smart network architecture for SOHO?

M

m4rtin

is this fallowing network architecture smart for SOHO environment(rather small budget, but security is important):

net4.png


mail server and ftp/http servers are separated for security reasons. Any suggestions? Or some other improvements? :stud
 
What is your Internet source? XDSL, ISDN, Cable?

(and I'd probably use OpenBSD in place of FreeBSD in this situation where the machine's main function appears to be as a firewall, although it's really dependent on the answer to my question above.)
 
The first one is a lot better. Imagine what happens if your ftp/web server gets hacked. In the second your attacker will be on the LAN. On the first it'll be confined to the ftp/web server.

Of course you will need to make sure there's no traffic possible from the ftp/web server back into your LAN (firewall it).
 
trev said:
What is your Internet source? XDSL, ISDN, Cable?

(and I'd probably use OpenBSD in place of FreeBSD in this situation where the machine's main function appears to be as a firewall, although it's really dependent on the answer to my question above.)
Click to expand...

my internet source is ADSL. Using OpenBSD instead of FreeBSD is a good idea. I made some improvements(have one physical machine instead of two, but using jails the security level should remain equal):

net.png


Is this network architecture technically good? Is jails capable to achieve that?
 
SirDice said:
The first one is a lot better. Imagine what happens if your ftp/web server gets hacked. In the second your attacker will be on the LAN. On the first it'll be confined to the ftp/web server.
Click to expand...
that is why I used VLAN's on second architecture ;)
 
Don't use VLANs for security, it's not what they're meant for. They're to improve network performance nothing more.
 
If the ADSL modem is in fact a router (simple bridges are very rare these days), and it has a decent ICSA-compliant firewall (eg Siemens Speedstream 4200), then I'm not sure the OpenBSD machine achieves anything and could be reassigned as your missing second machine or dropped altogether.

You could run up firewalls on the other machines for defence in depth if you're really paranoid... I'm assuming you would only be forwarding SMTP, HTTP, FTP ports via the router. I believe it's much rarer to find an ADSL router compromised, than a machine with a complete operating system.

ADSL router -> Switch -> LAN machines
 
You definitely want to use a separate firewall box ... I've yet to see even a commercial-grade ADSL "modem" that included a usable packet filter implementation, including logging facilities. *BSD+PF/IPFW gives you a lot more control, audit capabilities, and troubleshooting tools.

Either the first layout (multiple interfaces on firewall, separate DMZ and LAN) or the third layout (firewall + jail system) are good. Don't use the second layout (using vlans on switch for security).
 
Hmm.. You've got me thinking.. I've got a Cisco 1841 ISR that works as my firewall using the IOS software and my setup is similar to drawing #3 above but change the ADSL modem to a cable modem and swap out the OpenBSD box with the above mentioned Cisco router. The big difference today is that the cisco router has only 2 ports -- one to the cable modem (Internet side) and one to my internal (SOHO) network... I'm thinking that if I got a plug-in card for the Cisco (HWIC card) to add a 2nd internal port, I could effectively do what drawing #3 is trying to do and keep the mail/web traffic segregated from the other pieces of our internal home network.. The hard part is getting the 2nd port (big $$) unless I find a scrap router to part out...Hmm..
 
In my opinion it doesn't matter if you use layout one or two. Of course if you have enough physical interfaces, then there is no reason not to use it. But we are talking about a SOHO setup here in days were companies in financial businesses use virtualisation wherever they can (public web-server, backend-DB and internal systems on the same ESX-box in the worst case, yes that's reality! *g*...). Maybe it depends on the type of vlan-switch you are going to use. Maybe the cheap ones today still misbehave when flooding the mac-table and fall into "hub-mode" regardless of any configured vlans, but I don't expect this anymore (anyone with practical experiences here? would be interesting!). What can happen if someone breaks your ftp server? He doesn't even know that he resides inside a vlan on the same switch as other (internal) vlans if the switch-configuration is done properly (no protocols enabled like VTP, CDP if it's a Cisco to avoid exposing such informations; switch should be managed out-of-band...blabla). We don't talk about a switch >>without<< vlan-separation (vlan-tagging on all servers only is not meant here from my understanding!), so no trunks expect for the firewall (and if the fw is compromised e.g. because of a vulnerable VPN-service the attacker can reach all your boxes). I also don't see multiple switches connected with trunks for vlan-double-encapsulation attacks, which might be abused (still today(?!) for unidirectional(!) packet injection. That's just my humble opinion. These security with vlan-separation related discussions often are from philosophic nature.

But I would avoid using a jail to separate (public) http/ftp-servers from other servers (like mail, or later a DB?!...) if you have important/personal content in the latter. Jails are great (and definitely better than having all services on one host-system) but not perfect at the moment and you have to configure and maintain(!) some things to make it secure (have seen too many jails without proper devfs-rules the last weeks). What do you think about using IDS/IPS like snort? I'm going to setup snort next time, I think this could be more interesting and helpful than talking about vlan-security, firewall and vpn only.

I believe it's much rarer to find an ADSL router compromised, than a machine with a complete operating system
Click to expand...

This might be true for a lousy administrated server. ;) Have no numbers here, but I would not trust a 50$ DSL-router where the vendor took an (today) outdated Linux kernel and provides almost no updates for (kernel) vulnerabilities...

cheers,
honk:beer
 
honk said:
But I would avoid using a jail to separate (public) http/ftp-servers from other servers (like mail, or later a DB?!...) if you have important/personal content in the latter. Jails are great (and definitely better than having all services on one host-system) but not perfect at the moment and you have to configure and maintain(!) some things to make it secure (have seen too many jails without proper devfs-rules the last weeks).
Click to expand...

Are these cases where the rules are unchanged from the defaults? Just curious.. I've got one jail running (for mail) but will be adding another 2-3 of them in the coming weeks.
 
You must log in or register to reply here.
Back
Top