Security Basics mailing list archives
RE: Network redesign
From: "Tony Reusser" <treusser () filertel com>
Date: Fri, 17 Aug 2007 14:12:05 -0600
In general, any resource that needs to be accessed from the Internet should be on your DMZ. If you have a database that the public needs to see, then set up a secure replication process from your SQL server on your inside/secure network, through the firewall, to a duplicate database on the public server on the DMZ. If you have an internal box whose needs change, then PHYSICALLY MOVE it to your DMZ segment. You need to tell your boss this is what you are doing, no ifs, ands or buts. You should have the "say-so" as far as network security is concerned.

Under no circumstances should any outside resource be allowed to initiate unsolicited connections into your secure area. Only allow incoming traffic via VPN, and only when you know EXACTLY who it is and what they are doing.

This is just a very general overview of "best practices." Your network is unique and you will have to deal with legacy issues like all of us in the real world do.

www.sans.org is a good security-oriented website. The emphasis is on security training, but they have good articles and references on industry standards and best practices.

I hope this helps.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Alex
Sent: Friday, August 17, 2007 10:51 AM
To: security-basics () securityfocus com
Subject: Network redesign

Hello list,

The company I work for is going for a major network redesign. We're moving from a single, large and hard-to-manage network (don't ask why it came to that...) to multiple VLANs. The network consists of about 2000 PCs and 30 servers (including Apaches, Exchange, MySQL and MS SQL, terminal services and so on). Since this is gonna be a lot of work (and not gonna be done a second time) we're spending a lot of time on designing.

Now to the point.

* There is the rule of thumb saying "Don't let connections go out of the DMZ", but what about the SQL server that needs to be accessed from a web server in a DMZ? Do we put it in the same DMZ, in another one, or maybe in a VLAN in the main network?
* What happens when the boss comes in and says "We need this private web or terminal server in this VLAN to be accessed from the outside"?
* Where is the best place to put our internal network and/or host IDS, security scanner and the like (nothing like that exists right now :/ )?

In a few words, how do we design our VLANs and DMZ for increasing security while maintaining some flexibility too? What would your ideal network be like, concerning these issues? Any tips, sources and reading material in general are most welcome.

Thanks in advance.

Cheers,
Alex.
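The zone policy Tony describes (Internet reaches the DMZ only, replication is pushed from the secure side to a DMZ replica, nothing in the DMZ or on the Internet may open a connection inward, and the only inbound path is an authenticated VPN to a known host and port) can be checked as a small stateful first-match model. This is an added example, not code from either poster; every address, host role and port below is an assumption chosen for illustration, and the sample flows are constructed.

```python
"""Model of a three-zone (outside / dmz / inside) firewall policy.
Added example: addresses, host roles and ports are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical address plan; anything not listed is "outside" (the Internet).
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/16"),     # secure network
    "vpn":    ipaddress.ip_network("10.200.0.0/24"),   # tunnel addresses of authenticated VPN users
    "dmz":    ipaddress.ip_network("192.168.100.0/24"),
}
# Hosts in the roles the thread talks about (hypothetical addresses).
SQL_INSIDE      = "10.0.10.5"        # master database on the secure network
TERM_SRV_INSIDE = "10.0.10.50"       # internal terminal server the boss wants reachable
WEB_DMZ         = "192.168.100.10"   # public web server
SQL_REPLICA_DMZ = "192.168.100.20"   # read-only copy the web server queries
VPN_GW_DMZ      = "192.168.100.30"   # VPN concentrator, public-facing side

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    dst_host: Optional[str] = None  # None = any host in dst_zone
    src_host: Optional[str] = None  # None = any host in src_zone

    def matches(self, f: Flow) -> bool:
        return (zone_of(f.src) == self.src_zone and zone_of(f.dst) == self.dst_zone
                and f.proto == self.proto and f.dport == self.dport
                and self.src_host in (None, f.src) and self.dst_host in (None, f.dst))

# Explicit accept list; the implicit final rule is drop. Deliberately there is
# no dmz -> inside and no outside -> inside entry at all.
ACCEPT_RULES = [
    Rule("outside", "dmz", "tcp", 443, dst_host=WEB_DMZ),                               # public web
    Rule("dmz", "dmz", "tcp", 1433, src_host=WEB_DMZ, dst_host=SQL_REPLICA_DMZ),        # web -> DMZ replica
    Rule("inside", "dmz", "tcp", 1433, src_host=SQL_INSIDE, dst_host=SQL_REPLICA_DMZ),  # replication, pushed from inside
    Rule("outside", "dmz", "udp", 500, dst_host=VPN_GW_DMZ),                            # IKE
    Rule("outside", "dmz", "udp", 4500, dst_host=VPN_GW_DMZ),                           # IPsec NAT-T
    Rule("vpn", "inside", "tcp", 3389, dst_host=TERM_SRV_INSIDE),                       # known users, one host, one port
]

class StatefulFirewall:
    """First-match accept list plus a connection table, so replies to accepted
    connections pass on state rather than through any inbound rule."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.established: set = set()

    def evaluate(self, f: Flow) -> str:
        # Reverse direction of a connection we already accepted.
        if (f.dst, f.dport, f.src, f.sport, f.proto) in self.established:
            return "accept"
        for r in self.rules:
            if r.matches(f):
                self.established.add((f.src, f.sport, f.dst, f.dport, f.proto))
                return "accept"
        return "drop"

def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    fw = StatefulFirewall(ACCEPT_RULES)
    return [(f, fw.evaluate(f)) for f in flows]

# Constructed sample traffic, evaluated in order so state carries forward.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", 51000, WEB_DMZ, 443, "tcp"),          # Internet user -> web: accept
    Flow(WEB_DMZ, 40000, SQL_REPLICA_DMZ, 1433, "tcp"),        # web -> DMZ replica: accept
    Flow(WEB_DMZ, 40001, SQL_INSIDE, 1433, "tcp"),             # web -> inside master: drop
    Flow(SQL_INSIDE, 49152, SQL_REPLICA_DMZ, 1433, "tcp"),     # replication push from inside: accept
    Flow(SQL_REPLICA_DMZ, 1433, SQL_INSIDE, 49152, "tcp"),     # its reply: accept (state only)
    Flow(SQL_REPLICA_DMZ, 1433, SQL_INSIDE, 49153, "tcp"),     # forged "reply", no state: drop
    Flow("198.51.100.9", 500, VPN_GW_DMZ, 500, "udp"),         # IKE to the VPN gateway: accept
    Flow("10.200.0.15", 52000, TERM_SRV_INSIDE, 3389, "tcp"),  # VPN user -> terminal server: accept
    Flow("198.51.100.9", 52001, TERM_SRV_INSIDE, 3389, "tcp"), # same target straight from Internet: drop
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:6} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

The point of the model is the sixth sample flow: the DMZ replica can only talk to the inside master as the reverse half of a connection the master opened, and a packet that merely looks like a reply is dropped. Answering the boss's request is then a matter of adding a `vpn -> inside` rule for one host and one port, not an `outside -> inside` one.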
Current thread:
- Network redesign Alex (Aug 17)
- RE: Network redesign Tony Reusser (Aug 17)
- <Possible follow-ups>
- Re: Network redesign krymson (Aug 17)