Possible Network Setup -- Suggestions Please

Possible Network Setup -- Suggestions Please

Post by Dan Serba » Mon, 27 Aug 2001 15:13:21

I am not new to the networking world or Linux, but I am looking for a little
input in this instance.  What I'm essentially trying to do is get a
locked-down network that is very secure and uses all services through a
central gateway, services such as DNS, Apache, NIS, NFS, Samba, NAT, and IP
Filtering.  Now my first question is:  is this set-up feasible from a
security perspective, and/or feasible to set up on a gateway machine?

DNS - Allow all internal machines to use this server as a name server and an
outside name (i.e. query the internal server to resolve names on the
internet) caching server.
Apache - Allow only internal machines to access this service.
NIS - Allow only internal machines to access this service.
NFS - only internal machines.
Samba - only internal machines.
NAT - "Masquerade" internal machines on the internet.
IP Filtering - Firewalling rules which drop any requests to the gateway
except for the above services to the internal net.

Now I've heard arguments about putting this particular mixture of services
on one machine, especially a gateway/firewall.  Can someone substantiate
this advice?

I will also be doing some port forwarding in the near future to distribute
some services offered by this one machine.

So can anyone share their thoughts on such a setup ... positive and/or
negative?

Thank you,
Dan Serban

Possible Network Setup -- Suggestions Please

Post by ll » Mon, 27 Aug 2001 15:49:32

If you're asking about running these services on a firewall/gateway box that
will sit between your lan and the internet, I wouldn't.  You want your firewall
to be stripped down to just ipchains and masquerading and ssh server,
basically.  Running any other services on your firewall ups the chances of it
getting cracked and leaving your entire lan exposed.  Put the webserver behind
the firewall, as with the other stuff, and use port forwarding as you said if
you want to let the outside world access one of these services specifically.  My
firewall is coyote linux--no hdd.  Just ipchains, masq, ipportfw, and an ssh
server.  Not a whole lot of goodies for a cracker to work with.  Volatile or
insecure services (sendmail, bind) should probably sit outside your firewall if
you offer them to the outside world so if they get cracked you'll still be in
good shape.
> I am not new to the networking world or Linux, but I am looking for a little
> input in this instance.  What I'm essentially trying to do is get a
> locked-down network that is very secure and uses all services through a
> central gateway, services such as DNS, Apache, NIS, NFS, Samba, NAT, and IP
> Filtering.  Now my first question is:  is this set-up feasible from a
> security perspective, and/or feasible to set up on a gateway machine?

> DNS - Allow all internal machines to use this server as a name server and an
> outside name (i.e. query the internal server to resolve names on the
> internet) caching server.
> Apache - Allow only internal machines to access this service.
> NIS - Allow only internal machines to access this service.
> NFS - only internal machines.
> Samba - only internal machines.
> NAT - "Masquerade" internal machines on the internet.
> IP Filtering - Firewalling rules which drop any requests to the gateway
> except for the above services to the internal net.

> Now I've heard arguments about putting this particular mixture of services
> on one machine, especially a gateway/firewall.  Can someone substantiate
> this advice?

> I will also be doing some port forwarding in the near future to distribute
> some services offered by this one machine.

> So can anyone share their thoughts on such a setup ... positive and/or
> negative?

> Thank you,
> Dan Serban

Possible Network Setup -- Suggestions Please

Post by David Macka » Mon, 27 Aug 2001 21:58:28

> I am not new to the networking world or Linux, but I am looking for a little
> input in this instance.  What I'm essentially trying to do is get a
> locked-down network that is very secure and uses all services through a
> central gateway, services such as DNS, Apache, NIS, NFS, Samba, NAT, and IP
> Filtering.  Now my first question is:  is this set-up feasible from a
> security perspective, and/or feasible to set up on a gateway machine?

It's certainly feasible to set it all up on one machine.  It's not sound
from a security standpoint.  You're putting all of your eggs in one basket.

> DNS - Allow all internal machines to use this server as a name server and an
> outside name (i.e. query the internal server to resolve names on the
> internet) caching server.
> Apache - Allow only internal machines to access this service.
> NIS - Allow only internal machines to access this service.
> NFS - only internal machines.
> Samba - only internal machines.
> NAT - "Masquerade" internal machines on the internet.
> IP Filtering - Firewalling rules which drop any requests to the gateway
> except for the above services to the internal net.

> Now I've heard arguments about putting this particular mixture of services
> on one machine, especially a gateway/firewall.  Can someone substantiate
> this advice?

> I will also be doing some port forwarding in the near future to distribute
> some services offered by this one machine.

> So can anyone share their thoughts on such a setup ... positive and/or
> negative?

Most of the services that you describe for internal use aren't a
problem.  When you talk about allowing outside access to web services
(or SMTP, though you didn't mention that), then you are looking at
vulnerabilities in the services that hackers will try and exploit.
Standard practice for web and email servers is to put them in a DMZ.  If
you've got a firewall/router with several nics, then you put your
servers that will be publicly accessed on a separate network segment,
then you firewall that segment so that you restrict access from your DMZ
back into the internal network.  That way, if one of them is
compromised, then the attacker still doesn't have access to your
internal net.  As a thought, quite a few places will sell used systems
for under $400 USD that are more than adequate to handle a number of
functions, like web hosting and email for small networks.

Dave
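The three designs discussed in this thread (the original poster's internal-only services behind a default-drop filter, ll's stripped-down gateway that publishes a single service by port forwarding, and Dave's multi-NIC DMZ that is firewalled off from the internal network) can be expressed as one zone-based forwarding policy. The following is an added example written for this page, not code from any poster; the address plan, the interface names, the DMZ web server address and the iptables rendering (the replies above refer to ipchains, netfilter's predecessor) are all assumptions. The model evaluates new connections only; return traffic is covered by the conntrack rule in the rendered script.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption): one gateway with three NICs, one per zone.
# Anything outside the two private ranges is treated as "internet".
ZONES = {
    "internal": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
}
IFACES = {"internet": "eth0", "internal": "eth1", "dmz": "eth2"}  # assumed NIC names
GATEWAY_PUBLIC = "203.0.113.1"   # RFC 5737 documentation address standing in for the real one
DMZ_WEB = "192.168.2.10"         # constructed DMZ web server

# Port forwarding (DNAT) table: a published port on the gateway's public address is
# redirected to a DMZ host, never to a host on the internal network.
PUBLISHED = {("tcp", 80): DMZ_WEB}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

# Forwarding policy for new connections: first match wins, unmatched traffic is dropped.
# ("any", 0) is a wildcard for protocol and port.
RULES = [
    ("internal", "dmz",      "tcp", 80, "ACCEPT"),   # LAN clients to the DMZ web server
    ("internal", "dmz",      "udp", 53, "ACCEPT"),   # LAN clients to a DMZ caching resolver
    ("internet", "dmz",      "tcp", 80, "ACCEPT"),   # outside world: the published service only
    ("dmz",      "internal", "any", 0,  "DROP"),     # a compromised DMZ host cannot reach the LAN
    ("internal", "internet", "any", 0,  "ACCEPT"),   # LAN out, masqueraded
]

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def translate(flow):
    """Apply port forwarding before the forwarding rules are consulted."""
    if flow.dst == GATEWAY_PUBLIC:
        target = PUBLISHED.get((flow.proto, flow.dport))
        if target:
            return Flow(flow.src, target, flow.proto, flow.dport)
    return flow

def decide(flow):
    """Return the verdict ("ACCEPT" or "DROP") for a new connection crossing the gateway."""
    flow = translate(flow)
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for s, d, proto, port, verdict in RULES:
        if (s, d) == (src_zone, dst_zone) and proto in ("any", flow.proto) \
                and port in (0, flow.dport):
            return verdict
    return "DROP"

def render_iptables(rules=RULES):
    """Render the same policy as an iptables script. Matching on interfaces keeps the
    kernel's evaluation identical to decide(): each zone is exactly one NIC."""
    lines = [
        "iptables -P FORWARD DROP",
        # replies to connections already accepted are let back through
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for s, d, proto, port, verdict in rules:
        cmd = f"iptables -A FORWARD -i {IFACES[s]} -o {IFACES[d]}"
        if proto != "any":
            cmd += f" -p {proto} --dport {port}"
        lines.append(f"{cmd} -j {verdict}")
    lines.append(f"iptables -t nat -A POSTROUTING -o {IFACES['internet']} -j MASQUERADE")
    for (proto, port), target in PUBLISHED.items():
        lines.append(f"iptables -t nat -A PREROUTING -i {IFACES['internet']} -d {GATEWAY_PUBLIC}"
                     f" -p {proto} --dport {port} -j DNAT --to-destination {target}")
    return lines

if __name__ == "__main__":
    samples = [
        Flow("192.168.1.20", "192.168.2.10", "tcp", 80),     # LAN -> DMZ web: ACCEPT
        Flow("192.168.2.10", "192.168.1.20", "tcp", 2049),   # DMZ -> LAN NFS: DROP
        Flow("198.51.100.7", "203.0.113.1", "tcp", 80),      # published web via DNAT: ACCEPT
        Flow("198.51.100.7", "192.168.1.20", "tcp", 139),    # outside -> LAN Samba: DROP
    ]
    for f in samples:
        print(f"{f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport:<5} {decide(f)}")
    print("\n".join(render_iptables()))
```

The point of the `("dmz", "internal", "any", 0, "DROP")` rule is Dave's: a web server that is cracked in the DMZ gains nothing towards NIS, NFS or Samba on the LAN. Note that the DMZ host is also not allowed to open new connections outward in this policy; if it needs to (for example to fetch updates), that is a deliberate extra rule, not a default. The gateway's own INPUT chain, which is what ll's "just ipchains, masq, ipportfw and ssh" advice is about, is a separate ruleset and not modelled here.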