Security Basics mailing list archives

Re: Access Internal and External Networks


From: JGrimshaw () ASAP com
Date: Fri, 19 Sep 2003 10:53:43 -0500

For a less headachy setup, I would suggest number 2.  Multihoming for the 
purposes you describe really is not a good idea, and could lead to 
additional problems.

Where I am at now, it was done that way (and is in the process of being 
changed) and the DNS entry has the external nic, which then is filtered 
through the firewall, so anyone that tries to ping or manage something by 
name automatically goes to DNS and it fails, because the firewall is doing 
its job.

Even though the other IP address is in WINS, nothing uses WINS by default 
(yes, it's an NT shop, but everyone, keep in mind that I am a router/WAN guy 
wearing a variety of hats).

I've found it to work best when one NIC is used (unless teaming or fault 
tolerance is involved, which is a different discussion) and NAT is used to 
translate to a static external address for you, perhaps hosted on a device 
such as a BIG-IP for load balancing the requests.  When attackers try to 
penetrate, they then have to go through the router, the firewall, and the 
BIG-IP (or some other balancer or other devices you may have in line) 
before finally getting onto your network.

Granted, the BIG-IP doesn't provide much in the way of protection, but it 
does allow for the assignment of virtual IP addresses to the server that 
could be assigned via a static NAT translation on a firewall, which could 
then be permitted through the firewall, via ports such as 80 and 443 if 
that's what those servers are hosting.

This is assuming, of course, your external connection is for the purposes 
of hosting something.  If you are just going to connect to the internet 
for other reasons, I would still suggest using the NAT scenario. 

If anyone can offer a better idea, I am all ears, as I am trying to reduce 
the multi-homing in my environment as much as I can. 


<william () orlitech com au> 
09/18/2003 05:42 PM

To: security-basics () securityfocus com
cc: 
Subject: Access Internal and External Networks

I have a need for some servers to access both the external network and the 
internal network and am wondering which approach would be best:

1. 2 NICs in each server, one connected to the external network and one 
connected to the internal network

2. 1 NIC in each server connected to the internal network and DNAT the 
required ports from the external address to the internal address

Thanks

William
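
As an added example that is not part of either message in this thread: a small shell script that generates an nftables ruleset for option 2 as described above (one NIC on the server, on the internal network; a static external address on the firewall; DNAT of only the published ports). The interface names, the 203.0.113.10 / 192.168.10.20 addresses and the port list are assumed values for illustration; the snat rule gives the server's own outbound traffic the same static external address, as the reply suggests, and the forward chain drops everything that was not explicitly translated.

```shell
#!/bin/sh
# Added example, not from the original thread: emit an nftables ruleset that
# implements "1 NIC in each server ... DNAT the required ports".
# All names and addresses below are assumed for illustration.

EXT_IF=eth0           # assumed: firewall's outside interface
INT_IF=eth1           # assumed: firewall's inside interface
EXT_IP=203.0.113.10   # assumed: static external address published in DNS
INT_IP=192.168.10.20  # assumed: the server's single internal address
ALLOWED_PORTS="80 443" # only the ports the server actually hosts

# port_allowed PORT -> exit 0 if PORT is one of the published service ports
port_allowed() {
    for p in $ALLOWED_PORTS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# gen_ruleset prints the complete ruleset to stdout (pipe into `nft -f -`)
gen_ruleset() {
    cat <<EOF
flush ruleset
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
EOF
    # one DNAT rule per published port; everything else is left untranslated
    for p in $ALLOWED_PORTS; do
        printf '        iif "%s" ip daddr %s tcp dport %s dnat to %s\n' \
            "$EXT_IF" "$EXT_IP" "$p" "$INT_IP"
    done
    cat <<EOF
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # the server's own outbound traffic leaves as the static external address
        oif "$EXT_IF" ip saddr $INT_IP snat to $EXT_IP
    }
}
table ip filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
EOF
    # after DNAT the destination is already the internal address, so the
    # filter matches on INT_IP; only the translated ports get through
    for p in $ALLOWED_PORTS; do
        printf '        iif "%s" oif "%s" ip daddr %s tcp dport %s ct state new accept\n' \
            "$EXT_IF" "$INT_IF" "$INT_IP" "$p"
    done
    cat <<EOF
        iif "$INT_IF" oif "$EXT_IF" ip saddr $INT_IP accept
    }
}
EOF
}

# count_dnat_rules -> number of DNAT rules in the generated ruleset
count_dnat_rules() {
    gen_ruleset | grep -c ' dnat to '
}

gen_ruleset
```

Because the server's only address is the internal one, the DNS problem the reply describes (internal users resolving the name to the external NIC and being stopped by the firewall) is handled by publishing EXT_IP in external DNS and INT_IP in internal DNS, rather than by giving the server a second interface.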

---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------



Current thread: