Aaron,
I previously worked at a web development company and this is what I set up.

    router ------------- fw --------------- internal network
                          |
                          |
                         DMZ
                       webserver

The Checkpoint firewall dropped all incoming traffic except that bound for the web server in the DMZ. This server had an internal and external address but was on a different subnet. The developers, if required, were able to map a drive to this server using the internal address.

Personally, unless there is a reason for external access to this server, I would be putting a development server on the internal network so that they can access it using Explorer or IE.

The idea of a DMZ is to put things that need to be accessed but not to sacrifice them to the world, so I would be putting the DMZ off the firewall so that you only allow particular protocols through, such as HTTP. The mail server I would put internally, but that is a personal thing.

Bastion host: install an application level firewall and you should be right.

With the domains, I see nothing wrong with putting them all on one domain then set up access groups.

I would be putting the WINS internally and the DNS internally.
John Taylor
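To make the "drop everything inbound except what is bound for the DMZ web server" policy in John's reply concrete, here is an added example (not from either poster) that models a first-match packet filter for that three-legged layout. The addresses are constructed (TEST-NET-3 for the DMZ, RFC 1918 for the internal LAN), the interface names ext/dmz/int are assumptions, and the developers' drive-mapping access from the inside is modelled as NetBIOS session traffic on TCP 139, which is the compromise John describes rather than his preferred option of keeping the development server internal.

```python
"""
Toy first-match packet filter for a router -- firewall -- internal network
layout with the DMZ hanging off the firewall.  Added example; the rule set
and addresses are constructed for illustration, not taken from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    dst: str        # destination IP
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    in_if: str      # arriving interface: "ext" (router), "dmz" or "int"


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "drop"
    in_if: Optional[str] = None     # None means "any"
    src: Optional[str] = None       # CIDR, None means "any"
    dst: Optional[str] = None       # CIDR, None means "any"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """True when every field that is set on the rule matches the packet."""
        if self.in_if is not None and self.in_if != p.in_if:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


# Constructed addresses: DMZ on TEST-NET-3, internal LAN on RFC 1918 space.
DMZ_NET = "203.0.113.0/24"
DMZ_WEB = "203.0.113.10/32"       # the single exposed web server
INTERNAL_NET = "192.168.1.0/24"

# First match wins; the last rule makes the policy default-deny.
POLICY: List[Rule] = [
    # Anti-spoofing: internal addresses must never arrive on the outside leg.
    Rule("drop", in_if="ext", src=INTERNAL_NET),
    # The only service offered to the Internet: HTTP on the DMZ web server.
    Rule("accept", in_if="ext", dst=DMZ_WEB, proto="tcp", dport=80),
    # Developers mapping a drive to the web server from the internal LAN.
    Rule("accept", in_if="int", src=INTERNAL_NET, dst=DMZ_WEB, proto="tcp", dport=139),
    # Internal workstations browsing out to the Internet.
    Rule("accept", in_if="int", src=INTERNAL_NET, proto="tcp", dport=80),
    # Everything else, including any Internet traffic aimed at the LAN, is dropped.
    Rule("drop"),
]


def decide(p: Packet, policy: List[Rule] = POLICY) -> str:
    """Return the action of the first matching rule; drop if nothing matches."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "drop"


def exposed_from_internet(policy: List[Rule] = POLICY) -> List[tuple]:
    """List (dst, proto, dport) tuples the policy accepts from the outside leg.

    A quick audit helper: anything in this list is what the world can reach.
    """
    return [(r.dst, r.proto, r.dport) for r in policy
            if r.action == "accept" and r.in_if == "ext"]


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 80, "ext"),    # web visitor
        Packet("198.51.100.7", "203.0.113.10", "tcp", 139, "ext"),   # SMB from outside
        Packet("192.168.1.5", "203.0.113.10", "tcp", 80, "ext"),     # spoofed source
        Packet("192.168.1.20", "203.0.113.10", "tcp", 139, "int"),   # developer drive map
        Packet("192.168.1.20", "198.51.100.9", "tcp", 80, "int"),    # outbound browsing
        Packet("198.51.100.7", "192.168.1.20", "tcp", 80, "ext"),    # Internet -> LAN
    ]
    for pkt in samples:
        print(f"{pkt.in_if:>3} {pkt.src:>15} -> {pkt.dst:>15} "
              f"{pkt.proto}/{pkt.dport}: {decide(pkt)}")
    print("exposed:", exposed_from_internet())
```

The point of the `exposed_from_internet` helper is the review step John implies: after writing the rules, list what the outside interface actually accepts and confirm it is only the DMZ web server on HTTP. Adding mail, DNS or FTP to the DMZ means adding exactly one accept rule per service, each of which should show up in that audit.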
From: Aaron <[EMAIL PROTECTED]> on 08/03/2000 12:49 AM
To: [EMAIL PROTECTED]@SMTP@Aus Exchange
cc:
Subject: DMZ, NT Browsing, Multi-homed hosting
Hello All,

I've looked through the archives and found some answers to some of my questions, however I still have some questions. First off, we are a web hosting/development company with 8 servers that do most of our hosting and mail etc. I just started working here as a Network Admin and realized that the network is pretty wide open. (They're using NetBEUI still!!!) Currently we have no firewall set up and all workstations and servers are "visible" with global IP addresses. All the servers are running WinNT 4, with one NT Domain for Workstations and Servers. We have a router set up but currently there is no filtering on it. We have two subnets: one full Class C, and one subnetted Class C.

The web developers have kept it like this so that they can "browse" in Windows to the web server and change sites while they're live. (This is why they need NetBEUI, as it broadcasts and the computers show up in Network Neighbourhood even if they have different IP net addresses.) I will be setting up a WINS server to take care of that problem, and then remove NetBEUI as a protocol from the network.

Obviously this setup can't continue. After browsing this group for a while and reading the archives I've made an initial plan and had some questions:

Proposed network layout:
- Set up IP filtering on the router to the Internet
- Behind the router will then be the DMZ (is this correct? Should I set up a firewall behind the router and then the DMZ?)
- In the DMZ I will have my Web Servers, Mail Server, DNS, and FTP.
- Behind the DMZ is the firewall (I haven't decided which one to use yet...probably FW-1 NT)
- This firewall will use NAT to make the internal network "invisible" and use 192.168.x.y addresses for internal workstations.

Now for the Questions:
1) How can I set this up so my Developers can still browse with Windows Explorer to a mapped drive on a server in the DMZ?
2) Should the WINS server be on the internal network? Will WINS help me in this situation?
3) My web servers are multi-homed with up to 100 IPs on a single system; will this cause any problems for me?
4) What software would I use as a Bastion Host? I see the term all the time, but are there any commercial (or free) software/OS packages that are used for this purpose?
5) What kind of IP filtering rules should be on my router?
6) Should I set up a different NT Domain for the servers and one for the internal workstations? Then set up a one-way trust relationship?
7) Should I be using NAT on the firewall with private IPs inside, or will this not allow me to communicate with the NT servers in the DMZ?
8) Is there anything else I should be concerned about or address when setting up my security system? (aside from the obvious ones)

Thanks for your help!

Aaron Rothschild
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]