Security Basics mailing list archives

Re: Network Design


From: Tomas Wolf <tomas () skip cz>
Date: Wed, 27 Aug 2003 08:30:22 -0400

Hello,
I believe that the scheme "PUBLIC-----FW----DMZ-----FW----LOCAL" is nice if it is well configured (as everything is). The design itself needs to be considered from many points of view. To design a network that serves its purpose well, one needs a lot of information: what the purpose (or goal) of the network is, what kind of applications will be running on it, i.e. what type of traffic. Do you have a baseline? How to design the core layer, distribution layer.... Point at the network core and mission-critical machines... One should consider making the network reliable, scalable, simple, not too expensive, secure, and fast enough for everyone... Whichever of these points can be preferred more or less according to the goal, i.e. keeping it as cheap as possible might result (but also might not) in lower reliability and security (at least).

Well, where I'm going with all this :-), sometimes buying two FWs might be overkill... I like appliances, but I don't rule out Linux machines as simple FWs, and also software FWs. I would go with NetScreen (my favorite), or CheckPoint, or maybe SonicWall (but I've heard that SonicWall's customer service is not very reliable). But if the Internet is only a communication medium and not the point of the business, also in consideration of the data sensitivity, I wouldn't spend money on two stateful FWs with NIDS, VPN, and other nifty tools + two routers -- one external to the ISP and one internal, ending the DMZ. Unless it is planned to use the FWs as routers, but some FWs don't have router capabilities (keeping tables, update protocols, etc.) and if they do, I wouldn't use them as one... I would build something like this:

INTERNET-----ROUTER-----FW-----DMZ------ROUTER-----LAN

Both routers would have some sort of access list for the services in the DMZ (i.e. IP:any:any TCP only to IP:server:21 allow), while the firewall would look after the running services, session hijacking, some types of DoS, etc.
And the router inside would be set to reject any request for connection to the local interface...
And/or if money is a bigger issue then it might be:
INTERNET-----ROUTER/FIREWALL(interface1)----LAN
                         ROUTER/FIREWALL(interface2)----DMZ

(sorry if it looks goofy) -- the main idea is to save, so the DMZ and LAN are separated only by interfaces on the machine which routes and is set up as a firewall... The problem with this scheme is a single point of failure (the router/firewall). I remember a nice software router, "Kerio WinRoute Pro" (http://www.kerio.com/); it is for Windows, but the system inherits the flaws of the OS it runs on.

I hope that helped somehow -- good luck with the first one...
Tomas
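The two-router layout in the reply above (border router ACL permitting only TCP to the DMZ FTP server on port 21, inner router rejecting new connection requests toward the LAN) as an added Python model; this is example code written for this archive page, not anything from the original poster, and the addresses, the `Packet` fields and the reading of "reject any request for connection to the local interface" as "drop TCP SYNs aimed at the LAN" are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for this example; the post names no real networks.
DMZ_NET = ip_network("192.0.2.0/24")    # DMZ between the two routers
LAN_NET = ip_network("10.0.0.0/24")     # corporate LAN behind the inner router
FTP_SERVER = ip_address("192.0.2.21")   # the only DMZ service exposed outside


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    conn_request: bool  # True for a TCP SYN, i.e. a new connection attempt


def zone(addr):
    ip = ip_address(addr)
    return "dmz" if ip in DMZ_NET else "lan" if ip in LAN_NET else "internet"


def outer_router_inbound(pkt):
    """ACL on the border router's Internet-facing interface: the post's
    'IP:any:any TCP only to IP:server:21 allow', with an implicit deny."""
    return pkt.proto == "tcp" and ip_address(pkt.dst) == FTP_SERVER and pkt.dport == 21


def inner_router_toward_lan(pkt):
    """ACL on the inner router's DMZ-facing interface (assumed reading of the
    post): reject any new connection request aimed at the LAN; everything
    else, including replies to LAN-initiated sessions, passes."""
    return not (zone(pkt.dst) == "lan" and pkt.conn_request)


def trace(pkt):
    """Return (permitted, hops) for the ACL stages a packet crosses in
    INTERNET---ROUTER---FW---DMZ---ROUTER---LAN; the stateful FW is not modelled."""
    src, dst = zone(pkt.src), zone(pkt.dst)
    stages = []
    if src == "internet" and dst != "internet":
        stages.append(("outer-router", outer_router_inbound))
    if src != "lan" and dst == "lan":
        stages.append(("inner-router", inner_router_toward_lan))
    hops = []
    for name, acl in stages:
        permitted = acl(pkt)
        hops.append((name, "permit" if permitted else "deny"))
        if not permitted:
            return False, hops
    return True, hops
```

Because the inner check only looks at the connection-request flag, it does not track sessions; that is the gap the stateful firewall in the design above is there to cover.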

Jeff McClintock wrote:

Hello,

I've been tasked with creating my first ever network. Definitely exciting, but lots of stuff to know :) Given that, I wanted to run this by you guys and get some opinions. I work for a small firm of 20-25 employees that use Windows 2000 and XP exclusively. They are planning to scale to a maximum of 50 people within a year. They have a full T1, and want to have an FTP server, VPN and OWA access. Web hosting is done by their ISP.

Does this seem like a pretty secure set up for them:

Internet -> Firewall -> (DMZ) FTP/OWA server (DMZ) -> DMZ Firewall -> Corporate LAN (with Exchange, employee machines, etc...)

If so, any rec's on firewalls for something like this? Since it's a small firm, price is always an issue.

thanks
jm

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com
----------------------------------------------------------------------------