
Newbie Network Design Question 2

Status
Not open for further replies.

Silmeron

Programmer
Jan 17, 2003
59
US
Hi there,

I've been asked to set up a new network for my company, and I wanted to ask how this works specifically. Basically my network will look like so:

Internet -> Firewall -> (DMZ) FTP and mail relay (DMZ) -> Firewall 2 -> Internal Network.

This seems like a fairly secure solution for a company under 50 folks (I hope! :)

What I'd like to know is:

1) The first firewall should simply pass on port requests for our FTP and mail relay, correct? This mail relay is basically a "mail.mywebsite.com" that allows remote users to access their Exchange e-mail online.

2) How exactly would Internet access be doled out to the Internal Network users? I'm slightly confused in this design about what IP addresses would be given to what systems, and which computers would need multiple netcards.

3) Any suggestions for an antivirus solution (for both desktops and Exchange) would be appreciated.

BTW, our entire network is W2K, W2K3, or WinXP based.

Thanks SO much!

-]S[-
 
Umm, too many questions are raised to give you a complete answer, but:

1. There is no need for two firewalls.
2. If you place your FTP, Exchange server, etc. in the DMZ you could have fifty firewalls.
3. Start by thinking router. You want to begin with NAT services to all clients. You will need to "punch holes" in NAT to allow your Exchange server and FTP to handle requests coming from the WAN side. This is usually called "Port Forwarding."
4. Your mail relay is all HTTPS. Set up credentialed SSH access for the relays. You need to punch a hole for the SMTP service.
5. Once behind NAT, the biggest job for the firewall would be to close outgoing traffic generated by trojans. You want to make certain you do not apply NetBIOS and other routable protocols on the WAN side of the client, but you are effectively "firewalled" from the outside at this point.
 
Thanks bcastner,

I noticed I had probably confused the first "firewall" above with what would actually be the router. What might you suggest for a topology in this case? Basically I would just like to have a system with FTP and Outlook Web Access to the Internet, with everything else inside, thus would the following work well?

Internet -> Router -> (DMZ) FTP/OWA Server (DMZ) -> Firewall -> Internal Network

Thanks again!
 
Actually, the typical setup is:

Internet --> Firewall --> Router --> Switch.

Your router rules will allow you to nominate an IP address as the DMZ, or forward the required specified ports.

If you're only running a few server services (e.g. ftp & https) port forwarding would provide a more secure solution than the DMZ.

No computer would require multiple IP addresses, and the IP addresses would be allocated by whichever device you specify as the LAN's DHCP server - it could be the router, or a 2k server.

<marc> i wonder what will happen if i press this...
- please give feedback on what works / what doesn't
- need some help? how to get a better answer: faq581-3339
 
Thanks manarth,

Basically all we'd like to do is have FTP and Outlook's Web Access (through Exchange) available on the Internet, with everything else intended to be secure. Our web site is hosted by our ISP.

Would you even recommend a DMZ in this case then? Sorry for the newbie questions, I'm a programmer by trade, not an IT admin :)

Would this make security sense then:

Internet
   |
Firewall
   |
Router--+
   |    |
   |    +--- FTP / OWA server (NOT on DMZ)
   |
Switch
   |
Internal Net

Again, thank you very much!
 
I'm not too sure how you plan to have 2 devices coming directly off the router (unless it's got an integrated switch) - security wise, it makes no difference if you plug the FTP server into the same switch as the rest of the LAN.

Internet
   |
Firewall
   |
Router
   |
Switch - FTP / OWA server
   |
Internal Net

What's important is that you only forward the ports you need to the server, and that the server is locked down! A number of vulnerabilities exist simply because a web server is left in its default state (MS pre-installs a number of scripts). The network design shown above is fairly standard.

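The two pieces of advice in this thread, bcastner's "NAT everyone, punch holes only for the services that must answer from the WAN, and close outgoing traffic generated by trojans" and manarth's "only forward the ports you need", can be written down as a concrete policy on the Firewall/Router box in the last diagram. The script below is an added example and is not from any poster in this thread; it assumes a Linux router running iptables, interface names eth0 (WAN) and eth1 (LAN), a constructed 192.168.1.0/24 LAN, a constructed FTP/OWA/SMTP host at 192.168.1.10, and that the three exposed services are FTP (21), SMTP (25) and OWA over HTTPS (443). Everything else crossing the box is dropped by default.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. Interface names, the LAN
# range and the server address are assumptions; change them for your site.
# Run as "IPT=echo ./fw.sh --apply" to print the rules instead of loading them.
set -eu

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # constructed LAN range
SERVER_IP="${SERVER_IP:-192.168.1.10}"      # constructed FTP / OWA / SMTP host on the LAN switch

build_rules() {
    # Default deny for anything routed through the box; only listed traffic passes.
    "$IPT" -P FORWARD DROP
    # Replies belonging to connections that were already allowed in either direction.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NAT: every LAN client shares the WAN address for outbound connections.
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # "Punch holes": forward exactly the three services the thread needs, nothing else.
    for port in 21 25 443; do
        "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
            -j DNAT --to-destination "$SERVER_IP:$port"
        "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$SERVER_IP" -p tcp \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
    # FTP data connections only count as RELATED once the kernel FTP helper
    # (nf_conntrack_ftp) is loaded; loading it is left to the operator.

    # Egress control: NetBIOS, SMB and RPC endpoint-mapper traffic must never
    # leave the LAN, whether from a misconfigured client or a trojan calling out.
    for proto in tcp udp; do
        "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$proto" \
            -m multiport --dports 135,137,138,139,445 -j DROP
    done
    # Remaining LAN-initiated traffic may go out; tighten further per site policy.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
}

# Sanity checks on the generated policy: how many inbound port-forwards exist,
# and how many egress blocks for the Windows file-sharing ports were installed.
count_forwarded_ports() {
    IPT=echo build_rules | grep -c -- '-j DNAT'
}

count_egress_blocks() {
    IPT=echo build_rules | grep -c -- '--dports 135,137,138,139,445'
}

if [ "${1:-}" = "--apply" ]; then
    build_rules
fi
```

Running `IPT=echo ./fw.sh --apply` prints the rule set so it can be reviewed before it is loaded; `count_forwarded_ports` is the check a reviewer wants to see stay at three. Note that plain FTP on port 21 carries credentials in the clear, so the forwarded FTP service is the weakest of the three holes and is worth reconsidering once the basic design is in place.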
 