Networking Forums

How to securely connect an Intranet-Samba-PDC with a LAMP in the DMZ?!

 
 
Tom
      10-16-2007, 12:27 PM
Hello group!

I am administering a small network which has 3 zones: Internet, DMZ and
Intranet, quite similar to what it looks like here:
http://de.wikipedia.org/wiki/Bild:En...k_Topology.jpg
In other words: I have the RED (=insecure), ORANGE (partly secure) and
GREEN (highly secure) zone, all combined by a Firewall/Gateway linux box.

In the ORANGE zone (DMZ) I am running a LAMP server which serves data
towards the public internet (Webserver and FTP server)
In the GREEN zone (intranet) I am running a Samba-Server as fileserver and
PDC for my intranet client machines.
By default my firewall allows access from the green to the orange net, but
not vice versa. However I can open "pinholes" so that partial access is
allowed from orange to green (but each pinhole is also a decrease of
security)

So far so good.

Now what I want to do:

I want to be sitting on one of my Windows clients in the green network and
be able to transfer files from the orange LAMP server to the green
File-Server and vice versa comfortably via network shares.

For the moment I am using FTP to transfer the files between them, sitting
in front of the linux boxes, which is not very comfortable.

How should I make that in the best way, so it remains top secure?

- Do I have to install a Samba-Server on orange? (which I find insecure)
- Do I have to grant the orange server access to green server by giving him
a pinhole on the firewall? (which I again find insecure)
- Do I have to connect them via NIS?
- Can I somehow mount a folder between green and orange?
- Do I need to install an FTP-server on both and then use FXP (which again I
don't like because I don't want to install an FTP on green for security
reasons)

What would you do in my case?
Any advice is welcome!! :-)

Thank you
tomakos


--
Help keep the usenet free!
Use and/or support (e.g. by setting up an own server) the nonprofit
open-news-network project:
http://www.open-news-network.org/

Robert Harris
      10-16-2007, 02:57 PM
Tom wrote:
> Hello group!
>
> I am administering a small network which has 3 zones: Internet, DMZ and
> Intranet, quite similar to what it looks like here:
> http://de.wikipedia.org/wiki/Bild:En...k_Topology.jpg
> In other words: I have the RED (=insecure), ORANGE (partly secure) and
> GREEN (highly secure) zone, all combined by a Firewall/Gateway linux box.
>
> In the ORANGE zone (DMZ) I am running a LAMP server which serves data
> towards the public internet (Webserver and FTP server)
> In the GREEN zone (intranet) I am running a Samba-Server as fileserver
> and PDC for my intranet client machines.
> By default my firewall allows access from the green to the orange net,
> but not vice versa. However I can open "pinholes" so that partial access
> is allowed from orange to green (but each pinhole is also a decrease of
> security)
>
> So far so good.
>
> Now what I want to do:
>
> I want to be sitting on one of my Windows clients in the green network
> and be able to transfer files from the orange LAMP server to the green
> File-Server and vice versa comfortably via network shares.
>
> For the moment I am using FTP to transfer the files between them,
> sitting in front of the linux boxes, which is not very comfortable.
>
> How should I make that in the best way, so it remains top secure?


You need to organise your file transfers so that they are always
initiated from the GREEN zone. So you want the simplest possible server
running on your LAMP server that allows part of its filesystem to appear
on your GREEN server.

Why not just run an NFS server on your LAMP server with restrictions in
your /etc/exports file that only allow your GREEN server to see the part
of the filesystem that you export?

Robert

>
> - Do I have to install a Samba-Server on orange? (which I find insecure)
> - Do I have to grant the orange server access to green server by giving
> him a pinhole on the firewall? (which I again find insecure)
> - Do I have to connect them via NIS?
> - Can I somehow mount a folder between green and orange?
> - Do I need to install an FTP-server on both and then use FXP (which
> again I don't like because I don't want to install an FTP on green for
> security reasons)
>
> What would you do in my case?
> Any advice is welcome!! :-)
>
> Thank you
> tomakos
>
>

Tom
      10-16-2007, 03:18 PM
Hello Robert!

Thank you for your quick help!

> You need to organise your file transfers so that they are always
> initiated from the GREEN zone.


Yes, and I would be ok with that, since I never want to initiate transfers
from orange to green, but only from green.

> So you want the simplest possible server
> running on your LAMP server that allows part of its filesystem to appear
> on your GREEN server.
>
> Why not just run an NFS server on your LAMP server with restrictions in
> your /etc/exports file that only allow your GREEN server to see the part
> of the filesystem that you export?


Could you give me some details, since I don't know much more about NFS than
what it is.
If I would set up NFS on orange-server
- Do I have to do the same on the green server? Or are there NFS servers and
clients? Or how is it done?
- How can I forbid NFS transactions initiated by orange? Or would it be
enough, that the firewall blocks traffic from orange to green?
- Ok let's say I have managed to link the orange and green server via NFS.
What do I have to do next, so that I can see the orange folder in my network
environment on the green clients? Do I have to mount something from orange
to green server? Or how is it done?

Thanks for any further piece of information!

Ciao
tomakos

Robert Harris
      10-16-2007, 03:59 PM
Tom wrote:
> Hello Robert!
>
> Thank you for your quick help!
>
>> You need to organise your file transfers so that they are always
>> initiated from the GREEN zone.

>
> Yes, and I would be ok with that, since I never want to initiate
> transfers from orange to green, but only from green.
>
>> So you want the simplest possible server
>> running on your LAMP server that allows part of its filesystem to appear
>> on your GREEN server.
>>
>> Why not just run an NFS server on your LAMP server with restrictions in
>> your /etc/exports file that only allow your GREEN server to see the part
>> of the filesystem that you export?

>
> Could you give me some details, since I don't know much more about NFS
> than what it is.
> If I would set up NFS on orange-server
> - Do I have to do the same on the green server? Or are there NFS servers
> and clients? Or how is it done?


There are NFS servers and clients. On the orange server you need to
install a package with a name like nfs-server and edit the file:
/etc/exports so that it contains a line like:

/my/exported/directory *.local

but you may well want to map user ids between the systems.

"man exports" will tell you the whole story.

On the green machine you need to install a package like nfs-common (that
is the name on my Debian system) and mount the directory from the NFS
server with a command like:

mount -t nfs 192.168.1.2:/my/exported/directory /mnt/mountpoint

Again, "man mount" and "man nfs" will tell you the whole story and when
it works you can put a line in /etc/fstab so that the mount is automatic
at bootup time.

<http://nfs.sourceforge.net/nfs-howto/> is an excellent HOWTO document.

Robert

> - How can I forbid NFS transactions initiated by orange? Or would it be
> enough, that the firewall blocks traffic from orange to green?
> - Ok let's say I have managed to link the orange and green server via
> NFS. What do I have to do next, so that I can see the orange folder in
> my network environment on the green clients? Do I have to mount
> something from orange to green server? Or how is it done?
>
> Thanks for any further piece of information!
>
> Ciao
> tomakos
