> -----Original Message-----
> From: Aaron [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 3 August 2000 12:20 AM
> To: [EMAIL PROTECTED]
> Subject: DMZ, NT Browsing, Multi-homed hosting
> 
> 
> Hello All,
> 
> I've looked through the archives and found some answers to some of my 
> questions, however I still have some questions.  

Ha! You mustn't have looked hard enough then! ;) (I'm kidding - at least you
looked)

> First off, 
> we are a web 
> hosting/development company with 8 servers that do most of 
> our hosting and 
> mail etc. I just started working here as a Network Admin and 
> realized that the 
> network is pretty wide open. (They're using NetBEUI still!!!) 

NetBEUI is not a security problem from a WAN point of view (It's not
routable). It is, however, an indication that the previous network admins
were possibly lax - NetBEUI is pretty chatty and not much good for large
LANs.

>  Currently we 
[have our asses in the air]
> 
> The web developers have kept it like this so that they can 
> "browse" in windows 
> to the web server and change sites while they're live.  

Tell them to learn about UNC paths and deal with it.

> I will be 
> setting up a WINS 
> server to take care of that problem

Um...WINS servers don't give you network browsing. WINS servers do resolve
NetBIOS names to IP addresses, which is most of the battle though. Browsing
is done by communication with a "Master Browser". I have had several
problems with WINS servers being set but browsing not working at all -
sometimes you need to use an LMHOSTS file with a master browser entry. Yes,
it sucks. If you can get away with not having browsing, then you'd be much
happier.

> 
> Obviously this setup can't continue.  After browsing this 
> group for a while 
> and reading the archives I've made an initial plan and had 
> some questions:
> 
> Proposed network layout:
> 
> - Setup IP filtering on Router to Internet
> - Behind the router will then be the DMZ (is this correct? 
> Should I setup a 
> firewall behind the router and then the DMZ?)

Usually the area between the external choke point and the internal choke
point is the DMZ. A firewall between the external router and the DMZ
(router--firewall--DMZ--firewall--underbelly) is optional.

> - In the DMZ I will have my Web Servers, Mail Server, DNS, and FTP.
> - Behind the DMZ is the firewall ( I haven't decided which one to use 
> yet...probably FW-1 NT)

Patchy patch patch. 8) Don't run the VPN stuff and don't use FTP through it
(is that right, guys?).

> - This firewall will use NAT to make internal network 
> "invisible" and use 
> 192.168.x.y addresses for internal workstations.
> 
> Now for the Questions:
> 1) How can I set this up so my Developers can still browse 
> with Windows 
> Explorer to a mapped drive on a server in the DMZ?

Drive mapping is done with normal NetBIOS stuff. Set up your firewall rules
right and this will Just Work. You need ports 137, 138 and 139.

> 2) Should the WINS server be on the internal network?  Will 
> WINS help me in 
> this situation?  

Yes, it should. No, it probably won't. If you map the drives via IP address
(in a logon script, for example) then you should have no need to resolve
NetBIOS names at all. You would only need a WINS server if you wanted to be
able to access stuff like //BIGWEB/SOMESITE/ (UNC pathnames).

> 3) My web servers are multi-homed with up to 100 IPs on a 
> single system, will 
> this cause any problems for me?

Yes. You have 100 virtual servers to administer. 8)

> 4) What software would I use as a Bastion Host, I see the 
> term all the time, 
> but are there any commercial (or Free)   software/OS packages 
> that are used 
> for this purpose?

A "Bastion Host" simply means that the host has been hardened such that it
is prepared to come under attack. In essence, it is referring to the degree
to which the box itself has been secured, PRIOR to installing the software
which will be its main function. Your externally accessible WWW/DNS/FTP
servers should be "Bastion Hosts". Stefan Norberg's paper, "Build an NT
Bastion Host in Practice" (from memory) is good, but aimed at WWW servers. I
also posted a procedure for building NT prior to a firewall installation a
while back (which should be archived somewhere).

> 5) What kind of IP filtering rules should be on my router?

How long is a piece of string? Seriously, allow access to the services you
know you're providing and no more. HTTP, FTP, DNS etc etc etc.

> 6) Should I setup a different NT Domain for the servers and 
> one for the 
> internal workstations?  Then Setup a one-way trust relationship?

My _real_ opinion is that the externally visible NT servers shouldn't be in
a domain at all - in fact, I usually rip out all the NetBIOS guts
completely. I doubt you'll be able to get that past your web developers
though. 

I would put them in a different domain altogether and have no trusts. When
you first map a drive it will ask for a password, but then Win9x boxen will
cache that password insecurely in a .pwl file so it's fairly transparent for
lusers.

> 7) Should I be using NAT on the firewall with private IPs 
> inside, or will this 
> not allow me to communicate with the NT servers in the DMZ.

The NT servers in the DMZ will simply see connections for the NAT'ed IP
address. The connectivity shouldn't be an issue. Be aware that some
implementations of NAT break NetBIOS stuff - I'd confirm that the firewall
vendor you choose doesn't have this problem.

> 8) Is there anything else I should be concerned about or 
> address when setting 
> up my security system?  (aside from the obvious ones)

Yes - You're running NT servers with (presumably) IIS as your business
platform.

> 
> Thanks for your help!

That's what we're here for...

> 
> Aaron Rothschild
> 

Cheers,

--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
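An added example, not part of the thread, showing the allow-list policy the reply argues for (publish only HTTP, FTP, SMTP and DNS to the DMZ, let NetBIOS ports 137-139 reach the DMZ from the internal 192.168.x.y network only, deny everything else) as a small first-match rule evaluator, plus an audit check for the mistake of widening the NetBIOS rule to the whole Internet. The DMZ range 203.0.113.0/24 and the test addresses are constructed.

```python
"""Toy first-match packet-filter evaluator for the layout discussed above
(Internet -> router -> DMZ -> firewall -> internal 192.168.x.y). Added example."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Rule(NamedTuple):
    action: str     # "allow" or "deny"
    src: str        # source CIDR
    dst: str        # destination CIDR
    proto: str      # "tcp", "udp" or "any"
    ports: range    # destination ports matched

ANY_PORT = range(0, 65536)
ANYWHERE = "0.0.0.0/0"
DMZ = "203.0.113.0/24"        # constructed (documentation) range for the DMZ
INTERNAL = "192.168.0.0/16"   # private range behind the NAT firewall
NETBIOS = range(137, 140)     # 137 name, 138 datagram, 139 session (drive mapping)

# Policy in the spirit of the reply: publish only the services you know you
# provide, let NetBIOS reach the DMZ from the inside only, deny the rest.
POLICY = [
    Rule("allow", INTERNAL, DMZ, "any", NETBIOS),         # developers' mapped drives
    Rule("allow", ANYWHERE, DMZ, "tcp", range(80, 81)),    # HTTP
    Rule("allow", ANYWHERE, DMZ, "tcp", range(21, 22)),    # FTP control channel
    Rule("allow", ANYWHERE, DMZ, "tcp", range(25, 26)),    # SMTP to the mail server
    Rule("allow", ANYWHERE, DMZ, "any", range(53, 54)),    # DNS (udp queries, tcp transfers)
    Rule("deny",  ANYWHERE, ANYWHERE, "any", ANY_PORT),    # explicit default deny
]

def matches(rule, src_ip, dst_ip, proto, dport):
    return (ip_address(src_ip) in ip_network(rule.src)
            and ip_address(dst_ip) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and dport in rule.ports)

def decide(src_ip, dst_ip, proto, dport, policy=POLICY):
    """First matching rule wins; returns (action, index of the rule that matched)."""
    for i, rule in enumerate(policy):
        if matches(rule, src_ip, dst_ip, proto, dport):
            return rule.action, i
    return "deny", None          # nothing matched: treat as denied anyway

def netbios_exposed(policy):
    """Indices of allow rules admitting NetBIOS ports from a source wider than INTERNAL."""
    inside = ip_network(INTERNAL)
    return [i for i, r in enumerate(policy)
            if r.action == "allow" and not ip_network(r.src).subnet_of(inside)
            and any(p in r.ports for p in NETBIOS)]
```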
