Network topology suggestions for Win2k3 web server network

Posted by wfsmith on March 1, 2005, 9:58 am
I have 2 application servers and one DC/SQL server at a colocation
facility that serve as a public web server cluster. I am using a
Watchguard Firebox X 1000 currently and a VLAN segmented Cisco Catalyst
2950 router. I am looking to redo my network setup to make it safer,
given that I've learned a bit more about network security since I first
set this up.

Anyone out there feel like reading this and posting your suggestions,
as little or as much as you want? I'd appreciate it!

My current setup is this:

Firewall (Firebox X 1000)
|
Switch (Cisco Catalyst 2950)
| |
DMZ TRUSTED


Now all 3 machines are dual-homed Windows 2k3 machines. (I've been told
that dual-NIC Windows machines have issues with sending out secure data
over the DMZ interface and vice versa, and that's one of the reasons I want
to abandon this setup.)

Each machine has a DMZ and a Trusted NIC and, as mentioned before, I'm
using VLANs to segment the network. The DB server has its DMZ
interface disabled so it's essentially only on the Trusted VLAN. (I was
also told that VLANs only give you a false sense of security, not
actual security, ugh.)

I have the 3 servers set up as a Windows domain (name:
mydomainname.mycompanyname.org). The SQL server also acts as the DNS
server for internal lookups. The SQL server is also the time server.
The 2 application servers are public web servers. I have set up the
domain to use my Trusted LAN. All SQL requests, DNS requests and time
server requests also travel over the Trusted VLAN. I'm a DNS/DC noob so
I'm sure I messed up the domain setup etc. Everything works....for now.


So that's about it as far as my current configuration. Here's what I
was thinking for a new setup:


1. Ditch the VLANs and segment the network at the physical layer.
Make all three machines Single NIC machines. The 2 application servers
would connect ONLY to the DMZ, and the SQL server would connect ONLY to
the Trusted.

2. If I do (1), then I will need to open up holes to my Trusted
network to allow the DMZ machines to perform SQL queries. ALSO, since
the SQL server is also the DC/DNS/time server, they will need to access
those ports/protocols as well. So now I'm thinking I have so many holes
open, why bother with the Trusted LAN at all? Just put the SQL server
in the DMZ since it would already be vulnerable.

3. So then I started thinking, I wouldn't have to open many holes to
Trusted at all if I could DITCH the DNS/DC/time server roles of my SQL
server. This begs the question, do I need a domain for this setup?
Can/should I just set up 3 independent machines that don't share a
domain? I'm only using DNS to allow me to set up a domain. I'm using my
ISP's DNS servers for public domain lookups anyhow. Any experts that
can help with this one?

In this sense, I would have 2 app servers in the DMZ and one SQL server
in the Trusted. Each machine would be separate, domain-wise. And the
only DMZ --> Trusted hole would be SQL server access limited by IP and
port, and a port for sending over sensitive log data to the SQL server.
These "holes" would be handled by firewall rules.

4. If I decide to ditch the domain, will I need to reinstall Win2k3 to
change my Domain configuration? Can I do this without any OS
re-installations?

5. Lastly, do I have to change around my firewall configuration? It's
currently set up in "routed mode", using NAT. But I have a whole block
of 16 routable IPs from my ISP so I was thinking of switching the setup
to "Drop In" mode and stop using NAT for the 2 application servers.
That way, I make better use of my IP block and I don't have to worry
about NAT issues. But I would still use NAT for the Trusted LAN/SQL
server so it's not exposed.

So what do you all think? I would love some help/feedback with this
idea. I am also looking for someone to help me over the next few
weeks as I try to implement this with a production environment.
Looking for a guru, will pay of course. Thanks in advance for reading
this far and/or responding with your opinions, suggestions and vast
security knowledge.

Will



Posted by Leythos on March 1, 2005, 6:15 pm
On Tue, 01 Mar 2005 09:58:02 -0800, wfsmith wrote:

> I have 2 application servers and one DC/SQL server at a colocation
> facility that serve as a public web server cluster. I am using a
> Watchguard Firebox X 1000 currently and a VLAN segmented Cisco Catalyst
> 2950 router. I am looking to redo my network setup to make it safer,
> given that ive learned a bit more about network security since I first
> set this up.
>
> Any one out there feel like reading this and posting your suggestions,
> as little or much as you want, id appreciate it!
>
> My current setup is this:
>
> Firewall (Firebox X 1000)
> |
> Switch (Cisco Catalyst 2950)
> | |
> DMZ TRUSTED

When we setup secure webservers and database servers as the back-end we do
it as follows:

INTERNET
    |
Firebox 1000
    |LAN          | DMZ
    |             \ WEB 1
    |               WEB 2
    \ SQL 1

You do not use domains/ad on the servers, you don't need it to run as a
web server and you certainly don't want to use Windows authentication
between the Web servers and the SQL server.

Yes, you need to open 1433 from DMZ to LAN for the web servers to access
the SQL server.

The web servers can get their DNS from the ISP's DNS server. You might
make a static host file entry if you want to use the SQL servers name
instead of IP.

The SQL server, if it needs to contact the web servers from its side, will
need DNS installed. You can make the SQL server a DC, but don't make it in
the same domain as the web servers - this is a security risk. Set the SQL
server to use mixed mode - so that your web application passes a
user/password in order to connect. DO NOT USE THE SA ACCOUNT.

Now, if you want to manage everything remotely, you need to setup simple
PPTP VPN to the Firewall, then create an ANY rule that permits PPTP to
access both DMZ and LAN subnets.

You could create an ANY rule that lets the LAN reach the DMZ, but don't
open anything from DMZ to LAN except for 1433.

I would set the LAN to 192.168.10.0/24
I would set the DMZ to 192.168.11.0/24

> So what do you all think? I would love some help/feedback with this
> idea. I am also looking for someone to help me over the next few
> weeks as I try to implement this with a production environment.
> Looking for a guru, will pay of course. Thanks in advance for reading
> this far and/or responding with your opinions, suggestions and vast
> security knowledge.

If you end up with the LAN being your company network, you can have the
SQL server be part of the company Domain/AD, but DO NOT MAKE THE WEB
SERVERS PART OF IT - use your web application to authenticate with the web
server via SQL User accounts, not SA or Windows accounts.

We setup this config all over the US, you don't have to pay for help if
you keep it in Usenet or email, I like to give back for all that I
learned/learn on Usenet.


--
spam999free@rrohio.com
remove 999 in order to email me
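The mixed-mode, no-SA advice in the reply above, carried through as the T-SQL a practitioner would actually run on a SQL Server 2000 box of that era. This is an added example, not code from either poster: the database ShopDB, the login webapp, the role web_app_role, the procedures dbo.usp_GetOrder and dbo.usp_InsertLogEntry and both passwords are placeholders I have assumed, and mixed mode is assumed to have been enabled already (Enterprise Manager, server properties, Security tab). The point it shows is that "not SA" means a login that is a member of no fixed server role, mapped to one database, and holding EXECUTE on the procedures the web tier calls and nothing else.

```sql
-- Added example (not from the thread). SQL Server 2000 system procedures;
-- ShopDB, webapp, web_app_role and the usp_* names are hypothetical.
USE master
GO

-- Mixed mode makes sa reachable over 1433 from the DMZ, so it must have
-- a strong password even though nothing should ever log in as sa.
EXEC sp_password NULL, 'Replace-With-Long-Random-Secret-1', 'sa'
GO

-- Dedicated SQL login for the web tier. Default database is the app DB,
-- so a connection string that omits "Database=" still lands there.
EXEC sp_addlogin 'webapp', 'Another-Long-Random-Secret-2', 'ShopDB'
GO

USE ShopDB
GO

-- Map the login into the application database only; no access elsewhere.
EXEC sp_grantdbaccess 'webapp', 'webapp'
GO

-- Application-specific role, so rights are granted once and reviewed once.
EXEC sp_addrole 'web_app_role'
GO
EXEC sp_addrolemember 'web_app_role', 'webapp'
GO

-- Grant EXECUTE on the procedures the web servers call. No table-level
-- SELECT/INSERT, so a compromised web server cannot dump tables directly.
GRANT EXECUTE ON dbo.usp_GetOrder TO web_app_role
GRANT EXECUTE ON dbo.usp_InsertLogEntry TO web_app_role   -- the "sensitive log data" path
GO

-- Check 1: the login holds no fixed server role (every column must be 0).
SELECT name, sysadmin, securityadmin, serveradmin, setupadmin,
       processadmin, diskadmin, dbcreator, bulkadmin
FROM master.dbo.syslogins
WHERE name = 'webapp'
GO

-- Check 2: the role's only permissions are EXECUTE (action 224) grants
-- (protecttype 204/205) on the two procedures above.
SELECT o.name AS object_name, p.action, p.protecttype
FROM sysprotects p
JOIN sysobjects o ON o.id = p.id
JOIN sysusers   u ON u.uid = p.uid
WHERE u.name = 'web_app_role'
GO
```

Two caveats go with this. The webapp password ends up in the web tier's connection string, so the DMZ hosts now hold a secret that crosses the single 1433 hole; restrict NTFS permissions on that config file. And SQL Server 2000 only obfuscates, rather than encrypts, the login packet unless SSL encryption is configured on the server, so the credential is recoverable by anyone who can sniff the DMZ-to-LAN link.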


