Secure network design

Jan 2, 2013
I have a 3-legged router/firewall setup with a DMZ subnet, a private subnet, and the WAN. On the private subnet, I have two file servers, a DNS/DHCP/Print server, and a DC. In the DMZ, I have a web server and a DNS server. I do not allow any traffic from the DMZ to the internal network and only allow DNS and HTTP traffic from the internet to the DMZ. What is the most secure way to add an email (Exchange) server and VPN server into the network? I don't want to allow any traffic directly from the internet to the internal network and I don't want to allow any traffic from the DMZ to the internal network. How do most corporate environments with a focus on security have this set up?

Thanks
 
Welcome to tek-tips.

It sounds like you have a pretty good setup and the right idea, putting you way ahead of most.

As far as an email server goes, I would add this to your DMZ zone. A couple of things to keep in mind about email systems. One, they are VERY dependent upon DNS. Two, they are by definition very public and anti-spam measures rely on techniques to confirm that the originating server really is who it says it is. Your network users should be able to access your email server via the public/internet interface.

With regards to VPN, when you say have a VPN server, are you planning on using a software based VPN like openvpn or something directly implemented in your firewall? Most firewalls support IPSEC and/or SSL VPNs, making having a dedicated VPN server unnecessary. With VPN, the important part will be getting a proper (virtual) IP address to the client and implementing proper routing and rules for resource access. If you are considering SSH access into any servers, a very secure way would be to keep the SSH ports private and require the clients to first use VPN and then create an SSH tunnel through the VPN.

As with all things security, it is best applied in layers. Keep things compartmentalized, use the concept of least privilege, and most importantly regularly audit and monitor your logs and system status.
 
Thanks for replying.

The email server is MS Exchange. This needs Active Directory access and needs to be domain-joined. Without punching holes from the DMZ into the internal network, how would I go about putting this in the DMZ? Should I create an additional perimeter network and place an Exchange Edge server or "front-end Exchange server" in the perimeter network and punch holes from that network into the internal network? This goes along with the defence-in-depth concept but if that Exchange server is compromised, then they now have a way into the internal network.

For the VPN, I need to use a dedicated server. I can assign authenticated clients a pool of IP addresses and only allow those IPs into the internal network, but wouldn't an attacker be able to spoof one of those IP addresses and gain access?

Thank You,
Jason
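The spoofing concern in the post above is normally answered with ingress (anti-spoofing) filtering on top of the zone rules: a packet whose source address belongs to the VPN client pool is only accepted if it actually arrived on the tunnel interface, so a packet on the WAN or DMZ leg carrying a pool address is dropped before any "VPN clients may reach the LAN" rule is consulted. The following is an added example, not code from the thread; it models the 3-legged design with a tiny policy evaluator, and all subnets, interface names and the VPN pool are made-up values.

```python
# Added example (not from the thread): zone policy plus anti-spoofing check
# for the 3-legged WAN / DMZ / LAN design, with a VPN client pool on tun0.
# Prefixes and interface names are constructed for illustration only.
import ipaddress
from dataclasses import dataclass

NETS = {  # source prefixes that are legitimate on each internal ingress interface
    "lan":  [ipaddress.ip_network("10.0.10.0/24")],
    "dmz":  [ipaddress.ip_network("10.0.20.0/24")],
    "tun0": [ipaddress.ip_network("10.0.99.0/24")],  # assumed VPN client pool
}
ZONE_OF = {"lan": "lan", "dmz": "dmz", "tun0": "vpn", "wan": "wan"}
DMZ_NET = NETS["dmz"][0]
LAN_NET = NETS["lan"][0]
WAN_TO_DMZ_ALLOWED = {("tcp", 80), ("udp", 53), ("tcp", 53)}  # HTTP and DNS only

@dataclass
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int

def ingress_ok(pkt: Packet) -> bool:
    """Anti-spoofing: a source must belong to the prefix of the interface it
    arrived on. A VPN-pool address is therefore only valid on tun0, and the
    WAN side may never present any of our internal prefixes."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "wan":
        return not any(src in net for nets in NETS.values() for net in nets)
    return any(src in net for net in NETS.get(pkt.iface, []))

def policy(pkt: Packet) -> str:
    """Return 'accept' or 'drop' for a forwarded packet (default deny)."""
    if not ingress_ok(pkt):
        return "drop"  # spoofed source: rejected before any zone rule applies
    zone = ZONE_OF[pkt.iface]
    dst = ipaddress.ip_address(pkt.dst)
    if zone == "wan" and dst in DMZ_NET and (pkt.proto, pkt.dport) in WAN_TO_DMZ_ALLOWED:
        return "accept"
    if zone == "vpn" and dst in LAN_NET:
        return "accept"  # authenticated clients reach the LAN only via tun0
    return "drop"        # everything else, including every DMZ -> LAN attempt
```

A real firewall expresses the same thing with per-interface source checks (reverse-path filtering or explicit ingress rules) ahead of the forwarding rules; the lesson is that the pool address alone is not the credential, the interface it is bound to is.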
 