Security Basics mailing list archives
Re: Access Internal and External Networks
From: JGrimshaw () ASAP com
Date: Fri, 19 Sep 2003 10:53:43 -0500
For a less headachy set up, I would suggest number 2. Multi-homing for the purposes you describe really is not a good idea, and could lead to additional problems. Where I am at now, it was done that way (and is in the process of being changed) and the DNS entry has the external NIC, which then is filtered through the firewall, so anyone that tries to ping or manage something by name automatically goes to DNS and it fails, because the firewall is doing its job. Even though the other IP address is in WINS, nothing uses WINS by default (yes, it's an NT shop, but everyone keep in mind I am a Router/WAN guy wearing a variety of hats).

I've found it to work best when one NIC is used (unless teaming or fault tolerance is involved, which is a different discussion) and using NAT to translate to a static external address for you, perhaps hosted on a device such as a BIG-IP for load balancing the requests. When attackers try to penetrate, they then have to go through the router, the firewall, and the BIG-IP (or some other balancer or other devices you may have in line) before finally getting onto your network. Granted, the BIG-IP doesn't provide much in the way of protection, but it does allow for the assignment of virtual IP addresses to the server that could be assigned via a static NAT translation on a firewall, which could then be permitted through the firewall, via ports such as 80 and 443 if that's what those servers are hosting.

This is assuming, of course, your external connection is for the purposes of hosting something. If you are just going to connect to the internet for other reasons, I would still suggest using the NAT scenario. If anyone can offer a better idea, I am all ears, as I am trying to reduce the multi-homing in my environment as much as I can.
From: <william () orlitech com au>
Date: 09/18/2003 05:42 PM
To: security-basics () securityfocus com
Subject: Access Internal and External Networks

I have a need for some servers to access both the external network and the internal network and am wondering which approach would be best:

1. 2 NICs in each server, one connected to the external network and one connected to the internal network
2. 1 NIC in each server connected to the internal network and DNAT the required ports from the external address to the internal address

Thanks
William

---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Precisely Define and Implement Network Security
- Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW - FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------
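The following is an added example, not code from either poster: it shows option 2 from the question (one internal NIC on the server, DNAT of only the hosted ports from a static external address) as a Linux iptables rule set on the firewall, with a dry-run mode so the generated rules can be inspected before they are applied. The interface names, the external address 203.0.113.10 and the internal address 192.168.1.10 are constructed placeholders. As the reply notes, internal clients still need the server's name to resolve to the internal address (split DNS); otherwise they are sent to the firewall and dropped.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for the single-NIC
# + DNAT design. All addresses are constructed placeholders (RFC 5737 /
# RFC 1918); interface names are assumptions for the firewall host.

EXT_IF="${EXT_IF:-eth0}"   # assumption: firewall's outside interface
INT_IF="${INT_IF:-eth1}"   # assumption: firewall's inside interface

# Emit (do not execute) the rule set for one published server.
# $1 = static external address, $2 = internal server address,
# $3 = space-separated list of TCP ports to publish (e.g. "80 443").
build_dnat_rules() {
    ext_ip="$1"; int_ip="$2"; ports="$3"
    for p in $ports; do
        # Inbound: rewrite the destination to the internal server, one port at a time.
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $ext_ip --dport $p -j DNAT --to-destination $int_ip:$p"
        # Filter: only the published ports may be forwarded to the server.
        echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $int_ip --dport $p -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    done
    # Return traffic for connections already permitted.
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Outbound connections from the server leave as the same static external address.
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $int_ip -j SNAT --to-source $ext_ip"
    # Anything else from outside bound for the server is dropped (appended last, so evaluated last).
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $int_ip -j DROP"
}

# Number of ports a generated rule set publishes; lets the output be
# checked without touching a live firewall.
count_published_ports() {
    build_dnat_rules "$@" | grep -c -- '-j DNAT'
}

# Dry run by default; pass --apply on a Linux firewall to execute the rules.
main() {
    rules=$(build_dnat_rules 203.0.113.10 192.168.1.10 "80 443")
    if [ "$1" = "--apply" ]; then
        printf '%s\n' "$rules" | while IFS= read -r r; do eval "$r"; done
    else
        printf '%s\n' "$rules"
    fi
}

main "$@"
```

Run without arguments to review the rules; the same script with `--apply` installs them. Adding a second published server is a second call to `build_dnat_rules` with its own external address, which is the static per-server mapping the reply describes.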
Current thread:
- Access Internal and External Networks william (Sep 19)
- Re: Access Internal and External Networks JGrimshaw (Sep 19)
- Re: Access Internal and External Networks John Hollyoak (Sep 19)
- RE: Access Internal and External Networks David Gillett (Sep 19)
- Re: Access Internal and External Networks Ansgar -59cobalt- Wiechers (Sep 22)
- Re: Access Internal and External Networks alias (Sep 22)
- <Possible follow-ups>
- RE: Access Internal and External Networks Hagen, Eric (Sep 19)
- RE: Access Internal and External Networks Meidinger Chris (Sep 22)