How to securely connect an Intranet-Samba-PDC with a LAMP in the DMZ?!

Discussion in 'Linux Networking' started by Tom, Oct 16, 2007.

  1. Tom

    Tom Guest

    Hello group!

    I am administering a small network which has 3 zones: Internet, DMZ and
    Intranet, quite similar to what it looks like here:
    http://de.wikipedia.org/wiki/Bild:Endian_Network_Topology.jpg
    In other words: I have the RED (=insecure), ORANGE (partly secure) and
    GREEN (highly secure) zone, all combined by a Firewall/Gateway linux box.

    In the ORANGE zone (DMZ) I am running a LAMP server which serves data
    towards the public internet (Webserver and FTP server)
    In the GREEN zone (intranet) I am running a Samba-Server as fileserver and
    PDC for my intranet client machines.
    By default my firewall allows access from the green to the orange net, but
    not vice versa. However I can open "pinholes" so that partial access is
    allowed from orange to green (but each pinhole is also a decrease in
    security).

    So far so good.

    Now what I want to do:

    I want to be sitting on one of my Windows clients in the green network and
    be able to transfer files from the orange LAMP server to the green
    file server and vice versa comfortably via network shares.

    For the moment I am using FTP to transfer the files between them, sitting
    in front of the linux boxes, which is not very comfortable.

    How should I make that in the best way, so it remains top secure?

    - Do I have to install a Samba-Server on orange? (which I find insecure)
    - Do I have to grant the orange server access to green server by giving him
    a pinhole on the firewall? (which I again find insecure)
    - Do I have to connect them via NIS?
    - Can I somehow mount a folder between green and orange?
    - Do I need to install an FTP-server on both and then use FXP (which again I
    don't like because I don't want to install an FTP server on green for security
    reasons)

    What would you do in my case?
    Any advice is welcome!! :)

    Thank you
    tomakos
     
    Tom, Oct 16, 2007
    #1

  2. You need to organise your file transfers so that they are always
    initiated from the GREEN zone. So you want the simplest possible server
    running on your LAMP server that allows part of its filesystem to appear
    on your GREEN server.

    Why not just run an NFS server on your LAMP server with restrictions in
    your /etc/exports file that only allow your GREEN server to see the part
    of the filesystem that you export?

    Robert
     
    Robert Harris, Oct 16, 2007
    #2

  3. Tom

    Tom Guest

    Hello Robert!

    Thank you for your quick help!
    Yes, and I would be ok with that, since I never want to initiate transfers
    from orange to green, but only from green.
    Could you give me some details, since I don't know much more about NFS than
    what it is.
    If I would set up NFS on orange-server
    - Do I have to do the same on the green server? Or are there NFS servers and
    clients? Or how is it done?
    - How can I forbid NFS transactions initiated by orange? Or would it be
    enough, that the firewall blocks traffic from orange to green?
    - Ok let's say I have managed to link the orange and green server via NFS.
    What do I have to do next, so that I can see the orange folder in my network
    environment on the green clients? Do I have to mount something from orange
    to green server? Or how is it done?

    Thanks for any further piece of information!

    Ciao
    tomakos
     
    Tom, Oct 16, 2007
    #3
  4. There are NFS servers and clients. On the orange server you need to
    install a package with a name like nfs-server and edit the file:
    /etc/exports so that it contains a line like:

    /my/exported/directory *.local

    but you may well want to map user ids between the systems.

    "man exports" will tell you the whole story.

    On the green machine you need to install a package like nfs-common (that
    is the name on my Debian system) and mount the directory from the NFS
    server with a command like:

    mount -t nfs 192.168.1.2:/my/exported/directory /mnt/mountpoint

    Again, "man mount" and "man nfs" will tell you the whole story and when
    it works you can put a line in /etc/fstab so that the mount is automatic
    at bootup time.

    <http://nfs.sourceforge.net/nfs-howto/> is an excellent HOWTO document.

    Robert
     
    Robert Harris, Oct 16, 2007
    #4
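A check a defender would want after writing the /etc/exports entry described in this post, added here as an example that is not part of the thread: a small audit function that flags wildcard client specs (like the `*.local` entry above), `no_root_squash` and `insecure` in an exports(5) file. The sample file, the GREEN server address 192.168.1.20 and the path /srv/transfer are constructed for illustration.

```bash
#!/bin/bash
# Constructed sample exports file, not the thread's real config. Line 1 is the
# pattern from the post (wildcard host, default options); line 2 is a hardened
# entry limited to one GREEN host (assumed address 192.168.1.20).
EXPORTS_SAMPLE='/my/exported/directory *.local
/srv/transfer 192.168.1.20(rw,sync,root_squash,no_subtree_check)'

# audit_exports FILE: print a WARN line for each risky entry in an exports(5)
# file and return the number of warnings. Flags: missing or wildcard client
# specs, no_root_squash, and insecure (accepts unprivileged source ports).
audit_exports() {
    local file="$1" warnings=0 path clients spec host opts
    set -f   # no filename globbing while handling '*' client specs
    while read -r path clients; do
        case "$path" in ''|'#'*) continue ;; esac      # blank line or comment
        if [ -z "$clients" ]; then
            echo "WARN $path: no client list, exported to every host"
            warnings=$((warnings + 1)); continue
        fi
        for spec in $clients; do                       # host(opts) host(opts) ...
            host="${spec%%(*}"; opts=""
            case "$spec" in *'('*')') opts="${spec#*(}"; opts="${opts%)}" ;; esac
            case "$host" in ''|'*'|'*.'*)
                echo "WARN $path: wildcard client '$host'"
                warnings=$((warnings + 1)) ;;
            esac
            case ",$opts," in *,no_root_squash,*)
                echo "WARN $path -> $host: no_root_squash lets remote root act as root"
                warnings=$((warnings + 1)) ;;
            esac
            case ",$opts," in *,insecure,*)
                echo "WARN $path -> $host: insecure allows unprivileged source ports"
                warnings=$((warnings + 1)) ;;
            esac
        done
    done < "$file"
    set +f
    return "$warnings"
}

# demo: audit the constructed sample; prints one WARN line (the wildcard entry)
# and returns 1. On a real host: audit_exports /etc/exports
demo() {
    local f rc=0; f=$(mktemp)
    printf '%s\n' "$EXPORTS_SAMPLE" > "$f"
    audit_exports "$f" || rc=$?
    rm -f "$f"
    return "$rc"
}
```

Run `exportfs -ra` after editing the file so the server re-reads it, then `exportfs -v` shows the options actually in effect.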