I read several threads about the best way to set up Internet services such as HTTP and FTP so that external users can access them. From past experience I've learned that the best way, resources permitting, is to create a DMZ off a border router or firewall that uses NAT and private address spaces. This scenario keeps inbound connections off your local network where they don't belong. Even if the server were to get compromised by an intruder, they'd have nowhere to go.

Here's what we did: Excluding the firewall and IDS systems that were in place, we had a T1 (Internet connection) connected to a border router. The T1 connected to Serial0/0 and had minimal filters assigned to limit the types of traffic allowed into the network. We then set up a DMZ off FastEthernet0/0 with proper access control lists to allow only established connections to leave the DMZ, and then had our internal network off FastEthernet0/1. The DMZ was configured with a private address space (192.168.1.x) using NAT to map to the services.

Ideally you should triple-check all servers sitting in the DMZ to verify that they are completely locked down. We ran NMAP and other tools to check what ports were open for connections. We also ran server tools (such as Tripwire) to keep tabs on changed files. As you can see, securing the network is only the first step; making sure the servers are locked down is just as important. We found that writing an SOP (standard operating procedure) and sticking to it for hardening the servers helped.

David Ishmael, CCNA, IVCP
Senior Network Management Engineer
Windward Consulting Group, Inc.
Phone: (703) 283-7564
Pager: (888) 910-7094
eFax: (425) 969-4707
Fax: (703) 351-9428
mailto:[EMAIL PROTECTED]
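A sketch of the router side of the layout described in the post above, written as an added example rather than the poster's own configuration. The interface names follow the post; the addresses (203.0.113.0/24 outside, 192.168.1.0/24 DMZ, 10.0.0.0/24 inside), the single published web server at 192.168.1.10 and the ACL names are assumptions.

```cisco
! Constructed example (IOS syntax), not the original poster's configuration.
! Outside 203.0.113.0/24, DMZ 192.168.1.0/24, inside 10.0.0.0/24 are assumed.
interface Serial0/0
 description Internet (T1)
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/0
 description DMZ
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip access-group DMZ-IN in
!
interface FastEthernet0/1
 description Internal LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Map only the published service port to the DMZ host, not the whole host.
ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80
!
! From the Internet: new connections only to the published service, plus
! replies to sessions opened from inside. Everything else is dropped and logged.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any any established
 deny   ip any any log
!
! From the DMZ: only packets that belong to an existing TCP session (ACK or
! RST set), i.e. the server's replies. A compromised DMZ host cannot open new
! connections to the LAN or out to the Internet; attempts toward the LAN get
! their own log line so they stand out from ordinary drops.
ip access-list extended DMZ-IN
 permit tcp 192.168.1.0 0.0.0.255 any established
 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 log
 deny   ip any any log
```

Note that the `established` keyword only tests the TCP ACK/RST bits; it is a flag filter, not connection tracking, which is one reason to keep a stateful firewall and IDS in the path as the post describes. `show access-lists` shows per-entry hit counters, so the logged deny lines give a quick check that nothing in the DMZ is trying to originate traffic.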
