04-08-2006, 12:07 PM | #1
Senior Member | Registered: Feb 2003 | Location: Washington D.C | Posts: 2,190
Network Design
If, for example, you were to create a network that will be providing e-mail, web services and hosting a LAN with users, what would be the correct design layout to maximize security?
Example:
Firewall------DMZ----------Web Server
|
|
|
Proxy
|
|
|
LAN
04-08-2006, 12:52 PM | #2
LQ Guru | Registered: Jan 2003 | Location: Seymour, Indiana | Distribution: RHEL 5 with pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu | Posts: 5,700
I myself don't like to interact with web services and LAN systems, so I built mine this way:
Internet
|
eth0
router ( has 3 nics, 1 for wan internet, 1 for dmz servers, 1 for lan)
eth1 lan ---------- eth2 dmz
lan machines----------internet servers
I have gone as far as to add a second router between eth1 and the LAN machines. I have set up wireless access on the second router, which has many security features: MAC filtering, WPA, and RADIUS support. May be extreme, but fun to build.
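The three-NIC router in the post above, expressed as an nftables forward policy. This is an added example, not configuration from the thread; the interface names (eth0 Internet, eth1 LAN, eth2 DMZ) and the service ports are assumptions. The point it shows is the one the DMZ design is for: the public servers can be reached from the Internet and the LAN, but can never open a connection inward, and any attempt to do so is logged.

```shell
#!/bin/sh
# Added example (not from the thread): nftables forward policy for a
# three-NIC router like Brian1's. Interface names, address ranges and
# service ports are assumptions; adjust them to the real hosts.
WAN=eth0   # Internet
LAN=eth1   # LAN machines
DMZ=eth2   # public servers (web, mail)

# Print the ruleset on stdout so it can be reviewed before loading.
gen_ruleset() {
cat <<EOF
flush ruleset
table inet router {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Internet reaches only the published DMZ services
    iifname "$WAN" oifname "$DMZ" tcp dport { 25, 80, 443 } accept
    # LAN may use the DMZ services and browse out
    iifname "$LAN" oifname "$DMZ" tcp dport { 25, 80, 443 } accept
    iifname "$LAN" oifname "$WAN" accept
    # DMZ hosts never initiate toward the LAN; log the attempt so a
    # compromised web server probing inward shows up in the logs
    iifname "$DMZ" oifname "$LAN" log prefix "dmz-to-lan: " drop
    # DMZ hosts get outbound only for DNS and package updates
    iifname "$DMZ" oifname "$WAN" udp dport 53 accept
    iifname "$DMZ" oifname "$WAN" tcp dport { 80, 443 } accept
  }
}
EOF
}

# True when the generated ruleset contains the given rule text.
has_rule() { gen_ruleset | grep -Fq -- "$1"; }

# Syntax-check the ruleset without loading it (needs nft; may need root).
check_ruleset() {
  command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 1; }
  gen_ruleset | nft -c -f -
}

gen_ruleset
```

Run `check_ruleset` on the router before `gen_ruleset | nft -f -`; the explicit log-and-drop line is redundant with the chain's drop policy but is what turns an inward probe from the DMZ into a log entry.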
04-09-2006, 10:42 AM | #3
Member | Registered: Jun 2002 | Location: Netherlands - Amsterdam | Distribution: RedHat 9 | Posts: 549
Brian1, isn't that exactly the same configuration as metallica1973 posted?!
04-09-2006, 11:46 AM | #4
Senior Member | Registered: Feb 2003 | Location: Washington D.C | Posts: 2,190 | Original Poster
Quote:
Brian1, isn't that exactly the same configuration as metallica1973 posted?!
I have to agree with PK21. I was always taught to put web servers and public services in a DMZ.
Would this be more appropriate and secure?
Firewall/IDS------DMZ----------Web Server
|
|
|
Proxy/Firewall/IDS
|
|
|
LAN
or
Firewall/IDS------DMZ----------Web Server
|
|
|
Proxy/IDS
|
|
|
Firewall/IDS
|
|
|
LAN
Last edited by metallica1973; 04-09-2006 at 11:47 AM.
04-09-2006, 05:12 PM | #5
Member | Registered: Jun 2002 | Location: Netherlands - Amsterdam | Distribution: RedHat 9 | Posts: 549
I think I would go with the first one. But if you have switches which support mirroring of ports, then I would go for the following.
|
[switch] ----mirror port to--------------
| |
Firewall------DMZ----------Web Server |
| | |
| | |
[switch] ----mirror port to---------------> IDS
|
Proxy/Firewall
|
|
LAN
Maybe you can mirror switch ports to tap traffic on multiple switches on your network and connect them to an IDS system like Snort. With a setup like this, traffic will be copied to your IDS, and the IDS system doesn't need to send any traffic; it will only receive traffic and is for this reason more secure than a system that will be reachable from your network.
04-09-2006, 05:14 PM | #6
Member | Registered: Jun 2002 | Location: Netherlands - Amsterdam | Distribution: RedHat 9 | Posts: 549
Damn, my drawing's outline didn't stay, let's try again :-) :
|
[switch] ----mirror port to--------------> IDS
|
Firewall------DMZ----------Web Server
|
|
[switch] ----mirror port to---------------> IDS
|
Proxy/Firewall
|
[switch] ----mirror port to---------------> IDS
|
LAN
And of course you can also mirror the traffic which is generated on the DMZ.
04-09-2006, 11:16 PM | #7
Senior Member | Registered: Feb 2003 | Location: Washington D.C | Posts: 2,190 | Original Poster
Interesting, I will have to read up on port mirroring. Thanks.