Old 03-26-2003, 03:50 AM   #1
Grim Reaper
Member
 
Registered: Apr 2002
Distribution: Gentoo 2006.0 AMD64
Posts: 399

Rep: Reputation: 30
My "Hopefully" fairly secure network...


I'm looking at making my network like so:

Code:
The Net
    |
    |
ADSL Modem
    |
    |
  eth0: IP DHCP Assigned by ISP
    |
    |
Firewall (OS: OpenBSD)--eth1: IP 10.0.0.1-------Web Server: IP: 10.0.0.2 (OS: Debian)
    |
    |
   eth2: IP: 192.162.0.1
    |
    |
Switch to workstations
Now hopefully this turns out alright and you can understand it...lol.

Now, with these green, orange and red DMZ things you can set up with Smoothwall and stuff, how could I do that with this...
I want it to do this: The webserver cannot talk to my internal LAN, it can only talk to my firewall, but the LAN can talk to the web server and view pages, etc...and I put it on a different IP range because it seems more secure, idk why, it just 'seems' to be more secure to me...hehe...

The way I designed it like this is: if my webserver (Apache or whatever) gets compromised, it won't be able to view shares, ping, talk or anything to my internal LAN computers, only the firewall, so the hacker would then need to try and compromise the firewall (have fun with OpenBSD biatches) before they can even get near my LAN...

Now, is it all possible? How would I keep that webserver from talking to my LAN, etc...

Thanks guys


EDIT: Btw, to move my hardware around to get max performance...

I have about 4 computers on the LAN needing net access and webserver access...I have an AMD K6-2 350 and a 686 PR233 (Is this a Pentium 233???)....Now, what would need the most CPU, the firewall or webserver? The webserver isn't going to be viewed all the time, only occasionally, whereas the firewall will be used all the time...

RAM isn't an issue, I'll just chuck whatever needs more in them (I'm thinking 128 in the webserver and 64 in the firewall...) as both machines can take SD-Ram...

Last edited by Grim Reaper; 03-26-2003 at 03:54 AM.
 
Old 03-28-2003, 05:38 AM   #2
Paul Johnson
LQ Newbie
 
Registered: Mar 2003
Location: Chelmsford, Essex, UK.
Distribution: Red Hat
Posts: 15

Rep: Reputation: 0
I don't know Smoothwall, so I can't comment on how to do it in that.

> i put it on a different IP range because it seems more secure

It isn't more secure. I'd recommend using 10.* for everything, simply because it's the biggest and easiest to remember. However, having a specific IP range for the webserver will help because you will need the firewall machine to act as a router. So use 10.1.*.* for the webserver plus any other machines you want to put there in the future, and 10.2.*.* for the rest of the network.

>How would i keep that webserver from talking to my lan, etc...

It looks like you want the firewall to "trust" your web server about as much as it trusts the rest of the Internet (i.e. there is nothing that the webserver should be able to do that J Random Hacker out on the Internet can't). If so then you just need to set up the same rules along each "edge" Internal-Internet, Internal-Webserver, Webserver-Internet. Then add one exception to allow the webserver to accept updates from the internal network.

The web server has to be accessed from your internet address. You will have to set up your firewall to forward incoming TCP packets on port 80 to the firewall.

Paul.
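
One way to express the policy discussed in this thread as an OpenBSD pf ruleset, added here as an example and not part of either post. It uses current pf.conf syntax; the interface names are placeholders (OpenBSD names interfaces by driver, not eth0/eth1/eth2), the /24 netmasks and the SSH exception for updates are assumptions, and the addresses are taken from the diagram as written.

```conf
# /etc/pf.conf -- three-legged firewall: Internet / DMZ web server / LAN
# Placeholder interface names; substitute the real driver names.
ext_if  = "em0"             # "eth0" in the diagram, DHCP from the ISP
dmz_if  = "em1"             # "eth1" in the diagram, 10.0.0.1
lan_if  = "em2"             # "eth2" in the diagram, 192.162.0.1

web     = "10.0.0.2"        # web server from the diagram
dmz_net = "10.0.0.0/24"     # assumed netmask
lan_net = "192.162.0.0/24"  # address as written in the diagram, assumed netmask

set skip on lo

# Default deny for everything arriving on any interface. Forwarded
# traffic is policed where it enters the firewall, so outbound is
# simply passed (statefully) once an inbound rule has admitted it.
block in log all
pass out all

# Hide the private networks behind the ISP-assigned address.
match out on $ext_if inet from { $lan_net $dmz_net } nat-to ($ext_if)

# Internet -> web server: only TCP/80, redirected to the DMZ host.
pass in on $ext_if inet proto tcp to ($ext_if) port 80 rdr-to $web

# LAN -> web server: browsing, plus SSH for pushing updates
# (the "one exception" for updates; SSH is an assumed choice).
pass in on $lan_if inet proto tcp from $lan_net to $web port { 80 22 }

# LAN -> anywhere except the rest of the DMZ.
pass in on $lan_if inet from $lan_net to ! $dmz_net

# DMZ -> anything: there is deliberately no "pass in on $dmz_if" rule.
# Replies from the web server to connections opened by the LAN or the
# Internet match existing state and get through; a connection the web
# server tries to open itself (to the LAN, the firewall, or the
# Internet) hits "block in log all" and shows up in the pf log.
# If the web server later needs outbound access (DNS, package updates),
# add a narrow rule here and keep "to ! $lan_net" in it.
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which catches syntax errors before the ruleset goes live.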
 
  

