Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Secure network design

Status
Not open for further replies.
jrothwell88

jrothwell88

MIS
Jan 2, 2013
2
US
I have a 3-legged router/firewall setup with a DMZ subnet, a private subnet, and the WAN. On the private subnet, I have two file servers, a DNS/DHCP/Print server, and a DC. In the DMZ, I have a web server and a DNS server. I do not allow any traffic from the DMZ to the internal network and only allow DNS and HTTP traffic form the internet to the DMZ. What is the most secure way to add an email (exchange) server and VPN server into the network. I don't want to allow any traffic directly form the internet to the internal network and I don't want to allow any traffic from the DMZ to the internal network. How do most corporate environments with a focus on security have this setup?

Thanks
 
Sort by date Sort by votes
Welcome to tek-tips.

It sounds like you have a pretty good setup and the right idea, putting you way ahead of most.

As far as an email server goes, I would add this to your DMZ zone. A couple of things to keep in mind about email systems. One, they are VERY dependent upon DNS. Two, they are by definition very public and anti-spam measures rely on techniques to confirm that the originating server really is who it says it is. Your network users should be able to access your email server via the public/internet interface.

With regards to VPN, when you say have a VPN server, are you planning on using a software based VPN like openvpn or something directly implemented in your firewall? Most firewalls support IPSEC and/or SSL VPNs, making having a dedicated VPN server unnecessary. With VPN, the important part will be getting a proper (virtual) IP address to the client and implementing proper routing and rules for resource access. If you are considering SSH access into any servers, a very secure way would be to keep the SSH ports private and require the clients to first use VPN and then create an SSH tunnel through the VPN.

As with all things security, it is best applied in layers. Keep things compartmentalized, use the concept of least privilege, and most importantly regularly audit and monitor your logs and system status.
 
Upvote 0 Downvote
Thanks for replying.

The email server is MS Exchange. This needs Active Directory access and needs to be domain-joined. Without punching holes from the DMZ into the internal network, how would I go about putting this in the DMZ? Should I create an additional perimeter network and place an Exchange Edge server or "front-end Exchange server" in the perimeter network and punch holes from that network into the internal network? This goes along with the defence-in-depth concept but if that Exchange server is compromised, then they now have a way into the internal network.

For the VPN, I need to use a deticated server. I can assign authenticated clients a pool of IP addresses and only allow those IPs into the internal network but wouldn't an attacker be able to spoof one of those IP addresses and gain access?

Thank You,
Jason
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

ciscokid1984
  • Locked
  • Question
Watchguard RDP from external network
Replies
1
Views
210
hairlessupportmonkey
hairlessupportmonkey
acabezas2014
  • Locked
  • Question
Configuring ASA for Network Segmentation
Replies
1
Views
220
acabezas2014
acabezas2014
texwiz
  • Locked
  • Question
need some help to properly set up, segregate and secure a network with an ASA 5505
Replies
2
Views
151
texwiz
texwiz
alex1002
  • Locked
  • Question
Sonicwall SSLVPN very slow Throughput accessing network files
Replies
1
Views
217
alex1002
alex1002
Spork52
  • Locked
  • Question
Is this secure? Serving content from two servers with SSL
Replies
3
Views
142
ChrisHirst
ChrisHirst

Part and Inventory Search

Sponsor

Back
Top