Security Basics mailing list archives

RE: Network Design


From: "Smith, Chris" <csmith () Calence com>
Date: Tue, 26 Aug 2003 09:03:50 -0700

You're on the right track with the network configuration - what will make the environment secure are the policies in 
place in the environment, security of the hosts on the dmz and internal network, etc.  

- Regardless of the firewall selected, ensuring the firewall policies are secure (managing ingress and egress traffic 
flows between all segments), disabling unneeded services on the hosts and limiting access to only required services 
through the firewall are critical activities.
- In addition to filtering on the firewall, ensure filtering (and logging) is enabled on the border router.
- Treat the DMZ as insecure - control access to the dmz hosts and from them.  If compromised, do not allow the hosts to 
be utilized for attacking others (or yourself).
- Log all activities from the border router, firewall, and hosts (if possible) and review the logs!  Enable syslog and 
send to an internal host, spend the time tuning a log monitoring tool to catch major anomalies
- Consider redundancy - it may be a small company now, but an outage on any one device resulting in a loss of service 
may result in additional budget materializing.  At a minimum, consider the effect of redundant devices now to avoid the 
pain of re-architecting later (physical switch ports, logical ip addresses, etc).

Regarding firewalls, take your pick - you can (and on this list likely will) get as many opinions as responses.  Open 
source can work great, but without experience the learning curve for open source (o/s, fw software, etc.) may not be 
feasible.  If commercial is selected, the options are endless.  Cisco/Checkpoint work great for large accounts, and 
they have strong security features for small/medium companies (although may be more pricey than other selections).  
Symantec has a good selection for small/med. business, and integrates additional features such as content filtering.  
Regardless, an appliance based firewall would be a strong suggestion to eliminate complexity in managing the hardware, 
operating system, and firewall application separately.

In addition to price, consider your experience with new products and the learning curve associated with them.  Good 
security with a solid management interface will make your job (and security posture) much stronger than a great 
security appliance with so much complexity in the configuration and management that the features are never used or 
maintained.

C. Smith
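The reply recommends shipping firewall and router logs to an internal syslog host and tuning a monitor to catch major anomalies. The script below is an added example, not code from the thread or from any vendor: it parses a constructed, syslog-style deny/accept log and flags two conditions that matter in the design under discussion, a DMZ host that starts initiating connections to the LAN or the Internet (which a DMZ host should never do, and which is the classic sign of a compromised DMZ box) and a single outside address probing many ports on a DMZ host. The line layout, host names and addresses are all constructed for the example.

```python
"""Syslog-style firewall log review (added example, not from the thread).

Checks implemented:
  * a DMZ host initiating connections to the LAN or Internet (possible compromise)
  * one outside address probing many distinct ports on a DMZ host (port sweep)
The log format, host names and addresses below are constructed and do not
represent any particular vendor's real format.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed segment addressing for the example (RFC 5737 / RFC 1918 ranges).
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
LAN_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample: a sweep from 203.0.113.7, the DMZ FTP host 192.0.2.10
# reaching out (IRC to the Internet, SMB into the LAN), two legitimate accepted
# flows, and one malformed line to show the parser skipping it.
SAMPLE_LOG = """\
Aug 26 09:00:01 fw1 kernel: DENY IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Aug 26 09:00:01 fw1 kernel: DENY IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Aug 26 09:00:02 fw1 kernel: DENY IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
Aug 26 09:00:02 fw1 kernel: DENY IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
Aug 26 09:00:03 fw1 kernel: DENY IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=135
Aug 26 09:00:03 fw1 kernel: DENY IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
Aug 26 09:02:10 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=21
Aug 26 09:05:44 fw1 kernel: DENY IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=6667
Aug 26 09:05:45 fw1 kernel: DENY IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=6667
Aug 26 09:05:50 fw2 kernel: DENY IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP DPT=445
Aug 26 09:06:00 fw2 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=192.0.2.10 PROTO=TCP DPT=21
Aug 26 09:06:30 fw2 kernel: this line is not in the expected format
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) \S+ (?P<action>ACCEPT|DENY) "
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: DPT=(?P<dpt>\d+))?"
)


def segment(addr):
    """Map an address to the segment it belongs to: dmz, lan or internet."""
    ip = ipaddress.ip_address(addr)
    if ip in DMZ_NET:
        return "dmz"
    if ip in LAN_NET:
        return "lan"
    return "internet"


def parse(log_text):
    """Return one dict per recognised line; lines in another format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production tool should count and surface unparsed lines
        event = m.groupdict()
        event["dpt"] = int(event["dpt"]) if event["dpt"] else None
        events.append(event)
    return events


def find_anomalies(events, sweep_ports=5, dmz_outbound=3):
    """Return (kind, source_address, count) for each condition over threshold."""
    dmz_initiated = defaultdict(int)   # DMZ source -> connections leaving the DMZ
    ports_by_src = defaultdict(set)    # outside source -> distinct denied DMZ ports
    for e in events:
        src_seg, dst_seg = segment(e["src"]), segment(e["dst"])
        if src_seg == "dmz" and dst_seg != "dmz":
            dmz_initiated[e["src"]] += 1
        if (src_seg == "internet" and dst_seg == "dmz"
                and e["action"] == "DENY" and e["dpt"] is not None):
            ports_by_src[e["src"]].add(e["dpt"])
    findings = []
    for src, n in sorted(dmz_initiated.items()):
        if n >= dmz_outbound:
            findings.append(("dmz-host-initiating-outbound", src, n))
    for src, ports in sorted(ports_by_src.items()):
        if len(ports) >= sweep_ports:
            findings.append(("inbound-port-sweep", src, len(ports)))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse(SAMPLE_LOG)):
        print(*finding)
```

The DMZ-outbound check counts accepted and denied attempts alike: a DMZ host that is talking outward at all is the anomaly, whichever way the rule base decided, so the threshold is what you tune against your own baseline rather than the action field.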

-----Original Message-----
From: Jeff McClintock [mailto:lord_fiery () yahoo com]
Sent: Monday, August 25, 2003 12:51 AM
To: security-basics () securityfocus com
Subject: Network Design

Hello,

I've been tasked with creating my first ever network.  Definitely exciting, but lots of stuff to know :)  Given that, I wanted to run this by you guys and get some opinions.  I work for a small firm of 20-25 employees that use Windows 2000 and XP exclusively.  They are planning to scale to a maximum of 50 people within a year.  They have a full T1, and want to have an FTP server, VPN and OWA access.  Web hosting is done by their ISP.

Does this seem like a pretty secure set up for them:

Internet -> Firewall -> (DMZ) FTP/OWA server (DMZ) -> DMZ Firewall -> Corporate LAN (with Exchange, employee machines, etc...)

If so, any rec's on firewalls for something like this?  Since it's a small firm, price is always an issue.

thanks

jm
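To make the design question concrete, here is an added example (not code from the thread or from any firewall product) that models the two-firewall layout above, Internet -> firewall -> DMZ -> DMZ firewall -> LAN, as two default-deny rule lists and evaluates candidate flows against every firewall on the path between two segments. It lets you check the "treat the DMZ as insecure" requirement from the reply, that a DMZ host cannot initiate traffic to the LAN or the Internet, before the rules are typed into a real device. Segment addressing, the back-end port between the OWA front end and Exchange, and the egress ports are all assumptions for the example; the VPN is not modelled because the thread does not say where it terminates.

```python
"""Two-firewall segmentation policy model (added example, not from the thread).

Segments: internet, dmz, lan.  Traffic between internet and lan crosses both
firewalls, so a flow is allowed only when every firewall on its path allows it.
Addressing and ports are assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

DMZ_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed DMZ addressing
LAN_NET = ipaddress.ip_network("10.0.0.0/8")    # assumed LAN addressing


@dataclass(frozen=True)
class Rule:
    src: str              # segment name or "any"
    dst: str              # segment name or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None = any destination port
    action: str           # "allow" or "deny"

    def matches(self, src_seg, dst_seg, proto, dport):
        return (self.src in ("any", src_seg) and self.dst in ("any", dst_seg)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


# Outer firewall (Internet edge).  First match wins; no match = deny.
OUTER_FW = [
    Rule("internet", "dmz", "tcp", 21, "allow"),    # FTP control to the DMZ FTP host
    Rule("internet", "dmz", "tcp", 443, "allow"),   # OWA over HTTPS
    Rule("lan", "internet", "tcp", 80, "allow"),    # LAN egress: web
    Rule("lan", "internet", "tcp", 443, "allow"),
    Rule("lan", "internet", "udp", 53, "allow"),    # LAN egress: DNS (assumed external resolver)
    Rule("dmz", "any", "any", None, "deny"),        # explicit: a compromised DMZ host reaches nothing
]

# Inner (DMZ) firewall between the DMZ and the corporate LAN.
INNER_FW = [
    Rule("dmz", "lan", "tcp", 80, "allow"),         # OWA front end -> Exchange (assumed port;
                                                    # pin to the OWA host address on a real device)
    Rule("lan", "dmz", "tcp", 21, "allow"),         # staff uploads to the FTP server
    Rule("lan", "dmz", "tcp", 22, "allow"),         # administration of DMZ hosts
    Rule("lan", "internet", "any", None, "allow"),  # egress is filtered at the outer firewall
    Rule("dmz", "any", "any", None, "deny"),
]

ORDER = ["internet", "dmz", "lan"]


def segment(addr):
    ip = ipaddress.ip_address(addr)
    if ip in DMZ_NET:
        return "dmz"
    if ip in LAN_NET:
        return "lan"
    return "internet"


def path(src_seg, dst_seg) -> List[Tuple[str, List[Rule]]]:
    """Firewalls crossed from src to dst, in traversal order."""
    i, j = ORDER.index(src_seg), ORDER.index(dst_seg)
    if i == j:
        return []  # same segment: switched, no firewall involved
    hops = []
    if min(i, j) == 0:
        hops.append(("outer", OUTER_FW))
    if max(i, j) == 2:
        hops.append(("inner", INNER_FW))
    return hops if i < j else hops[::-1]


def evaluate(rules, src_seg, dst_seg, proto, dport):
    """First matching rule decides; an empty match list means default deny."""
    for rule in rules:
        if rule.matches(src_seg, dst_seg, proto, dport):
            return rule.action
    return "deny"


def check_flow(src_ip, dst_ip, proto, dport):
    """Return ("allow", None) or ("deny", name_of_firewall_that_dropped_it)."""
    src_seg, dst_seg = segment(src_ip), segment(dst_ip)
    for name, rules in path(src_seg, dst_seg):
        if evaluate(rules, src_seg, dst_seg, proto, dport) != "allow":
            return ("deny", name)
    return ("allow", None)


def dmz_egress_exceptions(ports=(21, 22, 25, 53, 80, 135, 443, 445, 6667)):
    """Everything a DMZ host may initiate; should be the short, intended list only."""
    allowed = []
    for dst_seg in ("lan", "internet"):
        for proto in ("tcp", "udp"):
            for port in ports:
                hops = path("dmz", dst_seg)
                if all(evaluate(r, "dmz", dst_seg, proto, port) == "allow" for _, r in hops):
                    allowed.append((dst_seg, proto, port))
    return allowed


if __name__ == "__main__":
    print(check_flow("203.0.113.7", "192.0.2.10", "tcp", 21))
    print("DMZ may initiate:", dmz_egress_exceptions())
```

Keeping the explicit `dmz -> any deny` rule even though the default already denies is deliberate: it documents the intent in the rule base and gives you a rule to attach logging to, which is what the reply's "log all activities and review the logs" advice depends on.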
