I have 2 application servers and one DC/SQL server at a colocation facility that serve as a public web server cluster. I am using a Watchguard Firebox X 1000 currently and a VLAN-segmented Cisco Catalyst 2950 router. I am looking to redo my network setup to make it safer, given that I've learned a bit more about network security since I first set this up. Anyone out there feel like reading this and posting your suggestions, as little or as much as you want? I'd appreciate it!
My current setup is this:
Firewall (Firebox X 1000)
          |
Switch (Cisco Catalyst 2950)
        |         |
       DMZ     TRUSTED
Now all 3 machines are dual-homed Windows 2k3 machines. (I've been told that dual-NIC Windows machines have issues with sending out secure data over the DMZ interface and vice versa, and that's one of the reasons I want to abandon this setup.)
Each machine has a DMZ and a Trusted NIC and, as mentioned before, I'm using VLANs to segment the network. The DB server has its DMZ interface disabled so it's essentially only on the Trusted VLAN. (I was also told that VLANs only give you a false sense of security, not actual security, ugh.)
I have the 3 servers set up as a Windows domain (name: mydomainname.mycompanyname.org). The SQL server also acts as the DNS server for internal lookups. The SQL server is also the time server. The 2 application servers are public web servers. I have set up the domain to use my Trusted LAN. All SQL requests, DNS requests and time server requests also travel over the Trusted VLAN. I'm a DNS/DC noob so I'm sure I messed up the domain setup etc. Everything works... for now.
So that's about it as far as my current configuration. Here's what I was thinking for a new setup:
- Ditch the VLANs and segment the network at the physical layer. Make all three machines Single NIC machines. The 2 application servers would connect ONLY to the DMZ, and the SQL server would connect ONLY to the Trusted.
- If I do (1), then I will need to open up holes to my Trusted network to allow the DMZ machines to perform SQL queries. ALSO, since the SQL server is also the DC/DNS/time server, they will need to access those ports/protocols as well. So now I'm thinking I have so many holes open, why bother with the Trusted LAN at all? Just put the SQL server in the DMZ since it would already be vulnerable.
- So then I started thinking, I wouldn't have to open many holes to Trusted at all if I could DITCH the DNS/DC/time server roles of my SQL server. This begs the question, do I need a domain for this setup? Can/should I just set up 3 independent machines that don't share a domain? I'm only using DNS to allow me to set up a domain. I'm using my ISP's DNS servers for public domain lookups anyhow. Any experts that can help with this one?
In this sense, I would have 2 app servers in the DMZ and one SQL server in the Trusted. Each machine would be separate, domain-wise. And the only DMZ --> Trusted hole would be SQL server access limited by IP and port, and a port for sending over sensitive log data to the SQL server. These "holes" would be handled by firewall rules.
- If I decide to ditch the domain, will I need to reinstall Win2k3 to change my Domain configuration? Can I do this without any OS re-installations?
- Lastly, do I have to change around my firewall configuration? It's currently set up in "routed mode", using NAT. But I have a whole block of 16 routable IPs from my ISP, so I was thinking of switching the setup to "Drop-In" mode and stop using NAT for the 2 application servers. That way I make better use of my IP block and I don't have to worry about NAT issues. But I would still use NAT for the Trusted LAN/SQL server so it's not exposed.
So what do you all think? I would love some help/feedback with this idea. I am also looking for someone to help me over the next few weeks as I try to implement this with a production environment. Looking for a guru, will pay of course. Thanks in advance for reading this far and/or responding with your opinions, suggestions and vast security knowledge.
Will
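As an added example (not part of Will's post, and not Firebox configuration syntax), here is a small first-match, default-deny model of the DMZ --> Trusted policy the post describes, so the two designs can be compared side by side: the "before" ruleset where the SQL box is still the DC/DNS/time server and the app servers need the domain ports opened to it, and the "after" ruleset with stand-alone machines where only the SQL port and one log-shipping port cross the boundary. The addresses, zone ranges, the choice of UDP/514 for log data, and the list of domain ports are assumptions chosen for illustration.

```python
"""Model of a DMZ -> Trusted firewall policy, evaluated first-match with a
default deny between zones (the behaviour a stateful firewall applies to any
flow that no rule explicitly permits).

Added example, not from the original post. Addresses, zone ranges and the
specific ports below are assumptions for illustration only.
"""
from ipaddress import ip_address, ip_network

# Assumed addressing: two app servers in the DMZ, SQL server in the Trusted LAN.
APP1 = "10.10.0.11"
APP2 = "10.10.0.12"
SQL = "10.20.0.5"
DMZ = ip_network("10.10.0.0/24")
TRUSTED = ip_network("10.20.0.0/24")

# A rule is (src_hosts, dst_host, proto, port, action).
# "after" design: stand-alone boxes, only two holes from DMZ into Trusted.
AFTER = [
    ({APP1, APP2}, SQL, "tcp", 1433, "allow"),  # SQL Server, from app hosts only
    ({APP1, APP2}, SQL, "udp", 514, "allow"),   # assumed syslog-style log shipping
]

# "before" design: SQL box is also DC/DNS/NTP, so domain membership needs more.
# Illustrative subset of what an AD member needs to reach on its DC.
BEFORE = AFTER + [
    ({APP1, APP2}, SQL, "udp", 53, "allow"),    # DNS
    ({APP1, APP2}, SQL, "udp", 123, "allow"),   # NTP
    ({APP1, APP2}, SQL, "tcp", 88, "allow"),    # Kerberos
    ({APP1, APP2}, SQL, "tcp", 135, "allow"),   # RPC endpoint mapper
    ({APP1, APP2}, SQL, "tcp", 389, "allow"),   # LDAP
    ({APP1, APP2}, SQL, "tcp", 445, "allow"),   # SMB (SYSVOL / Group Policy)
]


def evaluate(rules, src, dst, proto, port):
    """Return 'allow' or 'deny' for a single flow.

    The ruleset only ever grants DMZ -> Trusted traffic; anything from outside
    the DMZ (e.g. the Internet) toward the Trusted LAN falls through to deny,
    as does any DMZ host, protocol or port not named in a rule.
    """
    s, d = ip_address(src), ip_address(dst)
    if s not in DMZ or d not in TRUSTED:
        return "deny"
    for src_hosts, dst_host, r_proto, r_port, action in rules:
        if src in src_hosts and dst == dst_host and proto == r_proto and port == r_port:
            return action
    return "deny"


def open_ports(rules):
    """Distinct (proto, port) pairs a ruleset exposes across the boundary."""
    return sorted({(proto, port) for _, _, proto, port, _ in rules})


if __name__ == "__main__":
    # Constructed sample flows: app server to SQL, an unknown DMZ host, and an
    # Internet address trying the same thing.
    flows = [
        (APP1, SQL, "tcp", 1433),
        (APP1, SQL, "udp", 53),
        ("10.10.0.99", SQL, "tcp", 1433),
        ("203.0.113.7", SQL, "tcp", 1433),
    ]
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(f"{name}: {len(open_ports(rules))} open (proto, port) pairs")
        for f in flows:
            print("  ", f, "->", evaluate(rules, *f))
```

The point the model makes concrete is the one the post is circling: dropping the domain roles from the SQL server does not just shrink the rule count, it removes every DMZ-reachable service on the Trusted box except the two the application actually needs, and the source-host restriction means a compromised third DMZ host (or an Internet address) still gets nothing.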