Networking Forums

Is this a wise configuration?

 
 
None
04-28-2006, 09:34 PM
First, I apologize if this is slightly OT for this NG, but I was unable
to find a more general "networking" NG on my nntp server. If it's any
consolation, all of my computers run GNU/Linux...

Here is my situation:
I have a single DSL connection to the internet at my house. This
connection goes through a router, supplied by the ISP. Behind this
router is my LAN. I enjoy setting up various different servers (web,
news, irc, bbs, etc.), and would like to be able to access them from the
internet. With this many "test" servers running, however, there are many
potential security threats. I would like to create a separate "zone" on
my network, autonomous from the private LAN, to place these servers
in, in order to minimize the security risk to the rest of the LAN. (If one
of the servers becomes compromised, the damage is isolated to the
"server zone", thereby preventing further attacks to the private LAN). I
would like the private LAN to be invisible to the "server zone", but
still have access to the internet through the DSL router.

Here is my plan:
Configure the DSL router to forward the ports needed for the various
servers to a single computer. This computer acts as a firewall between
the two network zones. The firewall examines the destination port on
incoming packets, and based on that, DNATs the address to the
appropriate physical server. (For example, redirect all packets destined
to port 80 to 10.0.0.2, and all packets destined for port 21 to 10.0.0.3).

Also, in order to facilitate the "zone separation", this firewall will
drop all packets coming from the "server zone", destined to the private
LAN, and vice versa.

I will also configure the firewall to SNAT all packets coming from the
"server zone", destined to the internet, with the private LAN IP address
of the firewall.

Hopefully, this will behave as expected.

As a "networking neophyte", I would like to ask if this is a smart way
to do this. Is there an easier, or more efficient alternative? Any other
comments?

Thanks!
-None
 
Unruh
04-28-2006, 10:29 PM
None <(E-Mail Removed)> writes:

>First, I apologize if this is slightly OT for this NG, but I was unable
>to find a more general "networking" NG on my nntp server. If it's any
>consolation, all of my computers run GNU/Linux...


>Here is my situation:
>I have a single DSL connection to the internet at my house. This
>connection goes through a router, supplied by the ISP. Behind this
>router is my LAN. I enjoy setting up various different servers (web,
>news, irc, bbs, etc.), and would like to be able to access them from the
>internet. With this many "test" servers running, however, there are many
>potential security threats. I would like to create a separate "zone" on
>my network, autonomous from the private LAN, to place these servers
>in, in order to minimize the security risk to the rest of the LAN. (If one
>of the servers becomes compromised, the damage is isolated to the
>"server zone", thereby preventing further attacks to the private LAN). I
>would like the private LAN to be invisible to the "server zone", but
>still have access to the internet through the DSL router.


It would depend on your router.
However, you have the router forward all 10.0.x.x addresses to the net, put
your server subnet in 10.0.1.x and your other machines, with firewalls
excluding all 10.0.1.x machines from everything on 10.0.0.x


>Here is my plan:
>Configure the DSL router to forward the ports needed for the various
>servers to a single computer. This computer acts as a firewall between
>the two network zones. The firewall examines the destination port on


It would need two network cards. It would also be a single point of
failure. I.e., if they break it, they break everything.


>incoming packets, and based on that, DNATs the address to the
>appropriate physical server. (For example, redirect all packets destined
>to port 80 to 10.0.0.2, and all packets destined for port 21 to 10.0.0.3).


>Also, in order to facilitate the "zone separation", this firewall will
>drop all packets coming from the "server zone", destined to the private
>LAN, and vice versa.


>I will also configure the firewall to SNAT all packets coming from the
>"server zone", destined to the internet, with the private LAN IP address
>of the firewall.


What kind of address does your ISP deliver? Is it a routable or a
non-routable address (OK, public or private)? You do not want to be doing
double NAT -- once at your end and once at your ISP.



>Hopefully, this will behave as expected.


>As a "networking neophyte", I would like to ask if this is a smart way
>to do this. Is there an easier, or more efficient alternative? Any other
>comments?


>Thanks!
>-None

 
Captain Dondo
04-28-2006, 10:41 PM
None wrote:

> Here is my plan:
> Configure the DSL router to forward the ports needed for the various
> servers to a single computer. This computer acts as a firewall between
> the two network zones. The firewall examines the destination port on
> incoming packets, and based on that, DNATs the address to the
> appropriate physical server. (For example, redirect all packets destined
> to port 80 to 10.0.0.2, and all packets destined for port 21 to 10.0.0.3).
>
> Also, in order to facilitate the "zone separation", this firewall will
> drop all packets coming from the "server zone", destined to the private
> LAN, and vice versa.
>
> I will also configure the firewall to SNAT all packets coming from the
> "server zone", destined to the internet, with the private LAN IP address
> of the firewall.
>
> Hopefully, this will behave as expected.


What you're describing is basically a DMZ. Look that up in any
firewalling HOWTO.

You may also be able to set up your router as a bridge, and then set up
your own firewall behind that.

My DSL is set up so that my DSL modem has one IP, and then my firewall
has another routable IP on its external interface, but others may be
set up so that the modem doesn't have an IP address at all and simply
acts as a bridge... It all depends on the setup the ISP is using...

--Yan
 
Grant
04-29-2006, 01:21 AM
On Fri, 28 Apr 2006 14:34:28 -0700, None <(E-Mail Removed)> wrote:

>Here is my situation:
>I have a single DSL connection to the internet at my house. This
>connection goes through a router, supplied by the ISP. Behind this
>router is my LAN. I enjoy setting up various different servers (web,
>news, irc, bbs, etc.), and would like to be able to access them from the
>internet. With this many "test" servers running, however, there are many
>potential security threats. I would like to create a separate "zone" on
>my network, autonomous from the private LAN,


Generally referred to as "DMZ" when you search for firewall info

>Here is my plan:
>Configure the DSL router to forward the ports needed for the various
>servers to a single computer. This computer acts as a firewall between
>the two network zones.


It may not work very well. While I don't run a DMZ at the moment, I
have prepared for that like this:

network topology
`````````````````
  ----------------   Phone   ------------
 (                )  Line    |          |
 ( Big Bad Internet )--------| ADSL Modem |
 (                )          |          |
  ----------------           ------------
                                  |
                              Public IP
                                  |  X_WORLD
                             -------------
                             | ppp0/eth2 |
     X_LOCAL2                |           |
     192.168.2.0/24 <----eth1|  Firewall |eth0---- X_LOCAL
     100-Base-T              |           |         192.168.1.0/24
     (spare localnet)        -------------              |
                                                   100-Base-T   -----
                                                   Switch ------|   |  LAN
                                                          ------|   |  Machines
                                                          ------|   |
                                                                -----

Firewall box: <http://bugsplatter.mine.nu/test/boxen/deltree/>

> The firewall examines the destination port on
>incoming packets, and based on that, DNATs the address to the
>appropriate physical server. (For example, redirect all packets destined
>to port 80 to 10.0.0.2, and all packets destined for port 21 to 10.0.0.3).


Sure, but as someone else pointed out, you're doing a double NAT,
asking for trouble.

What I do is configure the ADSL modem to run in 'bridge' mode,
and run PPPoE on the firewall box --> I have complete control
over the link to Internet and what traffic hits localnet. (No
public access to localnet boxen, for example).

>Hopefully, this will behave as expected.


It's fun stuff to play with. Take care not to be an unwitting
proxy though.

>As a "networking neophyte", I would like to ask if this is a smart way
>to do this. Is there an easier, or more efficient alternative? Any other
>comments?


A couple of years ago when I switched to ADSL I ran the modem like you want
to, poking holes through the modem's firewall/NAT. As I climbed the
learning curve and gained confidence I switched the modem to bridge mode
and haven't looked back.

See also: <http://bugsplatter.mine.nu/junkview/>

Grant.
--
Memory fault -- brain fried
 
Robert
04-29-2006, 01:59 AM
On Fri, 28 Apr 2006 14:34:28 -0700, None wrote:

> Here is my situation:
> I have a single DSL connection to the internet at my house. This
> connection goes through a router, supplied by the ISP. Behind this
> router is my LAN. I enjoy setting up various different servers (web,
> news, irc, bbs, etc.), and would like to be able to access them from the
> internet. With this many "test" servers running, however, there are many
> potential security threats. I would like to create a separate "zone" on
> my network, autonomous from the private LAN, to place these servers
> in, in order to minimize the security risk to the rest of the LAN. (If one
> of the servers becomes compromised, the damage is isolated to the
> "server zone", thereby preventing further attacks to the private LAN). I
> would like the private LAN to be invisible to the "server zone", but
> still have access to the internet through the DSL router.


This is a DMZ setup and it works nicely if set up properly and firewalled
correctly.

> Here is my plan:
> Configure the DSL router to forward the ports needed for the various
> servers to a single computer. This computer acts as a firewall between
> the two network zones. The firewall examines the destination port on
> incoming packets, and based on that, DNATs the address to the
> appropriate physical server. (For example, redirect all packets destined
> to port 80 to 10.0.0.2, and all packets destined for port 21 to 10.0.0.3).


OK, not sure why everyone thinks they need to use 10.x.x.x for everything
but I would suggest that you use 192.168.x.x for your network. You are
never going to use all of those 10.x.x.x addresses, heck for that matter
you are never going to use all the 192.168.x.x addresses either at home.

Iptables will be able to handle this nicely. I do something like this
here at my home and it works wonderfully.

> Also, in order to facilitate the "zone separation", this firewall will
> drop all packets coming from the "server zone", destined to the private
> LAN, and vice versa.


Not a good idea. Dropping NEW packets from the 'server zone' would be
good but if you want to work on your 'server zone' from your 'private
zone' you shouldn't drop those packets. I would suggest allow what is
needed (ssh, ftp, web) and drop the rest. You will have to decide what
you want to allow through.

> I will also configure the firewall to SNAT all packets coming from the
> "server zone", destined to the internet, with the private LAN IP address
> of the firewall.


That you will need to do if you expect the answers to come back.

> Hopefully, this will behave as expected.


If configured properly then yes it will. I do something similar to this
here. I have a 3-network setup. 1- My network with my machines and servers
for the other networks. 2- Family's network where everyone else is on and
can surf the web as needed. 3- Son's PS2 network (so called DMZ). Man is
there a lot of traffic on that one.


--

Regards
Robert

Smile... it increases your face value!
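An added example, not any poster's own script: the iptables rule set for the plan in the original post (port-based DNAT into the server zone, SNAT of server-zone traffic to the firewall's LAN address), with Robert's refinement that the private LAN may open admin sessions into the server zone while nothing NEW is allowed the other way. Interface names, subnets and server addresses are constructed assumptions: eth0 faces the ISP router and the private LAN 192.168.1.0/24 (the firewall is 192.168.1.2), eth1 faces the server zone 192.168.2.0/24.

```shell
#!/bin/sh
# Added example for this thread (not any poster's own script): iptables rules
# for the DMZ plan, with Robert's refinement that the private LAN may open
# admin sessions into the server zone while nothing NEW flows the other way.
# Constructed assumptions: eth0 faces the ISP router and the private LAN
# 192.168.1.0/24 (this box is 192.168.1.2); eth1 faces the server zone
# 192.168.2.0/24 with a web server and an FTP server in it.
WAN_IF=eth0; LAN_NET=192.168.1.0/24; FW_LAN_IP=192.168.1.2
DMZ_IF=eth1; DMZ_NET=192.168.2.0/24
WEB_SRV=192.168.2.10; FTP_SRV=192.168.2.11

# DRY_RUN=1 prints each rule instead of installing it, so the set can be
# reviewed before it touches a live box.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

dmz_rules() {
    ipt -t nat -F PREROUTING; ipt -t nat -F POSTROUTING
    ipt -F FORWARD; ipt -P FORWARD DROP      # default: nothing crosses zones

    # 1. The ISP router forwards ports 80 and 21 to this box; DNAT each
    #    destination port to the physical server that owns the service,
    #    and let only those services in from outside.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SRV"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 21 -j DNAT --to-destination "$FTP_SRV"
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$WEB_SRV" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$FTP_SRV" -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

    # 2. Replies to any accepted flow pass in both directions (active-mode
    #    FTP data connections also need the ftp conntrack/nat helpers).
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. Zone separation: ssh may be opened from the private LAN into the
    #    server zone; a compromised server gets nothing toward the LAN.
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -o "$DMZ_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -d "$LAN_NET" -j DROP

    # 4. Servers may reach the internet, hidden behind this box's LAN address
    #    (the ISP router then NATs a second time, as the replies warn).
    ipt -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$DMZ_NET" -o "$WAN_IF" -j SNAT --to-source "$FW_LAN_IP"
}

# Run with nothing set to print the rule set for review; APPLY=1 (as root) installs it.
if [ "${APPLY:-0}" = 1 ]; then dmz_rules; else DRY_RUN=1 dmz_rules; fi
```

Traffic to the firewall box itself goes through INPUT, not FORWARD, so that chain still needs its own policy; the script above only governs what crosses between the zones.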

