Network topology suggestions for Win2k3 web server network

I have 2 application servers and one DC/SQL server at a colocation facility that serve as a public web server cluster. I am using a Watchguard Firebox X 1000 currently and a VLAN-segmented Cisco Catalyst 2950 router. I am looking to redo my network setup to make it safer, given that I've learned a bit more about network security since I first set this up.

Anyone out there feel like reading this and posting your suggestions, as little or as much as you want? I'd appreciate it!

My current setup is this:

Firewall (Firebox X 1000)
        |
Switch (Cisco Catalyst 2950)
        |            |
       DMZ        TRUSTED

Now all 3 machines are dual-homed Windows 2k3 machines. (I've been told that dual-NIC Windows machines have issues with sending out secure data over the DMZ interface and vice versa, and that's one of the reasons I want to abandon this setup.)

Each machine has a DMZ and a Trusted NIC and, as mentioned before, I'm using VLANs to segment the network. The DB server has its DMZ interface disabled, so it's essentially only on the Trusted VLAN. (I was also told that VLANs only give you a false sense of security, not actual security, ugh.)

I have the 3 servers set up as a Windows domain (name: mydomainname.mycompanyname.org). The SQL server also acts as the DNS server for internal lookups. The SQL server is also the time server. The 2 application servers are public web servers. I have set up the domain to use my Trusted LAN. All SQL requests, DNS requests and time server requests also travel over the Trusted VLAN. I'm a DNS/DC noob so I'm sure I messed up the domain setup etc. Everything works... for now.

So that's about it as far as my current configuration. Here's what I was thinking for a new setup:

  1. Ditch the VLANs and segment the network at the physical layer. Make all three machines single-NIC machines. The 2 application servers would connect ONLY to the DMZ, and the SQL server would connect ONLY to the Trusted.

  2. If I do (1), then I will need to open up holes to my Trusted network to allow the DMZ machines to perform SQL queries. ALSO, since the SQL server is also the DC/DNS/time server, they will need to access those ports/protocols as well. So now I'm thinking I have so many holes open, why bother with the Trusted LAN at all? Just put the SQL server in the DMZ since it would already be vulnerable.

  3. So then I started thinking, I wouldn't have to open many holes to Trusted at all if I could DITCH the DNS/DC/time server roles of my SQL server. This begs the question, do I need a domain for this setup? Can/should I just set up 3 independent machines that don't share a domain? I'm only using DNS to allow me to set up a domain. I'm using my ISP's DNS servers for public domain lookups anyhow. Any experts that can help with this one?

     In this sense, I would have 2 app servers in the DMZ and one SQL server in the Trusted. Each machine would be separate, domain-wise. And the only DMZ --> Trusted hole would be SQL server access limited by IP and port, and a port for sending over sensitive log data to the SQL server. These "holes" would be handled by firewall rules.

  4. If I decide to ditch the domain, will I need to reinstall Win2k3 to change my domain configuration? Can I do this without any OS re-installations?

  5. Lastly, do I have to change around my firewall configuration? It's currently set up in "routed mode", using NAT. But I have a whole block of 16 routable IPs from my ISP, so I was thinking of switching the setup to "Drop In" mode and stop using NAT for the 2 application servers. That way, I make better use of my IP block and I don't have to worry about NAT issues. But I would still use NAT for the Trusted LAN / SQL server so it's not exposed.

So what do you all think? I would love some help/feedback with this idea. I am also looking for someone to help me over the next few weeks as I try to implement this in a production environment. Looking for a guru, will pay of course. Thanks in advance for reading this far and/or responding with your opinions, suggestions and vast security knowledge.

Will

-- wfsmith

Nice. Exactly what I was thinking. This is very similar to the "drop-in mode" configuration listed in the Watchguard Firebox user guide.

Gotcha. The 2 app servers currently use Windows auth to handle content replication and some content sharing. But we use SQL auth ONLY to handle all DB requests from web server -> DB server. All our strings are encrypted as well, so if our web servers are compromised, our SQL server is protected.

Why would my SQL server need to "contact" the web servers? We only need the web servers to be able to establish a DB connection and get data from the DB. If this is our only need, can I ditch the DC/DNS role completely? The SQL server will only be serving data to applications on both app servers.

Ha. I'm not THAT much of a noob! jk. Always good to reiterate though.

Exactly my thought. I can use the MUVPN functionality to allow different logins to grant different server rights. E.g. a SQL VPN user can be granted access to Trusted, whereas my general maintenance VPN user will only have rights to the app servers in the DMZ.

Right, from what I've read, ANY HOLE WHATSOEVER from DMZ --> Trusted needs to be justified and carefully thought out.

What about the idea that I only use NAT for the Trusted LAN? I have a block of 16 routable IPs that I can use. I could set up the 2 application servers to use public IPs, since they are in the DMZ anyhow, and only set up a non-routable subnet for the Trusted LAN. Any thoughts?

Rock on

-- wfsmith

When we set up secure web servers and database servers as the back end, we do it as follows:

INTERNET
    |
Firebox 1000
    |                    |
   LAN                  DMZ
    |                /       \
  SQL 1           WEB 1     WEB 2

You do not use domains/AD on the servers; you don't need it to run as a web server, and you certainly don't want to use Windows authentication between the web servers and the SQL server.

Yes, you need to open 1433 from DMZ to LAN for the web servers to access the SQL server.

The web servers can get their DNS from the ISP's DNS server. You might make a static hosts file entry if you want to use the SQL server's name instead of its IP.

The SQL server, if it needs to contact the web servers from its side, will need DNS installed. You can make the SQL server a DC, but don't make it in the same domain as the web servers; this is a security risk. Set the SQL server to use mixed mode, so that your web application passes a user/password in order to connect. DO NOT USE THE SA ACCOUNT.

Now, if you want to manage everything remotely, you need to set up a simple PPTP VPN to the firewall, then create an ANY rule that permits PPTP to access both the DMZ and LAN subnets.

You could create an ANY rule that lets the LAN reach the DMZ, but don't open anything from DMZ to LAN except for 1433.

I would set the LAN to 192.168.10.0/24 and the DMZ to 192.168.11.0/24.

If you end up with the LAN being your company network, you can have the SQL server be part of the company domain/AD, but DO NOT MAKE THE WEB SERVERS PART OF IT; use your web application to authenticate with the web server via SQL user accounts, not SA or Windows accounts.

We set up this config all over the US. You don't have to pay for help if you keep it in Usenet or email; I like to give back for all that I learned/learn on Usenet.

-- Leythos
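As an added illustration of the rule set Leythos describes (this is example code, not something either poster wrote), the model below encodes the segmentation policy from the thread and checks candidate flows against it: web servers in the DMZ may reach the SQL server on TCP 1433, the LAN may reach the DMZ freely, VPN clients may reach both, and everything else is denied by default. It also audits a rule set for any DMZ --> LAN opening other than 1433 to the SQL host, which is the "every hole must be justified" point both posters make. The LAN and DMZ subnets are the ones Leythos suggests; the individual host addresses and the VPN client pool (192.168.12.0/24) are constructed for this example. The PPTP tunnel itself (GRE plus TCP 1723 to the firewall) is not modelled; the VPN rules describe the client pool addresses after the tunnel terminates on the Firebox.

```python
"""Model of the DMZ / LAN segmentation described in the thread.

Added example, not code from the thread. LAN and DMZ subnets are the ones
suggested in the post; host addresses and the VPN pool are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LAN = ipaddress.ip_network("192.168.10.0/24")    # from the post
DMZ = ipaddress.ip_network("192.168.11.0/24")    # from the post
VPN = ipaddress.ip_network("192.168.12.0/24")    # assumed PPTP client pool

SQL1 = ipaddress.ip_network("192.168.10.10/32")  # constructed SQL server address
WEB1 = ipaddress.ip_address("192.168.11.10")     # constructed web server 1
WEB2 = ipaddress.ip_address("192.168.11.11")     # constructed web server 2

SQL_PORT = 1433  # the single DMZ -> LAN opening the post allows


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"


# Rule set following the post: web servers -> SQL on 1433 only, LAN may
# reach the DMZ freely, VPN clients may reach both, everything else falls
# through to the implicit default deny.
RULES: List[Rule] = [
    Rule("web-to-sql", DMZ, SQL1, "tcp", SQL_PORT, "allow"),
    Rule("lan-to-dmz-any", LAN, DMZ, "any", None, "allow"),
    Rule("vpn-to-lan-any", VPN, LAN, "any", None, "allow"),
    Rule("vpn-to-dmz-any", VPN, DMZ, "any", None, "allow"),
]


def evaluate(rules: List[Rule], src, dst, proto: str, dport: int) -> str:
    """First-match evaluation with an implicit default deny, as on a
    typical firewall. Returns "allow" or "deny"."""
    src_ip = ipaddress.ip_address(str(src))
    dst_ip = ipaddress.ip_address(str(dst))
    for rule in rules:
        if (src_ip in rule.src and dst_ip in rule.dst
                and rule.proto in ("any", proto)
                and rule.dport in (None, dport)):
            return rule.action
    return "deny"


def audit_dmz_to_lan(rules: List[Rule]) -> List[str]:
    """Return the names of allow rules that let DMZ hosts reach the LAN on
    anything other than TCP 1433 to the SQL server itself. A rule that
    opens 1433 to the whole LAN is flagged too: it is broader than the
    one host that needs it."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if not (rule.src.overlaps(DMZ) and rule.dst.overlaps(LAN)):
            continue
        only_sql = (rule.proto == "tcp" and rule.dport == SQL_PORT
                    and rule.dst.subnet_of(SQL1))
        if not only_sql:
            findings.append(rule.name)
    return findings


if __name__ == "__main__":
    print(evaluate(RULES, WEB1, "192.168.10.10", "tcp", 1433))  # allow
    print(evaluate(RULES, WEB1, "192.168.10.10", "tcp", 445))   # deny (SMB / Windows auth)
    print(audit_dmz_to_lan(RULES))                               # []
    leaky = RULES + [Rule("dmz-to-lan-dns", DMZ, LAN, "udp", 53, "allow")]
    print(audit_dmz_to_lan(leaky))                               # ['dmz-to-lan-dns']
```

The audit is the useful part when revisiting a live configuration: the DNS, time and domain traffic that Will's current design sends from DMZ to Trusted would each show up as a finding, which is exactly why dropping the DC/DNS roles from the SQL server shrinks the policy to a single rule.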
