Securing a vlan ??

[snootalope]

Hey guys

I'm testing putting a web server in house and I've got a few questions about my options of securing it from the rest of the "domain". The web server itself won't actually be part of our Active Directory domain, but it will be sharing a switch with the rest of my servers (same lan segment/ip scope).

My concern is if the web server is hijacked from outside, how am I going to stop a trojan or an actually hacker from getting further in the network.

First of all, I know a DMZ is the right thing to do here, but my options just can't include the DMZ at the moment. Maybe down the road.

I have brand new 3550 Cisco Switches and most of them are configured with VLANs (VoIP system). Anyway, does anyone know if there's any options i can explore as far as locking down a particular port from the rest of the ports on the network? Kind of like an ACL... I only need a few service to get to and from the server, anyway I can lock the rest?

Thanks for any advice!
-snooter

 

[KiscoKid]

The 3550 (with EMI image) can support both Layer 3 and Layer 2 (VLAN) ACLs.

Layer 3 ACLs can control what traffic is allowed from VLANs that are external to the VLAN your web server resides upon.

Layer 2 VLAN ACLs can control what traffic is allowed from hosts on the same VLAN as the server.

The following URL goes into a lot of detail about it:

http://www.cisco.com/en/US/partner/...figuration_guide_chapter09186a00801f0a3c.html

 

[snootalope]

Thanks for the info! I'll check it out.

Hey, I'm trying to setup a little test lab but I'm having a stupid little issue here I can't figure out.

I'm trying to chain or uplink to 3500 switches just using the 10/100 ports. Do I have to use a cross over cable? Thought I did.. but it's not working. I've got both switchports completly black (no configs) and still can't get anykind of connectivity. What am i doing wrong?

 

[KiscoKid]

A crossover is what I'd expect: pins 1,2,3 and 6 all crossed. Maybe try a standard straight cable as well.

Also make sure that both the attached ports have had the 'no shut' command applied to them otherwise you'll never be able to establish a physical connection between them.

 

[snootalope]

Yeah, I tried a xover, but I've got a few other switches here that are chained just via a straight through cable..

I setup the ports just like any other switch, they both say:

interface FastEthernet0/01
switchport trunk encapsulation dot1q
switchport mode trunk
switchport voice vlan 172
end

still, no connection! i've tried different ports on the switch, too. ???

 

[KiscoKid]

Try a new straight and crossover cables.. ones you know have worked previously. Cable faults are probably the most common fault you see.

 

[snootalope]

yep, tried that too. I don't know what the hecks going on..

Anyway.. I'll just steal a gbic from another switch quick and do some testing.

I setup an acl like so:

access-list 101 deny icmp any any

But apparently, after reading a little more, the 3524xl switches I have don't support this. So why the heck are the commands there!??

Do I have to assign certain ports to a "policy" in order ot make the access list affective? I tried configuring the gbic port, but it doesn't have an "ip access-group" command and that's the only one I'm familiar with. Do you know anymore?

 

[snootalope]

The heck with it. I might as well try and do this right.

I'm thinking about buying one of those little Watchgaurd Firebox 6 devices and just keeping that between the rest of my network and my web server.

Does having all the internet traffic flow like this defeat the purpose though?

Internet--PIX--ISP hub--router--switches--Domain

Internet--PIX--ISP hub--router--switches--Firebox--web server

What do you think about that? At least I could control traffic to and from the web server right..

 

[voltron1011]

If you ever end up putting in more servers, you can put them in a private-vlan. That way they won't talk to each other.