LinuxQuestions.org


deedi01 07-02-2009 08:37 PM

Designing a secure network
 
Hey Guys,

So I am trying to design a secure network with a reasonable level of intrusion prevention. The specs would be a primary and secondary web server, a mail server, a honeypot, an Oracle DB server, an application server, a Hogwash, an NIPS sensor and about 3 HIPS sensors.

Any suggestions?

choogendyk 07-02-2009 09:41 PM

Sounds like you have it mapped out. Any specific questions?

deedi01 07-03-2009 10:46 AM

Response
 
Well, I am not sure where the NIPS and HIPS sensors should be placed. I am also not too familiar with the honeypot and Hogwash. I was hoping for an outline and sample drawings.

choogendyk 07-03-2009 10:01 PM

If you Google "nips hips sensors" you get a bunch of hard-core references on the first page of hits.

You haven't provided enough information here for anyone to give you any kind of network configuration, outline or drawings. Anyway, I'm taking off on vacation, so someone else will have to pick this up if you decide to provide more detailed information with specific questions.

routers 07-03-2009 11:38 PM

I'm not sure whether you can follow my way or not, but I consider what I'm doing an advanced
network intranet design involving a dedicated firewall using IPCop in a datacenter. This is the design layout example.

5 public IPs given by the IDC, and with private IP 192.168.68.65/28
I create my own way.

Private IP calculation as follows:

Code:

[noc@nc ~]$ ipcalc 192.168.68.65/28
Address:  192.168.68.65        11000000.10101000.01000100.0100 0001
Netmask:  255.255.255.240 = 28 11111111.11111111.11111111.1111 0000
Wildcard:  0.0.0.15            00000000.00000000.00000000.0000 1111
=>
Network:  192.168.68.64/28    11000000.10101000.01000100.0100 0000
HostMin:  192.168.68.65        11000000.10101000.01000100.0100 0001
HostMax:  192.168.68.78        11000000.10101000.01000100.0100 1110
Broadcast: 192.168.68.79        11000000.10101000.01000100.0100 1111
Hosts/Net: 14                    Class C, Private Internet

1) Install a dedicated firewall with
- public IP = 202.100.188.200 eth0 -> switch
- private IP = 192.168.68.65 eth1 -> switch
- DHCP = off

1.1) win2k server 1
- IP = 192.168.68.66 = open port 3366 on the firewall for rdesktop
1.2) win2k server 2
- IP = 192.168.68.67 = open port 3367 on the firewall for rdesktop

2) Install Linux with Apache
- public IP = 202.100.188.201 eth0 -> switch
- private IP = 192.168.68.68 eth1 -> switch
- Apache rewrite code: domain1 points to win2k server 1
- Apache rewrite code: domain2 points to win2k server 2

3) Linux mail server

- private IP = 192.168.68.69
- open all required ports for the mail server on the firewall
- all MX records point to the firewall's public IP

Following this way you can have many servers in the IDC.
It works with Xen also; I have set up many Xen guests with intranet IPs
that can be accessed from outside via the firewall and a domain with Apache rewrite code.

I also set up a DNS server with Xen for ns1 and ns2. You can use a public IP or a
private IP, but you must open the ports accordingly.

Hope you can get a clue from this.

FYI, I mixed public IPs and private IPs on the same switch.
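As an added example (not part of the post above), the firewall side of this layout expressed as iptables DNAT rules, generated from the published-port list so that each target is checked against the 192.168.68.64/28 subnet from the ipcalc output and no public port is published twice. The addresses are the hypothetical ones from the post; RDP's internal port 3389 is assumed for the rdesktop forwards.

```python
import ipaddress

# Layout from the post above; the hypothetical addresses are the ones given there,
# and RDP's internal port 3389 is assumed for the rdesktop forwards.
PRIVATE_NET = ipaddress.ip_network("192.168.68.65/28", strict=False)  # 192.168.68.64/28
FIREWALL_PUBLIC, WAN_IF, LAN_IF = "202.100.188.200", "eth0", "eth1"
# (port published on the firewall, internal host, internal port)
FORWARDS = [
    (3366, "192.168.68.66", 3389),  # win2k server 1
    (3367, "192.168.68.67", 3389),  # win2k server 2
    (25, "192.168.68.69", 25),      # mail server; its MX points at the firewall
]

def dnat_rules(forwards, net=PRIVATE_NET, public=FIREWALL_PUBLIC):
    """Emit the iptables DNAT and FORWARD rules for each published port, refusing
    targets outside the private subnet and ports published twice."""
    seen, rules = set(), []
    for pub_port, host, int_port in forwards:
        if ipaddress.ip_address(host) not in net.hosts():  # excludes .64 and .79
            raise ValueError(f"{host} is not a usable host in {net}")
        if pub_port in seen:
            raise ValueError(f"public port {pub_port} is published twice")
        seen.add(pub_port)
        rules.append(f"iptables -t nat -A PREROUTING -i {WAN_IF} -d {public} -p tcp "
                     f"--dport {pub_port} -j DNAT --to-destination {host}:{int_port}")
        rules.append(f"iptables -A FORWARD -i {WAN_IF} -o {LAN_IF} -d {host} -p tcp "
                     f"--dport {int_port} -m state --state NEW -j ACCEPT")
    return rules

if __name__ == "__main__":
    print("\n".join(dnat_rules(FORWARDS)))
```

The rules assume a FORWARD chain whose policy is DROP with an ESTABLISHED,RELATED accept rule already in place, as a dedicated firewall such as IPCop provides.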

deedi01 07-05-2009 03:03 PM

Response to router
 
Thank you so much for this. It's going to help me a lot.

Do you know anything about honeynets and Hogwash? Where would you place them in a network?

routers 07-05-2009 08:39 PM

I'm sure Hogwash needs to be implemented inside the firewall box.
For a dedicated firewall I suggest you use Untangle; it's equal to SonicWall
and it's free. I got to know it last time because of the ads on this LQ.

But the honeynet/honeypot, are you going to use it for forensic analysis?

I don't know about other people, but for me, I will never put this honey on my
network. It's like you are calling flies to get the honey you provided, but you are ready to blow them away with Fumakila made in Japan :)

deedi01 07-06-2009 02:24 PM

Response to router
 
lol. You are funny.

Well yes, we are to design a network with an intrusion prevention system, and the honeypot would be for forensic analysis. You have been really helpful so far. One more question.

Any suggestions on how you would protect each of your servers?

Thanks

chrism01 07-06-2009 06:17 PM

Protection considerations:

1. ownerships/permissions
2. SELinux if available (RH based, for example)
3. /etc/hosts.allow, /etc/hosts.deny
4. firewall, i.e. iptables
5. disable remote login by root for ssh
6. disable plain-text logins entirely, e.g. telnet, ftp, rsh, rexec, remsh etc.
http://www.informit.com/articles/art...p=169465&rll=1
7. see the Security forum here at LQ, but chkrootkit, rkhunter, samhain, aide etc.

routers 07-07-2009 12:08 AM

Consider what chrism01 said.

I'd add the following 3:

1) keep your system updated
2) change your ssh / ftp port if possible
- because this is the main target of script kiddies

3) for more advanced setups I depend on Apache rewrite code to
forward a domain to another LAN server, and it's not so
difficult to do.

As a live example, try scanning http://hrms.ajv.com.my/

I don't mind showing my own live server.

Code:

[rou@cos ~]$ lynx -head -source http://hrms.ajv.com.my/
HTTP/1.1 403 Forbidden
Date: Mon, 06 Jul 2009 21:34:41 GMT
Server: Microsoft-IIS/6.0
Content-Length: 218
Content-Type: text/html; charset=UTF-8
Connection: close

[rou@cos ~]$ nslookup hrms.ajv.com.my
Server:        192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
Name:  hrms.ajv.com.my
Address: 202.157.188.244

[rou@cos ~]$ lynx -head -source http://202.157.188.244
HTTP/1.1 403 Forbidden
Date: Mon, 06 Jul 2009 21:35:14 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Content-Length: 5043
Connection: close
Content-Type: text/html; charset=UTF-8

This proves how things work.

PS: sorry for my English :)
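As an added example (not code from either poster), a small audit for three items raised in this thread: chrism01's item 3 (hosts.allow/hosts.deny), his item 5 (no root login over ssh) and routers' item 2 (move ssh off port 22). It parses sshd_config the way sshd does (first occurrence of a keyword wins) and checks the TCP-wrapper files for a catch-all deny. The sample files are constructed inline and are not from any real host.

```python
import re
# Constructed sample files (not from any real host): a stock 2009-era set, then a hardened one.
WEAK_SSHD = "Port 22\n#PermitRootLogin yes\nProtocol 2\n"
WEAK_ALLOW, WEAK_DENY = "sshd: ALL\n", ""
HARD_SSHD = ("Port 2222\nPermitRootLogin no\nProtocol 2\n"
             "Match Address 192.168.68.64/28\n  PasswordAuthentication yes\n")
HARD_ALLOW, HARD_DENY = "sshd: 192.168.68.64/255.255.255.240\n", "ALL: ALL\n"

def parse_sshd_config(text):
    """Lowercase keyword -> first value (sshd honours the first); stop at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit_sshd(text):
    """Findings for chrism01's item 5 (root login) and routers' item 2 (port)."""
    s, findings = parse_sshd_config(text), []
    root = s.get("permitrootlogin", "yes").lower()  # "yes" was the default in 2009
    if root != "no":
        findings.append(f"PermitRootLogin is '{root}'; set it to 'no'")
    if s.get("port", "22") == "22":
        findings.append("sshd listens on the default port 22")
    return findings

def _wrapper_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines into (daemons, clients)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            fields = [f.strip().upper() for f in line.split(":")]
            rules.append((fields[0], fields[1]))
    return rules

def audit_tcp_wrappers(hosts_allow, hosts_deny):
    """allow is checked first, then deny; a client matching neither is accepted (chrism01's item 3)."""
    findings = []
    if ("ALL", "ALL") not in _wrapper_rules(hosts_deny):
        findings.append("hosts.deny lacks 'ALL: ALL'; unlisted clients are accepted")
    for daemons, clients in _wrapper_rules(hosts_allow):
        if clients == "ALL" and daemons in ("ALL", "SSHD"):
            findings.append(f"hosts.allow admits {daemons} from ALL, overriding hosts.deny")
    return findings
```

Run it against the weak set to see both sshd findings and both wrapper findings; the hardened set returns empty lists.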

