Network Security Question

George Toft plug-discuss@lists.PLUG.phoenix.az.us
Tue, 04 Sep 2001 18:24:08 -0700


Hi Mark,

My suggestions:

#1 (simple)
Internet ----->(nic1)Linux(nic2)---->(internal network with all machines
on it)

Adjust IPChains to block everything incoming except port 80, and
masquerade all outgoing traffic.

#2 (more complex)
Internet ----->(nic1)Linux(nic2)--+-->(all machines)
                                  |
                                  +-->Web server

Set up IPMasq rules to block everything incoming except port 80,
which you forward to your Linux Web server (on the inside).

#3 (most complex)
Internet
  |
  |
(nic1)
Linux Firewall
(nic2)
  |
  |
  +-->Web server
  |
  |
(nic1)
Linux Firewall
(nic2)
  |
  |
(all machines)


I ran with solution #1 for almost two years.  Once I figured out
how to secure it, I had no problems.  Except for my web server
(for which I get free hosting), I still have #1.

Until you learn much more about Linux Firewalls, I suggest something
like #1 using Freesco or coyotelinux.  Of course, this list is a
great resource.

George



Mark Phillips wrote:
> 
> For all the network security gurus out there....
> 
> I have a network with 5 machines (Windows and Linux) connected to the
> Internet. I am currently using a Win 95 as a proxy server (commercial
> software - Wingate). I plan to add a Web server (apache, jsp, servlets,
> etc.) on one of the Linux boxes. I am new to Linux and learning a lot as I
> install, configure and use it!
> 
> My question relates to the network configuration. I have thought of three
> options, and would like some opinions....
> 
> Option 1
> Attach the Linux webserver to my internal network and open a port on the
> proxy server to allow access. The down side is that anyone who gains access
> to the Linux box will have complete access to my network. Since I am new to
> Linux and network security I do not know how secure my Linux box is, nor do
> I want to find out after the fact that it wasn't!
> 
> Internet ----->(nic1)Proxy(nic2)---->(internal network with all machines on
> it)
> 
> Option 2
> Use the Linux/webserver as a router and put it between my proxy server and
> the Internet. This isolates the webserver from my network, so if it is
> compromised, then all I lose is what is on that box. I figure restoring the
> webserver/Linux box is good practice and a great learning experience....;) I
> would add a second NIC to the Linux/webserver box:
> 
> Internet---->(nic1)Linux/webserver/router(nic2)---->(nic1)Proxy(nic2)---->(internal network with all machines on it)
> 
> Option 3
> Use the Linux/webserver as a router again (2 NICs) but put it between the
> proxy server and the internal network. This puts the stronger security
> device (proxy server, I think) as the front line of defense (some protection
> for the web server?). The proxy has not been hacked in over 5 years of
> operation, but I have never had a port open to my network before (e.g. I
> opened a port to allow people to visit my web server).
> 
> Internet---->(nic1)Proxy(nic2)---->(nic1)Linux/webserver/router(nic2)---->(internal network with all machines on it)
> 
> I am sure there are many other permutations - if there is a better one,
> please let me know!
> 
> Thanks!
> 
> Mark Phillips
> 
> P.S. Do I need 2 NICs in the Linux box to act as a router? Is one
> sufficient?
> 
> PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
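An added example, not part of George's reply or anything shipped with Freesco or coyotelinux, showing what "block everything incoming except port 80 and masquerade all outgoing traffic" (suggestion #1) looks like as an ipchains ruleset for a two-NIC box, plus the ipmasqadm port-forward that turns it into suggestion #2 with the web server on the inside. The function emits the commands as text so the ruleset can be read over before it is run; interface names, the LAN range, the public address and the web server address are placeholders, and the 61000-65096 range is the masquerading port range of the 2.2-era kernels ipchains ran on.

```shell
#!/bin/sh
# Emit an ipchains ruleset for: Internet -> (EXT_IF) Linux (LAN NIC) -> inside net.
# Default-deny on the outside NIC, only TCP 80 admitted, everything the
# inside network sends out is masqueraded. With EXT_IP and WEB_IP given,
# inbound port 80 is forwarded to an inside web server instead (suggestion #2).
#
# Usage: build_ruleset EXT_IF LAN_NET [EXT_IP WEB_IP]
#   EXT_IF  - NIC facing the Internet (placeholder: eth0)
#   LAN_NET - inside network in CIDR form (placeholder: 192.168.1.0/24)
#   EXT_IP  - the firewall's public address, needed only for port forwarding
#   WEB_IP  - inside web server that should receive port 80
build_ruleset() {
    ext_if=$1; lan_net=$2; ext_ip=$3; web_ip=$4

    # The kernel has to route between the two NICs for either layout.
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'

    # Empty the chains and deny by default on inbound and forwarded traffic;
    # packets the firewall itself sends out are left alone.
    echo 'ipchains -F'
    echo 'ipchains -P input DENY'
    echo 'ipchains -P forward DENY'
    echo 'ipchains -P output ACCEPT'

    # A packet on the outside NIC with an inside source address is spoofed:
    # log it (-l) and drop it before any accept rule can match.
    echo "ipchains -A input -i $ext_if -s $lan_net -j DENY -l"

    # Loopback and the inside network are trusted.
    echo 'ipchains -A input -i lo -j ACCEPT'
    echo "ipchains -A input ! -i $ext_if -s $lan_net -j ACCEPT"

    # The single service exposed to the Internet.
    echo "ipchains -A input -i $ext_if -p tcp --dport 80 -j ACCEPT"

    # ipchains keeps no connection state, so replies to connections the
    # inside machines opened must be admitted explicitly: TCP packets that
    # are not SYNs, and UDP replies (DNS, for example) to the masquerading
    # port range of the 2.2 kernel (61000-65096).
    echo "ipchains -A input -i $ext_if -p tcp ! -y -j ACCEPT"
    echo "ipchains -A input -i $ext_if -p udp --dport 61000:65096 -j ACCEPT"

    # Anything else reaching the outside NIC is logged and dropped.
    echo "ipchains -A input -i $ext_if -j DENY -l"

    # Masquerade only what the inside network sends out the outside NIC
    # (in the forward chain, -i names the outgoing interface).
    echo "ipchains -A forward -i $ext_if -s $lan_net -j MASQ"

    # Suggestion #2: hand inbound port 80 to the inside web server. The
    # firewall then runs no web server of its own.
    if [ -n "$web_ip" ]; then
        echo "ipchains -A forward -p tcp -d $web_ip --dport 80 -j ACCEPT"
        echo 'ipmasqadm portfw -f'
        echo "ipmasqadm portfw -a -P tcp -L $ext_ip 80 -R $web_ip 80"
    fi
}

# Read the output first; apply as root only once it says what you expect:
#   build_ruleset eth0 192.168.1.0/24
#   build_ruleset eth0 192.168.1.0/24 203.0.113.5 192.168.1.10 | sh
```

The rule order is the point: the anti-spoofing deny comes first, the narrow accepts next, and the logged catch-all deny last, so a typo in an accept rule fails closed rather than open. Whichever layout is chosen, the log lines from the two `-l` rules are the first place to look when something on the outside starts probing.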