and do port forwarding or statically map the public IPs to the private IPs.

3) Setup the servers with just public IPs and configure things so the local filesharing works, but block filesharing on the internet side.

I'm interested in the quick pros and cons of each setup.  

0
ctarbet
Asked:
ctarbet
  • 2
  • 2
1 Solution
 
kdearingCommented:
Depending on what specific hardware and IOS you're running...

The best solution is to put the webservers in a DMZ with the following ACLs:
Inside -> Outside             Normal internet access
Inside -> DMZ                  Unrestricted access
Outside -> Inside             No access
Outside -> DMZ               Web access only
DMZ -> Outside               Normal internet access
DMZ -> Inside                  No access

The IP addresses you use in the DMZ should be non-routeable (private i.e. 192.168.1.0). Use static NAT to map servers to public IP (with appropriate ACLs).

If your IOS doesn't have the firewall feature set, just create a separate VLAN for the DMZ and implement the ACLs described above.
0
 
ctarbetAuthor Commented:
Is it really necessary to set up the DMZ with a private network?  Isn't it just as good to let the servers run public IPs and lock down the incoming access to web traffic only?  I guess I don't see the difference between doing the static NAT and not doing it seems how the ACL is going to be the same in either case.

Thanks, though.  That is exactly what I wanted.
0
 
kdearingCommented:
You can use public IPs, nothing wrong with that.
I'm just a little more security-concious than most.
Less chance of exposing your servers if your ACLs are mis-configured.
Using non-routeable IPs is best practice.
0
 
ctarbetAuthor Commented:
Thanks.  It's hard to tell sometimes where the line between good practice and paranoid delusion lies.  Not to imply you are paranoid or anything... :)
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now