Firewall recommendations/advice - Would this work?

Post by Erick Thomps » Sat, 10 Jul 1999 04:00:00



Hello,

        I'm currently running a linux 2.0 box doing IP_masq to allow the
internal network to access the internet. Everything works great, I have
30 people going through a 386sx/16. However, we are now adding a new
website that requires access to a MS SQL server running on NT. I want to
isolate the NT system as much as possible, but I have a number of
internal apps that also use the SQL server. So I've come up with the
following idea.

I define three networks, the internal network, the DMZ, and the internet.
The webserver (plus email server, etc) exist on the internet (on the
segment that is directly attached to the router). The SQL Server will go
in the DMZ.

In order for the web server to access the SQL server, I have an IP_Masq
box that denies all incoming connections (incoming from the internet)
except for those coming from the webserver over the SQL port. I allow it
to forward everything.

I set up another IP_Masq system that sits between the DMZ and the
internal network, and it lets anything through to the DMZ, and so to
either the SQL Server or the Internet.

So what I have is:

Internet ----- firewall #1 ----- DMZ ----- firewall #2 --- Internal
            <- everything               <- everything
            -> only SQL port from IP    -> nothing

First, does this sound like a good idea? Are there any holes in this type
of setup? Can anyone suggest any improvements?

If this looks good, would the systems on the internal network (win95/98
boxes) need to have any special network setup? I would think that making
the gateway the system between the internal network and the DMZ would
work.

Thanks for any help,
Erick Thompson


Firewall recommendations/advice - Would this work?

Post by Eugen » Sat, 10 Jul 1999 04:00:00


So essentially you have the local net behind two firewalls (or did I
misunderstand something?)
That's kind of a convoluted setup. The best way would be to put the SQL
server on the LAN and have the Linux box do port forwarding. This way, the
web server would think it would be talking to the LAN's firewall, when in
fact the firewall would forward everything to the SQL server. Obviously
you'd want to allow only the web server to connect to that port, etc. The
local machines would be able to connect to the SQL server since they are all
on the local network.
You can find the information about it at www.linux.org/help
BTW, what the hell does DMZ stand for?


Quote:> Hello,

> I'm currently running a linux 2.0 box doing IP_masq to allow the
> internal network to access the internet. Everything works great, I have
> 30 people going through a 386sx/16. However, we are now adding a new
> website that requires access to a MS SQL server running on NT. I want to
> isolate the NT system as much as possible, but I have a number of
> internal apps that also use the SQL server. So I've come up with the
> following idea.

> I define three networks, the internal network, the DMZ, and the internet.
> The webserver (plus email server, etc) exist on the internet (on the
> segment that is directly attached to the router). The SQL Server will go
> in the DMZ.

> In order for the web server to access the SQL server, I have an IP_Masq
> box that denies all incoming connections (incoming from the internet)
> except for those coming from the webserver over the SQL port. I allow it
> to forward everything.

> I set up another IP_Masq system that sits between the DMZ and the
> internal network, and it lets anything through to the DMZ, and so to
> either the SQL Server or the Internet.

> So what I have is:

> Internet ----- firewall #1 ----- DMZ ----- firewall #2 --- Internal
>             <- everything               <- everything
>             -> only SQL port from IP    -> nothing

> First, does this sound like a good idea? Are there any holes in this type
> of setup? Can anyone suggest any improvements?

> If this looks good, would the systems on the internal network (win95/98
> boxes) need to have any special network setup? I would think that making
> the gateway the system between the internal network and the DMZ would
> work.

> Thanks for any help,
> Erick Thompson



Firewall recommendations/advice - Would this work?

Post by Erick Thomps » Sat, 10 Jul 1999 04:00:00




Quote:> so essentially you have local net behind two firewalls (or did I
> misunderstand something?)
> that's kind of a convoluted set up. The best way would be to put the SQL
> server on the LAN and have the Linux box do port forwarding. This way, the
> web server would think it would be talking to the LAN's firewall, when in
> fact the firewall would forward everything to the SQL server. Obviously
> you'd want to allow only the web server to connect to that port, etc. The
> local machines would be able to connect to the SQL server since they are all
> on the local network.

I thought of doing this, but I was concerned about my web server being used
to break into the SQL server. If the web server was broken (possible with
all those scripts, etc), there is a chance that the SQL system could
fall. I figured that this could happen (remote chance, but possible) as
the SQL server can get packets from the web server, leaving the way for
buffer overruns, etc.

This is bad, but what is worse is that the SQL system would have full
access on the internal network. So from here, it's a fairly simple matter
to get to the fileserver, people who turn shares on, etc.

My reasoning on the three network system is that there is no way for
anything to come from the DMZ into the internal network. Doesn't matter
where it comes from, everything is rejected at the second firewall. That
way, if I lose the database, at least the file server is still protected.

I may be paranoid, but I figure why take the chance.

Quote:> You can find the information about it at www.linux.org/help
> BTW, what the hell does DMZ stand for?

DeMilitarized Zone - it's the no-man's land between North and South
Korea. I've heard it used in network terms quite a bit as a network
segment that is protected, but not locked up.



> > Hello,

> > I'm currently running a linux 2.0 box doing IP_masq to allow the
> > internal network to access the internet. Everything works great, I have
> > 30 people going through a 386sx/16. However, we are now adding a new
> > website that requires access to a MS SQL server running on NT. I want to
> > isolate the NT system as much as possible, but I have a number of
> > internal apps that also use the SQL server. So I've come up with the
> > following idea.

> > I define three networks, the internal network, the DMZ, and the internet.
> > The webserver (plus email server, etc) exist on the internet (on the
> > segment that is directly attached to the router). The SQL Server will go
> > in the DMZ.

> > In order for the web server to access the SQL server, I have an IP_Masq
> > box that denies all incoming connections (incoming from the internet)
> > except for those coming from the webserver over the SQL port. I allow it
> > to forward everything.

> > I set up another IP_Masq system that sits between the DMZ and the
> > internal network, and it lets anything through to the DMZ, and so to
> > either the SQL Server or the Internet.

> > So what I have is:

> > Internet ----- firewall #1 ----- DMZ ----- firewall #2 --- Internal
> >             <- everything               <- everything
> >             -> only SQL port from IP    -> nothing

> > First, does this sound like a good idea? Are there any holes in this type
> > of setup? Can anyone suggest any improvements?

> > If this looks good, would the systems on the internal network (win95/98
> > boxes) need to have any special network setup? I would think that making
> > the gateway the system between the internal network and the DMZ would


Firewall recommendations/advice - Would this work?

Post by Duncan Simps » Thu, 15 Jul 1999 04:00:00



<stuff snipped>

Quote:>I thought of doing this, but I was concerned about my web server being used
>to break into the SQL server. If the web server was broken (possible with
>all those scripts, etc), there is a chance that the SQL system could
>fall. I figured that this could happen (remote chance, but possible) as
>the SQL server can get packets from the web server, leaving the way for
>buffer overruns, etc.

<possible security problems of cracked web server snipped>

Typically one would place both the database and web server in the
DMZ. One would make sure the database had no information people should
not be reading in it, of course. If that means a separate internal database
server then that is what you pay for the security.

Quote:>My reasoning on the three network system is that there is no way for
>anything to come from the DMZ into the internal network. Doesn't matter
>where it comes from, everything is rejected at the second firewall. That
>way, if I lose the database, at least the file server is still protected.

You probably need some minimal access from the internal network to the DMZ
machines and vice versa. In particular you need to pass email... the usual
solution is allowing port 25 for one pair of boxen and have the internal
mail handling box fortified like the stuff in the DMZ (modulo what services
it needs to provide).

Admin access is well served by ssh. The policy with servers is usually
shell access is only by ssh and limited to a minimal number of
users. You can insist on specific host public keys too, which
obviously helps. Non-networked logging hosts over serial lines for
critical servers are also popular---these are logs no cracker without
physical access can erase and twiddling the time on networked machines
will have no effect. (You use these logs when disaster strikes).

[Typically you want some sort of simple summary logs regularly landing
in your mailbox as well.]

--
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."
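Added example, not from anyone in the thread: a first-match, default-deny model of the rule tables in Erick's three-network diagram, of Duncan's "port 25 for one pair of boxen" amendment, and of Eugen's single port-forwarding box, used to check which connection attempts each design lets through. All addresses are constructed, and 1433 (the MS SQL Server default) is assumed for "the SQL port", which the thread never names.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses; the thread names no hosts. 1433 is assumed as "the SQL port".
WEB, MAIL = "203.0.113.10", "203.0.113.25"          # Internet-facing segment
SQL, FILES, RELAY = "192.168.1.20", "192.168.2.5", "192.168.2.25"
THREE_ZONES = [ip_network("0.0.0.0/0"),             # Internet (catch-all)
               ip_network("192.168.1.0/24"),        # DMZ
               ip_network("192.168.2.0/24")]        # Internal

def zone(zones, ip):
    """Index of the most specific zone containing ip."""
    return max(i for i, net in enumerate(zones) if ip_address(ip) in net)

def rule(action, src="0.0.0.0/0", dst="0.0.0.0/0", dport=None):
    return (action, ip_network(src), ip_network(dst), dport)

def evaluate(rules, src, dst, dport):
    """First matching rule wins; an unmatched inbound connection is denied."""
    for action, s, d, p in rules:
        if ip_address(src) in s and ip_address(dst) in d and p in (None, dport):
            return action
    return "deny"

def permitted(zones, firewalls, src, dst, dport):
    """Can src open a connection to dst:dport? Firewall i sits between zone i
    and zone i+1. Connections toward the Internet ride the '<- everything'
    direction; inward ones must be accepted by every firewall on the path."""
    a, b = zone(zones, src), zone(zones, dst)
    return all(evaluate(firewalls[i], src, dst, dport) == "accept"
               for i in range(a, b))          # empty range -> True

# Erick's diagram: firewall #1 passes only the web server to the SQL port,
# firewall #2 passes nothing inward.
ERICK = [[rule("accept", src=WEB, dst=SQL, dport=1433)], []]

# Duncan's amendment: one mail pair may talk on port 25, so the same rule
# is added to both firewalls; everything else stays denied.
MAIL_RULE = rule("accept", src=MAIL, dst=RELAY, dport=25)
WITH_MAIL = [ERICK[0] + [MAIL_RULE], ERICK[1] + [MAIL_RULE]]

# Eugen's alternative: SQL server on the LAN behind a single port-forwarding box.
TWO_ZONES = [ip_network("0.0.0.0/0"), ip_network("192.168.2.0/24")]
SQL_LAN = "192.168.2.20"
EUGEN = [[rule("accept", src=WEB, dst=SQL_LAN, dport=1433)]]

def compare_designs():
    """Erick's worry: if the SQL box is lost, can it reach the file server's
    NetBIOS session port? Returns (three-network design, single-box design)."""
    return (permitted(THREE_ZONES, ERICK, SQL, FILES, 139),
            permitted(TWO_ZONES, EUGEN, SQL_LAN, FILES, 139))
```

The model only covers connection initiation, which is the distinction the diagram's arrows draw; replies ride the masquerading state in both directions.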

