Network Security Question

Mark Phillips plug-discuss@lists.PLUG.phoenix.az.us
Tue, 4 Sep 2001 14:53:57 -0700


For all the network security gurus out there....

I have a network with 5 machines (Windows and Linux) connected to the
Internet. I am currently using a Win 95 as a proxy server (commercial
software - Wingate). I plan to add a Web server (apache, jsp, servlets,
etc.) on one of the Linux boxes. I am new to Linux and learning a lot as I
install, configure and use it!

My question relates to the network configuration. I have thought of three
options, and would like some opinions....

Option 1
Attach the Linux webserver to my internal network and open a port on the
proxy server to allow access. The down side is that anyone who gains access
to the Linux box will have complete access to my network. Since I am new to
Linux and network security I do not know how secure my Linux box is, nor do
I want to find out after the fact that it wasn't!

Internet ----->(nic1)Proxy(nic2)---->(internal network with all machines on it)


Option 2
Use the Linux/webserver as a router and put it between my proxy server and
the Internet. This isolates the webserver from my network, so if it is
compromised, then all I lose is what is on that box. I figure restoring the
webserver/Linux box is good practice and a great learning experience....;) I
would add a second NIC to the Linux/webserver box:

Internet---->(nic1)Linux/webserver/router(nic2)---->(nic1)Proxy(nic2)---->(internal network with all machines on it)


Option 3
Use the Linux/webserver as a router again (2 NICs) but put it between the
proxy server and the internal network. This puts the stronger security
device (proxy server, I think) as the front line of defense (some protection
for the web server?). The proxy has not been hacked in over 5 years of
operation, but I have never had a port open to my network before (e.g. I
opened a port to allow people to visit my web server).

Internet---->(nic1)Proxy(nic2)---->(nic1)Linux/webserver/router(nic2)---->(internal network with all machines on it)

I am sure there are many other permutations - if there is a better one,
please let me know!

Thanks!

Mark Phillips

P.S. Do I need 2 NICs in the Linux box to act as a router? Is one
sufficient?
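
The three layouts in the post can be compared mechanically. The following is an added example, not part of the original message: it transcribes each diagram as a list of links and checks two things per option, whether the internal network is reachable from the web server without crossing the proxy, and whether the web server faces the Internet with no proxy in front of it. The node names, and the assumption that the proxy is the only filtering device, are introduced here for illustration.

```python
from collections import deque

# Links between devices for each option, transcribed from the post's diagrams.
# "lan" is a hypothetical name for the internal network with the other machines.
OPTIONS = {
    1: [("internet", "proxy"), ("proxy", "lan"), ("lan", "webserver")],
    2: [("internet", "webserver"), ("webserver", "proxy"), ("proxy", "lan")],
    3: [("internet", "proxy"), ("proxy", "webserver"), ("webserver", "lan")],
}


def reachable(links, start, blocked):
    """Return the nodes reachable from start without passing a blocked node."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def assess(option):
    """Assumption: the proxy filters everything that tries to cross it."""
    links = OPTIONS[option]
    from_web = reachable(links, "webserver", blocked={"proxy"})
    from_net = reachable(links, "internet", blocked={"proxy"})
    return {
        # Can a compromised web server talk to the LAN with nothing in between?
        "lan_exposed_if_webserver_compromised": "lan" in from_web,
        # Does Internet traffic hit the web server before any filtering device?
        "webserver_directly_on_internet": "webserver" in from_net,
    }


if __name__ == "__main__":
    for opt in sorted(OPTIONS):
        print("Option", opt, assess(opt))
```
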