Security Basics mailing list archives

Re: risk attaching dsl modems to office network?


From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Wed, 14 Jul 2010 09:22:42 +0200

On 2010-07-12 Andy Colson wrote:
> We host a few websites, but where we are located we cannot get really
> big pipes without spending lots of $$$.  So we have three dsl lines
> with an "enterprise" plan that lets us host from them.  Each has a
> different outside IP address, and the inside ip is 192.168.0.1.
>
> Our current setup has the dsl modem plugged into the web server, and
> the web server has two nics.  One on 192.168.0. (the dsl) and on
> 192.168.10. (the office).  The 10. line is, obviously, plugged into
> the office switches.
>
> So it looks like:
>
> internet
> |
> |
> V
> dsl modem
> |
> |
> V
> web server ---> switches -->> office

In this setup your web server is an exposed host. In
which case the web server should be hardened and monitored rather
closely, unless you mean to ask for trouble.

> This all works ok, but to add a reverse proxy, and some monitoring,
> I'd like to plug the dsl modems into the switches.  I can give each
> dsl modem a different internal ip (192.168.0.1, 192.168.0.2 and
> 192.168.0.3) and dmz them to a new computer at 192.168.0.42.
>
> New layout:
> internet
> |
> |
> V
> dsl modem
> |
> |
> V
> switches -->> office (.10.)
> |
> |
> V
> proxy/load balancer (.0.) --->web1
> |
> |
> V
> web2
>
> My worry here, and my question for you, is: am I opening myself to
> "bad things" if I plug my dsl modems into my office switches?

You already opened yourself up to bad things when you placed a publicly
accessible host in the same physical network as your LAN hosts.

What you really want is a setup like this:

  Internet
     |
  DSL Modem
     |
   Router -- Office LAN (192.168.10.0/24)
     | 
Load Balancer     \
  |      |        |- DMZ (192.168.0.0/24)
 web1   web2      /

> Will a resourceful hacker be able to see my 10.* traffic?

Anyone who is able to compromise your web server will gain immediate
access to your internal network.

> The dsl modems have both NAT and DMZ, I'm thinking of using DMZ and
> putting iptables on the proxy box.  Would you think that would be
> safer than using NAT?

Yes. NAT is not a security technology, and never will be, because it was
not intended to be one in the first place.

> (The dsl modem has firewall and NAT (well, it's port forwarding, I'm
> not sure if that's NAT)).  DMZ or NAT will only go to one IP, 0.42.

Hm... according to this you don't have a DSL modem, but a DSL router, so
you can probably go with a setup like this:

  Internet
     |
 DSL Router -- Office LAN (192.168.10.0/24)
     | 
Load Balancer     \
  |      |        |- DMZ (192.168.0.0/24)
 web1   web2      /


Make sure that

- the DSL router does have firewall capabilities,
- the firewall is enabled and properly configured,
- the firewall logs are monitored,
- the router firmware is kept up to date.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
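As an added illustration of the "DMZ host plus iptables on the proxy box" approach discussed in this thread (this is example code, not Ansgar's or Andy's configuration), the script below generates an iptables-restore ruleset for the proxy/load balancer at 192.168.0.42. The DMZ (192.168.0.0/24) and office (192.168.10.0/24) networks are the ones named in the thread; the backend addresses for web1/web2 and the single office host allowed to SSH in are assumptions. The point it demonstrates is the one the reply makes: the publicly reachable box accepts only the web ports, never forwards between segments, and cannot open connections into the office LAN, with denied traffic logged so the firewall logs can actually be monitored.

```shell
#!/bin/sh
# Constructed example: host firewall for the reverse proxy / load balancer
# that the DSL routers "DMZ" traffic to. Networks are from the thread; the
# backend and admin addresses are assumptions for the sake of the example.
set -eu

DMZ_NET="192.168.0.0/24"                  # DSL routers, proxy, web1/web2
OFFICE_NET="192.168.10.0/24"              # office LAN
WEB_BACKENDS="192.168.0.10 192.168.0.11"  # assumed addresses of web1 and web2
ADMIN_HOST="192.168.10.5"                 # assumed office host allowed to SSH in

# Emit an iptables-restore file on stdout.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback and replies to connections this host already accepted.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Public web traffic forwarded by the DSL routers' "DMZ host" feature.
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Management from exactly one office host; nothing else from the office LAN.
-A INPUT -p tcp -s $ADMIN_HOST --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s $OFFICE_NET -m limit --limit 5/min -j LOG --log-prefix "proxy-office-denied: "
-A INPUT -s $OFFICE_NET -j DROP
# Anything else falls through to the INPUT DROP policy; log a sample first.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "proxy-input-denied: "
# This box is a proxy, not a router: never forward packets between segments.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "proxy-forward-denied: "
# Outbound: replies, backend HTTP and DNS only; never into the office LAN.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d $OFFICE_NET -m limit --limit 5/min -j LOG --log-prefix "proxy-to-office-denied: "
-A OUTPUT -d $OFFICE_NET -j DROP
EOF
    for backend in $WEB_BACKENDS; do
        echo "-A OUTPUT -d $backend -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check: number of explicit DROP rules aimed at the office LAN
# (one inbound, one outbound).
office_drop_count() {
    gen_rules | grep -c -- "$OFFICE_NET -j DROP"
}

# Usage: sh proxy-fw.sh > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
gen_rules
```

Load it with iptables-restore rather than a sequence of iptables commands so the whole policy is applied atomically, and review the `proxy-*-denied` log prefixes on the proxy box as part of the log monitoring Ansgar recommends. Note that a DROP policy on OUTPUT means any new service on the proxy (NTP, package updates) needs its own ACCEPT rule; that is deliberate, since a compromised proxy should not be able to reach arbitrary hosts.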
