Security Basics mailing list archives
RE: Network Design
From: "Smith, Chris" <csmith () Calence com>
Date: Tue, 26 Aug 2003 09:03:50 -0700
You're on the right track with the network configuration - what will make the environment secure are the policies in place in the environment, security of the hosts on the DMZ and internal network, etc.

- Regardless of the firewall selected, ensuring the firewall policies are secure (managing ingress and egress traffic flows between all segments), disabling unneeded services on the hosts and limiting access to only required services through the firewall are critical activities.
- In addition to filtering on the firewall, ensure filtering (and logging) is enabled on the border router.
- Treat the DMZ as insecure - control access to the DMZ hosts and from them. If compromised, do not allow the hosts to be utilized for attacking others (or yourself).
- Log all activities from the border router, firewall, and hosts (if possible) and review the logs! Enable syslog and send to an internal host; spend the time tuning a log monitoring tool to catch major anomalies.
- Consider redundancy - it may be a small company now, but an outage on any one device resulting in a loss of service may result in additional budget materializing. At a minimum, consider the effect of redundant devices now to avoid the pain of re-architecting later (physical switch ports, logical IP addresses, etc.).

Regarding firewalls, take your pick - you can (and on this list likely will) get as many opinions as responses. Open source can work great, but without experience the learning curve for open source (O/S, FW software, etc.) may not be feasible. If commercial is selected, the options are endless. Cisco/Checkpoint work great for large accounts, and they have strong security features for small/medium companies (although they may be more pricey than other selections). Symantec has a good selection for small/medium business, and integrates additional features such as content filtering.
Regardless, an appliance-based firewall would be a strong suggestion to eliminate complexity in managing the hardware, operating system, and firewall application separately. In addition to price, consider your experience with new products and the learning curve associated with them. Good security with a solid management interface will make your job (and security posture) much stronger than a great security appliance with so much complexity in the configuration and management that the features are never used or maintained.

C. Smith

-----Original Message-----
From: Jeff McClintock [mailto:lord_fiery () yahoo com]
Sent: Monday, August 25, 2003 12:51 AM
To: security-basics () securityfocus com
Subject: Network Design

Hello,

I've been tasked with creating my first ever network. Definitely exciting, but lots of stuff to know :) Given that, I wanted to run this by you guys and get some opinions.

I work for a small firm of 20-25 employees that use Windows 2000 and XP exclusively. They are planning to scale to a maximum of 50 people within a year. They have a full T1, and want to have an FTP server, VPN and OWA access. Web hosting is done by their ISP.

Does this seem like a pretty secure set up for them:

Internet -> Firewall -> (DMZ) FTP/OWA server (DMZ) -> DMZ Firewall -> Corporate LAN (with Exchange, employee machines, etc...)

If so, any rec's on firewalls for something like this? Since it's a small firm, price is always an issue.

thanks
jm
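The reply's two concrete operational points are (a) the DMZ must not be allowed to initiate traffic toward the LAN or the Internet beyond what policy explicitly permits, and (b) firewall logs should go to an internal syslog host and be tuned to surface anomalies. The following Python script is an added example, not code from the thread or from any firewall vendor; it shows what a minimal first pass at "tuning a log monitoring tool" looks like for exactly those two checks. The segment addressing, the DMZ egress allow-list, the netfilter-style log line shape and the log lines themselves are all constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed addressing for the two inside segments (constructed for this example).
SEGMENTS = {
    "dmz": ip_network("192.168.100.0/24"),
    "internal": ip_network("10.0.0.0/24"),
}

# Flows a DMZ host is permitted to *initiate*: here only DNS to an ISP resolver.
# Any other session a DMZ host starts is treated as a policy violation, which is
# the "do not allow the hosts to be utilized for attacking others" point.
ALLOWED_DMZ_EGRESS = {("192.168.100.10", "203.0.113.53", 53)}

# Generic netfilter-style record shape (assumed; real vendor formats differ).
LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DENY) IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)

# Constructed sample of what the internal syslog host might receive.
SAMPLE_LOG = """\
Aug 26 09:01:02 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.100.10 PROTO=TCP DPT=21
Aug 26 09:01:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.100.10 DST=203.0.113.53 PROTO=UDP DPT=53
Aug 26 09:01:40 fw kernel: ACCEPT IN=eth1 OUT=eth2 SRC=192.168.100.10 DST=10.0.0.5 PROTO=TCP DPT=445
Aug 26 09:01:44 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.100.10 DST=198.51.100.200 PROTO=TCP DPT=6667
Aug 26 09:02:11 fw kernel: DENY IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.100.10 PROTO=TCP DPT=22
Aug 26 09:02:12 fw kernel: DENY IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.100.10 PROTO=TCP DPT=23
Aug 26 09:02:13 fw kernel: DENY IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.100.10 PROTO=TCP DPT=3389
Aug 26 09:02:14 fw kernel: DENY IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.100.10 PROTO=TCP DPT=1433
Aug 26 09:02:30 fw kernel: DENY IN=eth0 OUT= SRC=198.51.100.77 DST=192.168.100.10 PROTO=TCP DPT=22
Aug 26 09:03:01 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.8 DST=192.168.100.10 PROTO=TCP DPT=443
Aug 26 09:03:02 fw kernel: -- MARK --
"""


def parse_line(line):
    """Return a dict for one firewall flow record, or None for non-flow lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def segment_of(ip):
    """Classify an address as 'dmz', 'internal', or 'external'."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def dmz_egress_violations(log_text):
    """Accepted flows initiated by a DMZ host that are not on the allow-list.

    Each hit is a (src, dst, dport) tuple; these are the sessions a compromised
    DMZ box would use to reach the LAN or third parties, and they should not be
    getting an ACCEPT at all, so any hit is a rule-set defect worth fixing.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if segment_of(rec["src"]) != "dmz":
            continue
        key = (rec["src"], rec["dst"], rec["dpt"])
        if key not in ALLOWED_DMZ_EGRESS:
            hits.append(key)
    return hits


def noisy_denied_sources(log_text, threshold=3):
    """External sources whose denied-connection count reaches the threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "DENY" and segment_of(rec["src"]) == "external":
            counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for src, dst, dpt in dmz_egress_violations(SAMPLE_LOG):
        print(f"DMZ egress outside policy: {src} -> {dst}:{dpt}")
    for src, n in noisy_denied_sources(SAMPLE_LOG).items():
        print(f"{n} denied connections from {src}")
```

On the sample data the egress check reports the DMZ host reaching into the LAN on 445 and out to the Internet on 6667 while passing the allowed DNS lookup, and the deny counter surfaces one external source with four rejected connection attempts while ignoring the single stray deny. Feeding it real syslog output is a matter of swapping `SAMPLE_LOG` for the file and adjusting `LINE_RE` to the firewall's actual record format; the egress allow-list is the part that has to be maintained alongside the rule-set.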