Security Basics mailing list archives

RE: Network redesign


From: "Tony Reusser" <treusser () filertel com>
Date: Fri, 17 Aug 2007 14:12:05 -0600

In general, any resource that needs to be accessed from the Internet should
be on your DMZ.  If you have a database that the public needs to see, then
set up a secure replication process from your SQL server on your
inside/secure network, through the firewall to a duplicate database on the
public server on the DMZ.  If you have an internal box where needs change,
then PHYSICALLY MOVE it to your DMZ segment.  You need to tell your boss
this is what you are doing, no ifs, ands or buts.  You should have the
"say-so" as far as network security is concerned.  Under no circumstances
should any outside resource be allowed to initiate unsolicited connections
into your secure area.  Only allow incoming traffic via VPN and only when
you know EXACTLY who it is and what they are doing.

This is just a very general overview of "best practices."  Your network is
unique and you will have to deal with legacy issues like all of us in the
real world do.

www.sans.org is a good security-oriented website.  The emphasis is on
security training, but they have good articles and references on industry
standards and best practices.

I hope this helps.

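The zone policy Tony describes (Internet may only reach published services in the DMZ, replication is pushed from the inside SQL server out to its DMZ copy, nothing from the Internet or the DMZ initiates connections into the secure network, and remote users come in only over VPN) can be written down as an explicit allow list and checked against connection attempts. The following is an added example, not code from the original post or from either poster; the zone names, port numbers and the sample flow log are constructed for illustration.

```python
"""Zone-based firewall policy modelled on the DMZ advice in the reply above.

Added example (not from the mailing list post). Zone names, ports and the
flow log below are constructed; adapt them to the real segments.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTERNET, DMZ, INSIDE, VPN = "internet", "dmz", "inside", "vpn"


@dataclass(frozen=True)
class Rule:
    src: str              # zone that INITIATES the connection
    dst: str              # zone that receives it
    dport: Optional[int]  # None = any destination port
    note: str


# First match wins; anything that matches nothing is dropped (default deny).
POLICY: List[Rule] = [
    # Public services live in the DMZ and are the only thing the Internet may reach.
    Rule(INTERNET, DMZ, 80, "public web"),
    Rule(INTERNET, DMZ, 443, "public web (TLS)"),
    # Replication is pushed from the inside SQL server to its DMZ copy:
    # the inside host initiates, the DMZ host never opens a connection inward.
    Rule(INSIDE, DMZ, 1433, "sql replication push to public copy"),
    # Remote users come in only over the VPN, and only to what they need
    # (here the terminal server); identity is established by the VPN itself.
    Rule(VPN, INSIDE, 3389, "remote desktop over vpn"),
    # Inside users may browse out.
    Rule(INSIDE, INTERNET, None, "outbound from inside"),
]


def decide(src_zone: str, dst_zone: str, dport: int) -> Tuple[bool, str]:
    """Return (allowed, reason) for a new connection from src_zone to dst_zone."""
    for r in POLICY:
        if r.src == src_zone and r.dst == dst_zone and (r.dport is None or r.dport == dport):
            return True, r.note
    return False, "default deny"


# Constructed flow log: one connection attempt (initial SYN) per line,
# "src_zone dst_zone dport".
SAMPLE_FLOWS = """\
internet dmz 443
internet inside 1433
dmz inside 1433
inside dmz 1433
vpn inside 3389
internet inside 3389
"""


def audit(flow_log: str) -> List[Dict]:
    """Evaluate every attempt in the log against POLICY."""
    results = []
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        ok, why = decide(src, dst, int(port))
        results.append({"src": src, "dst": dst, "dport": int(port),
                        "allowed": ok, "reason": why})
    return results


def violations(flow_log: str) -> List[Dict]:
    """Attempts the policy drops. Anything initiated from the Internet or the
    DMZ toward the inside zone is exactly the traffic worth alerting on."""
    return [r for r in audit(flow_log) if not r["allowed"]]


if __name__ == "__main__":
    for r in audit(SAMPLE_FLOWS):
        verdict = "ALLOW" if r["allowed"] else "DROP "
        print(f"{r['src']:>8} -> {r['dst']:<8} :{r['dport']:<5} {verdict} ({r['reason']})")
```

The point of writing the policy as an ordered allow list with a default deny is that the "boss wants this internal server reachable from outside" case has no rule to match: the only way to publish it is to add an explicit Internet-to-DMZ rule, which forces the box to be moved into the DMZ first, as the reply recommends.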

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Alex
Sent: Friday, August 17, 2007 10:51 AM
To: security-basics () securityfocus com
Subject: Network redesign

Hello list,

The company I work for is going for a major network redesign. We're moving
from a single, large and hard to manage network (don't ask why it came
to that...) to multiple VLANs. The network consists of about 2000 PCs
and 30 servers (including Apache, Exchange, MySQL and MS SQL, terminal
services and so on). Since this is gonna be a lot of work to be done
(and not gonna be done a second time) we're spending a lot of time on
designing.

Now to the point.
* There is the rule of thumb saying "Don't let connections go out of the
DMZ", but what about the SQL server that needs to be accessed from a web
server in a DMZ? Do we put it in the same DMZ, in another one or maybe in a
VLAN in the main network?
* What happens when the boss comes in and says "We need this private web
or terminal server in this VLAN to be accessed from the outside"?
* Where is the best place to put our internal network and/or host IDS,
security scanner and the like (nothing like that exists right now :/ )

In a few words, how do we design our VLANs and DMZ for increasing
security but maintaining some flexibility too? What would your ideal
network be like, concerning these issues?

Any tips, sources and reading material in general are most welcome.
Thanx in advance.


Cheers, Alex.
