physical Topology

augustmcdaniel
Posts: 3
Joined: Mon Feb 16, 2009 11:38 pm

physical Topology

Postby augustmcdaniel » Mon Feb 16, 2009 11:43 pm

Can anyone give me advice on the most secure setup for my new network? I was thinking it would go like this: ISP -> ISP-supplied modem -> Linksys router -> server -> switch/hub -> workstations, printer, WAP, etc. Does this sound about right?

moredruid
Expert
Posts: 791
Joined: Tue Jan 20, 2009 1:33 am
Location: Netherlands

Re: physical Topology

Postby moredruid » Tue Feb 17, 2009 12:51 am

That setup may work depending on your environment/requirements.
Most importantly: will the server be connected to the internet serving anything? This is the most important consideration. If it will only proxy or route internet / mail from the office then you should be fine with the setup you described. If you want more you'll have to consider strengthening the security of that system. Ideally you will then want 2 servers: 1 very secure DMZ server connected to the internet (serving pages, mail etc.) and 1 normally secured server for your internal network.

You can of course combine all tasks (NOT recommended), but then you'll have to strengthen the security of your setup!
In Linux-land there are lots of tools which make this possible, but you'll have to know what you're doing and keep in mind that security is NEVER a "solution", it can only be a "process", since the requirements may change on a daily basis, so you'll always have to keep up to date.

This is why admining 2 servers can be less of a task than only 1. Your DMZ server needs constant attention, however you can make trade-offs for security by having a good (working & tested) backup of your server, in case it gets rooted you can be back up within a few hours without losing too much data and without having compromised your workgroup server. If you have the roles combined in 1 server you must keep everything up to date, considering all changes you make with the current status quo, will it break something or not etc.

In short: it's easier to have an old computer (a 300 MHz Celeron with 256MB or maybe 512MB RAM will do very well) as your DMZ server doing its serving, one that is allowed to "break" (a little, and hopefully not at all) facing the internet, and another computer serving your workgroup/office.
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D2173656C7572206968616D41snlbxq' | dc
Galileo - HP Proliant ML110 G6 quad core Xeon 2.4GHz, 4GB RAM, 2x750GB RAID1 + 2x1TB RAID1 HDD

augustmcdaniel
Posts: 3
Joined: Mon Feb 16, 2009 11:38 pm

Re: physical Topology

Postby augustmcdaniel » Wed Feb 18, 2009 2:41 pm

Maybe try to simple that down a little?!

augustmcdaniel
Posts: 3
Joined: Mon Feb 16, 2009 11:38 pm

Re: physical Topology

Postby augustmcdaniel » Wed Feb 18, 2009 2:46 pm

I'm just doing it for fun and to see if I can. What is DMZ?

cpg
Administrator
Posts: 2618
Joined: Wed Dec 03, 2008 7:40 am

Re: physical Topology

Postby cpg » Wed Feb 18, 2009 5:35 pm

> Maybe try to simple that down a little?!

Let me try:
  • You should have a firewall between the WAN (Wide Area Network) and the LAN (Local Area Network). Some of them come included with the modem if it's also a router. This is the most important thing about having a secure network. You can buy some of these with WiFi support and all fairly
  • In the inside part of the firewall, the LAN (local area network), you just run a network in whichever way you want.
  • Your HDA has to be in the inside network, but not as a gateway (that can be done, by advanced users, however it's not really supported out of the box).
  • To get all the benefits of the Amahi HDA you can turn off the DHCP server in your router/gateway and use the HDA as DHCP server.
Does that help?
My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 8GB RAM, 1TBx2+3TBx1

moredruid
Expert
Posts: 791
Joined: Tue Jan 20, 2009 1:33 am
Location: Netherlands

Re: physical Topology

Postby moredruid » Thu Feb 19, 2009 12:31 am

> I'm just doing it for fun and to see if I can. What is DMZ?

What is a DMZ? Hmm, Wikipedia can explain that very thoroughly.

In short: it means that you have a special area in your network to and from which traffic from the internet is accepted. For larger organisations this is usually a physical setup like this:

internet --- router --- firewall --- DMZ --- firewall -- internal LAN

the internet is... well the internet... the router accepts connections and routes them (it can usually also filter some traffic as well)... firewall blocks any unwanted stuff (this is also sometimes combined with an antispam solution before mail hits your mailserver)... DMZ is where your mailserver/webserver is located... another firewall (sometimes) for extra security, your LAN can be connected to the 1st firewall as well...

Think of the DMZ as a sort of crumple zone (like in your car)... if a hacker compromises your web/mailserver (car analogy: a truck rams you ;) ) your internal network is still safe (you are still safe in the car, the crumple zone will take the real hit and in the cabin you have airbags popping here and there and you have this cage construction protecting you). You might have some damage, but at least you're still in good enough shape to fix stuff. :)
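An added example (not part of the thread) that models the zone policy behind the internet --- firewall --- DMZ --- firewall --- LAN picture above, so the "crumple zone" property can be checked on sample flows. The subnets, host addresses and port list are constructed assumptions; in a real deployment the same first-match, default-drop rules would be expressed in the firewall's own rule language.

```python
"""Zone-policy model of the two-firewall DMZ layout: constructed example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan (assumption, not from the thread): LAN and DMZ
# are separate subnets; anything else is the untrusted internet side.
ZONES = {
    "lan": ip_network("192.168.1.0/24"),
    "dmz": ip_network("10.0.0.0/24"),
}

def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Rule:
    src: str                      # source zone
    dst: str                      # destination zone
    dports: Optional[frozenset]   # allowed TCP ports, None = any
    action: str                   # "accept" or "drop"

# First-match rules; anything unmatched is dropped (whitelist default).
POLICY = [
    Rule("internet", "dmz", frozenset({25, 80, 443}), "accept"),  # published services
    Rule("dmz", "lan", None, "drop"),        # crumple zone may never reach the cabin
    Rule("dmz", "internet", None, "accept"), # updates, outbound mail
    Rule("lan", "dmz", None, "accept"),      # staff use/manage DMZ hosts
    Rule("lan", "internet", None, "accept"),
]

def decide(src_ip: str, dst_ip: str, dport: int) -> str:
    # Verdict for a NEW TCP connection; return traffic is assumed stateful-allowed.
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "accept"  # intra-zone traffic never crosses the firewall
    for r in POLICY:
        if r.src == src and r.dst == dst and (r.dports is None or dport in r.dports):
            return r.action
    return "drop"

if __name__ == "__main__":
    # Webserver 10.0.0.10 in the DMZ, file server 192.168.1.20 on the LAN
    print(decide("203.0.113.5", "10.0.0.10", 443))    # accept: published web
    print(decide("10.0.0.10", "192.168.1.20", 445))   # drop: compromised DMZ host stays contained
    print(decide("203.0.113.5", "192.168.1.20", 445)) # drop: no internet->LAN rule
```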
