Advice needed for network planning (Firewall, Proxy, DNS, DHCP, SMB, FTP, HTTP, SSH, VPN)


Post by Tom » Sun, 23 Sep 2007 20:15:53



Hello folks!

I am administering a small Network with some Linux boxes as servers and some
Windows based clients.
Now I am thinking about expanding this network with some additional
features.
The purpose of my thread is to get some advice from you guys on how you would
set this whole thing up, concerning the architecture of the network.

************
For the moment the network looks like this:

1. Linux box with 2 NICs:
    - Firewalling between NIC1 (Internet Modem) and NIC2 (LAN)
    - DNS
    - DHCP

2. Linux box:
    - Samba, being the fileserver for the network as well as the PDC and
WINS

3.-7.: Windows clients
************

Now my situation is the following:
- I want to add the following servers:
    - FTP
    - HTTP
    - VPN having access to the windows domain of samba
    - Proxy
- I have 2 further PCs at my disposal (ranging from 400MHz to 850MHz)

My question is how I should design this network to make the most sense in
terms of security and network logic. For instance, a question would be if I
can set up the Proxy on the same box as the firewall with its two NICs, or
if I should move it to a separate PC also having 2 NICs, and connect its
NIC1 to the firewall and its NIC2 to the LAN.

For instance: Does it make sense to do the following:

DSL----(NIC1)[Linux1 being Firewall](NIC2)----(Nic1)[Linux2 being
Proxy](Nic2)----LAN
on the LAN-Switch connected:
- Linux3 being: HTTP, FTP, DNS, DHCP
- Linux4 being: SMB PDC
- 5 Win clients

or is that much too complicated and overkill?
How would you design the network with the given hardware?
Where would you place the VPN server, which should have access to the shares
on the SMB fileserver?
Could I still pass via SSH from the Internet to the Linux boxes everywhere?

Thanks for any idea
Tom


Post by Tom » Sun, 23 Sep 2007 20:59:20


P.S.:

I would also love to get some hints on the following:

- How to plan the network concerning having a DMZ
- Do you know any good sites with images of network topologies, for
example: http://www.linuxnetmag.com/de/issue7/m7smoothwall1.html
- Do you know any good out-of-the-box solutions such as Smoothwall, in terms of a
Linux solution that comes with all the tools needed?

Thanx
Tom


Post by David Brow » Mon, 24 Sep 2007 08:24:13



> Hello folks!

> I am administering a small Network with some Linux boxes as servers and
> some Windows based clients.
> Now I am thinking about expanding this network with some additional
> features.
> The purpose of my thread is, to get some advice of you guys on how you
> would set this whole thing up, concerning the architecture of the network.

> ************
> For the moment the network looks like this:

> 1. Linux box with 2 NICs:
>    - Firewalling between NIC1 (Internet Modem) and NIC2 (LAN)
>    - DNS
>    - DHCP

> 2. Linux box:
>    - Samba, being the fileserver for the network as well as the PDC and
> WINS

> 3.-7.: Windows clients
> ************

> Now my situation is the following:
> - I want to add the following servers:
>    - FTP
>    - HTTP
>    - VPN having access to the windows domain of samba
>    - Proxy
> - I have 2 further PCs at my disposal (ranging from 400MHz to 850MHz)

> My question is, on how I should design this network to make most sense
> in terms of security and network logic. For instance a question would be
> if I can set up the Proxy on the same box as the firewall with its two
> NICs, or if I should move it to a separate PC also having 2 NICs, and
> connect its NIC1 to the firewall and its NIC2 to the LAN.

> For instance: Does it make sense to do the following:

> DSL----(NIC1)[Linux1 being Firewall](NIC2)----(Nic1)[Linux2 being
> Proxy](Nic2)----LAN
> on the LAN-Switch connected:
> - Linux3 being: HTTP, FTP, DNS, DHCP
> - Linux4 being: SMB PDC
> - 5 Win clients

> or is that much too complicated and overkill?
> How would you design the network with the given hardware?
> Where would you place the VPN server, which should have access to the
> shares on the SMB fileserver?
> Could I still pass via SSH from the Internet to the Linux boxes everywhere?

> Thanks for any idea
> Tom

One thing to consider is to use virtual servers, especially a
light-weight virtualisation solution like openvz or linux-vserver.  I've
got a machine at the office with openvz - using a simple script, I can
set up a new machine with a minimal debian installation (32-bit or
64-bit - they can be mixed as long as the host is 64-bit) in a couple of
minutes.  If I decide I've made a mess of the setup of a particular
service, it's only another couple of minutes to delete the virtual
server and start again.

Keeping things in virtual servers has three big advantages that I see.
One is security - you keep your services separate, and any break-in on
your http server (for example) does not affect your other servers.
Since the openvz guests don't have any valid login users (even root can
be locked - you can enter the guest from the host), they are more
difficult to exploit.  Secondly, you have scalability advantages - you
make good use of a modern server PC, and when it starts to get
stretched, you can migrate some of the virtual servers onto a new
machine.  The third big advantage I see is that with services running on
separate virtual machine, each virtual machine is kept much simpler and
cleaner, and can be updated separately.  If one service requires Python
2.4 or above, and another won't work with anything newer than Python
2.3, you've got no conflicts when they are on different virtual servers.

mvh.,

David


Post by Tom » Wed, 26 Sep 2007 23:06:26


Ok, I have found a very nice turn-key solution. It is a Linux
Routing/Firewalling/Gateway security distribution, supporting the
installation of a DMZ and wireless hotspots.
For anybody who is interested in something like that:
http://en.wikipedia.org/wiki/Endian_Firewall

Now what remains is a solution for the remaining services such as SMB, FTP, HTTP.
I might set up an openSUSE or Kubuntu for that and administer the services
via Webmin. Alternatively, I have found this: http://www.eisfair.org/

Many greetings

tomakos


Post by MoMul » Sat, 29 Sep 2007 23:35:36



> Hello folks!

> I am administering a small Network with some Linux boxes as servers and some
> Windows based clients.
> Now I am thinking about expanding this network with some additional
> features.
> The purpose of my thread is, to get some advice of you guys on how you would
> set this whole thing up, concerning the architecture of the network.

> ************
> For the moment the network looks like this:

> 1. Linux box with 2 NICs:
>     - Firewalling between NIC1 (Internet Modem) and NIC2 (LAN)
>     - DNS
>     - DHCP

> 2. Linux box:
>     - Samba, being the fileserver for the network as well as the PDC and
> WINS

> 3.-7.: Windows clients
> ************

> Now my situation is the following:
> - I want to add the following servers:
>     - FTP
>     - HTTP
>     - VPN having access to the windows domain of samba
>     - Proxy
> - I have 2 further PCs at my disposal (ranging from 400MHz to 850MHz)

> My question is, on how I should design this network to make most sense in
> terms of security and network logic. For instance a question would be if I
> can set up the Proxy on the same box as the firewall with its two NICs, or
> if I should move it to a separate PC also having 2 NICs, and connect its
> NIC1 to the firewall and its NIC2 to the LAN.

> For instance: Does it make sense to do the following:

> DSL----(NIC1)[Linux1 being Firewall](NIC2)----(Nic1)[Linux2 being
> Proxy](Nic2)----LAN
> on the LAN-Switch connected:
> - Linux3 being: HTTP, FTP, DNS, DHCP
> - Linux4 being: SMB PDC
> - 5 Win clients

> or is that much too complicated and overkill?
> How would you design the network with the given hardware?
> Where would you place the VPN server, which should have access to the shares
> on the SMB fileserver?
> Could I still pass via SSH from the Internet to the Linux boxes everywhere?

> Thanks for any idea
> Tom

On Linux 1 box set up the additional servers = VPN and Proxy

On Linux 2 box set up the additional servers = ftp http

My setups generally go like this:

1) Install Mandriva on Linux 1 box.  Set up shorewall(firewall),
squidproxy(proxy), OpenVPN(VPN).
2) Install Mandriva on Linux 2 box.  Set up apache(http), proftp(ftp).

Heck, you could use a third Linux 3 box if you wanted, strictly for
SAMBA (Windows authentication and file sharing).

There have been times when I installed the following servers on a
single Linux box: ftp, http, vpn, firewall, email, proxy, and VoIP
(maximum of 6 simultaneous users).  The machine was piecemeal with a
rather small hdd and slow processor with 512RAM.  The system supported
roughly 30+ users with no complications or degradation - so long as I
remembered to clear out the logs and squid cache from time to time.
It really comes down to what you want to "try out" for learning
purposes...

Your plans are quite commendable - good luck!

Deion "Mule" Christopher


Post by Tom » Mon, 01 Oct 2007 02:32:05


Hello Deion!

> 1) Install Mandriva on Linux 1 box.  Set up shorewall(firewall),
> squidproxy(proxy), OpenVPN(VPN).
> 2) Install Mandriva on Linux 2 box.  Set up apache(http), proftp(ftp).

> Heck, you could use a third Linux 3 box if you wanted, strictly for
> SAMBA (Windows authentication and file sharing).

Thank you for your reply!

I finished my installations today, and am very happy that my
configuration actually matches the one you advised almost 100%. So I assume that
I have done the right thing!
I chose the 3-box config.

Thank you for your advice!

Greetings
tom
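The 3-box layout the thread settles on (box 1: firewall, Squid, OpenVPN; box 2: Apache and proftpd in a DMZ; box 3: Samba on the LAN) expressed as an iptables policy for box 1. This is an added example, not code from any poster or from the distributions named; it assumes a third NIC for the DMZ, constructed addresses for the web and Samba boxes, OpenVPN on tun0, and the standard ports for Squid (3128) and OpenVPN (1194/udp). It runs as a dry run that prints the rules; set IPT=iptables as root to apply them.

```shell
#!/bin/sh
# Added example: iptables policy for the firewall/proxy/VPN box (box 1).
# Interface names, networks and host addresses below are assumptions.
WAN=${WAN:-eth0}; LAN=${LAN:-eth1}; DMZ=${DMZ:-eth2}; VPN=${VPN:-tun0}
LAN_NET=192.168.1.0/24; DMZ_NET=192.168.2.0/24; VPN_NET=10.8.0.0/24
SMB_BOX=192.168.1.20   # constructed: box 3, Samba PDC/fileserver on the LAN
WEB_BOX=192.168.2.10   # constructed: box 2, Apache + proftpd in the DMZ
IPT=${IPT:-"echo iptables"}   # dry run by default; IPT=iptables to apply

build_rules() {
    # Default deny for traffic to and through the firewall; explicit holes only.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Services on box 1 itself: SSH from anywhere (the only box reachable
    # by SSH from the Internet), OpenVPN from the WAN, Squid only from the
    # LAN, DNS/DHCP from LAN and DMZ.
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i $WAN -p udp --dport 1194 -j ACCEPT
    $IPT -A INPUT -i $LAN -p tcp --dport 3128 -j ACCEPT
    $IPT -A INPUT -i $LAN -p udp -m multiport --dports 53,67 -j ACCEPT
    $IPT -A INPUT -i $DMZ -p udp --dport 53 -j ACCEPT
    # Internet -> DMZ: only HTTP/FTP to the web box (DNAT + forward). The DMZ
    # may reach the Internet but never start connections into the LAN, so a
    # compromised web or FTP server cannot reach the Samba PDC.
    $IPT -t nat -A PREROUTING -i $WAN -p tcp -m multiport --dports 21,80 \
         -j DNAT --to-destination $WEB_BOX
    $IPT -A FORWARD -i $WAN -o $DMZ -d $WEB_BOX -p tcp -m multiport --dports 21,80 -j ACCEPT
    $IPT -A FORWARD -i $DMZ -o $WAN -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $DMZ -j ACCEPT
    $IPT -A FORWARD -i $DMZ -o $LAN -j DROP
    # LAN -> Internet: web traffic must go through Squid (no direct port 80);
    # everything else from the LAN is masqueraded.
    $IPT -A FORWARD -i $LAN -o $WAN -p tcp --dport 80 -j REJECT
    $IPT -A FORWARD -i $LAN -o $WAN -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
    # VPN clients reach the Samba box (SMB/NetBIOS) and nothing else on the LAN.
    $IPT -A FORWARD -i $VPN -o $LAN -d $SMB_BOX -p tcp -m multiport --dports 139,445 -j ACCEPT
    $IPT -A FORWARD -i $VPN -o $LAN -d $SMB_BOX -p udp -m multiport --dports 137,138 -j ACCEPT
    $IPT -A FORWARD -i $VPN -o $LAN -j DROP
}

build_rules
```

For FTP through the DNAT the kernel's FTP connection-tracking helpers (nf_conntrack_ftp and nf_nat_ftp) must be loaded, otherwise data connections will fail.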


ftp client proxy ms proxy firewall http proxy unix

for a unix ftp client that works through MS proxies, even with NTLM
authentication, go to this link...
  http://unix.about.com/cs/appsftp/
on the link above, 'curl' and 'lftp' seem to be the best two I've ever
used, but be warned that curl will require openssl libraries as well
as zlib libraries.

you might also get errors with ld.so.1 or something such as this...
    ld.so.1: fatal
    No such file or directory
    ImportError: ld.so.1
if you get this kind of error, then search groups.google.com for my
explanation on this kind of nasty error which has fooled/beaten many a
rookie.

for NTLM authentication (MS Proxy Firewall or MS ISA Firewall), get on
www.sourceforge.net and look for 'NTLM Proxy Authentication' and then
find a program called (I think the program is called 'aps', it's
written by Dmitry Rozmanov), download it and configure it for your MS
Proxy/ISA Firewall. It might require the Python interpreter; download
the Python interpreter if you DON'T already have it. Be patient,
everything will eventually work for you once you've read all the
manuals.
___________________________________________
Moses Motlhale - Solutions Architect
24th Century Solutions, South Africa.
