Security Basics mailing list archives
Re: risk attaching dsl modems to office network?
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Wed, 14 Jul 2010 09:22:42 +0200
On 2010-07-12 Andy Colson wrote:
> We host a few websites, but where we are located we cannot get really big pipes without spending lots of $$$. So we have three dsl lines with an "enterprise" plan that lets us host from them. Each has a different outside IP address, and the inside ip is 192.168.0.1. Our current setup has the dsl modem plugged into the web server, and the web server has two nics, one on 192.168.0. (the dsl) and one on 192.168.10. (the office). The 10. line is, obviously, plugged into the office switches. So it looks like:
>
>   internet
>     |
>     |
>     V
>   dsl modem
>     |
>     |
>     V
>   web server ---> switches -->> office
In this setup your web server is an exposed host. In which case the web server should be hardened and monitored rather closely, unless you mean to ask for trouble.
> This all works ok, but to add a reverse proxy, and some monitoring, I'd like to plug the dsl modems into the switches. I can give each dsl modem a different internal ip (192.168.0.1, 192.168.0.2 and 192.168.0.3) and dmz them to a new computer at 192.168.0.42. New layout:
>
>   internet
>     |
>     |
>     V
>   dsl modem
>     |
>     |
>     V
>   switches -->> office (.10.)
>     |
>     |
>     V
>   proxy/load balancer (.0.) ---> web1
>                                   |
>                                   |
>                                   V
>                                  web2
>
> My worry here, and my question for you, is: am I opening myself to "bad things" if I plug my dsl modems into my office switches?
You already opened yourself up to bad things when you placed a publicly accessible host in the same physical network as your LAN hosts. What you really want is a setup like this:

  Internet
     |
  DSL Modem
     |
  Router -- Office LAN (192.168.10.0/24)
     |
  Load Balancer   \
     |     |       |- DMZ (192.168.0.0/24)
   web1   web2    /
> Will a resourceful hacker be able to see my 10.* traffic?
Anyone who is able to compromise your web server will gain immediate access to your internal network.
> The dsl modems have both NAT and DMZ, I'm thinking of using DMZ and putting iptables on the proxy box. Would you think that would be safer than using NAT?
Yes. NAT is not a security technology, and never will be, because it was not intended to be one in the first place.
> (The dsl modem has firewall and NAT (well, it's port forwarding, I'm not sure if that's NAT)). DMZ or NAT will only go to one IP, 0.42.
Hm... according to this you don't have a DSL modem, but a DSL router, so you can probably go with a setup like this:

  Internet
     |
  DSL Router -- Office LAN (192.168.10.0/24)
     |
  Load Balancer   \
     |     |       |- DMZ (192.168.0.0/24)
   web1   web2    /

Make sure that
- the DSL router does have firewall capabilities,
- the firewall is enabled and properly configured,
- the firewall logs are monitored,
- the router firmware is kept up to date.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
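A host firewall for the DMZ proxy/load balancer box (iptables on 192.168.0.42) that enforces the separation discussed in the thread, as an added example that is not part of the original exchange. It assumes eth0 is the box's only interface, sitting in the 192.168.0.0/24 DMZ, and uses constructed addresses 192.168.0.10 and 192.168.0.11 for web1 and web2.

```shell
#!/bin/sh
# Added example, not from the thread: iptables policy for the DMZ proxy box.
# Assumed: eth0 is the DMZ-facing NIC; backend addresses are constructed.
set -eu

DMZ_IF="${DMZ_IF:-eth0}"
OFFICE_LAN="192.168.10.0/24"
BACKENDS="192.168.0.10 192.168.0.11"

# Prints the rules instead of applying them, so they can be reviewed first.
# Apply (as root) with:  dmz_rules | sh
dmz_rules() {
    echo "iptables -F"
    # Default deny in every direction; this box is neither a router nor a client.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The only unsolicited traffic expected is HTTP/HTTPS forwarded by the
    # DSL routers' DMZ feature, plus SSH from the office for administration.
    echo "iptables -A INPUT -i $DMZ_IF -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -i $DMZ_IF -s $OFFICE_LAN -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    # A compromised proxy must never initiate anything towards the office LAN:
    # log the attempt (this is what monitoring the firewall logs catches), then drop it.
    echo "iptables -A OUTPUT -d $OFFICE_LAN -j LOG --log-prefix 'DMZ-TO-OFFICE '"
    echo "iptables -A OUTPUT -d $OFFICE_LAN -j DROP"
    # Outbound new connections are limited to reverse-proxying to web1/web2.
    for b in $BACKENDS; do
        echo "iptables -A OUTPUT -o $DMZ_IF -d $b -p tcp --dport 80 -m state --state NEW -j ACCEPT"
    done
    # Everything else is logged before the default DROP policy discards it.
    echo "iptables -A INPUT -j LOG --log-prefix 'DMZ-IN-DROP '"
    echo "iptables -A OUTPUT -j LOG --log-prefix 'DMZ-OUT-DROP '"
}

# Sanity check before applying: no OUTPUT rule may ACCEPT traffic to the office
# LAN ahead of the DROP for it. Returns 0 when the policy keeps the LAN isolated.
office_lan_isolated() {
    dmz_rules | awk -v lan="$OFFICE_LAN" '
        $0 ~ "-A OUTPUT" && $0 ~ lan && $0 ~ "-j DROP" { drop = NR }
        $0 ~ "-A OUTPUT" && $0 ~ lan && $0 ~ "-j ACCEPT" && !drop { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

dmz_rules
```

Established replies to office-initiated SSH sessions still pass, because the ESTABLISHED rule precedes the office-LAN DROP; only connections originating on the DMZ box are blocked.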