[Cialug] Network Layout

cialug@cialug.org
Tue, 04 Jan 2005 17:16:35 +0000


I'm sure some would say I'm risking attack, but my Linux box (RH 7.2) runs
ipchains as the firewall, and it runs sendmail, dns, sshd, httpd, X, squid, and
VNC.  I use ipchains to restrict certain services to certain IP addresses.  For
example, sshd is only accessible from the LAN and from my work's IP address. 
That way I can ssh in to check on things.  X and VNC are only allowed from the
LAN, or can be tunnelled through ssh.  Both squid and httpd run on a
non-standard port, requiring people accessing them to know what port to connect
to.  Of course, sniffers could find the open ports, but they'd also have to know
what was running on the ports before they could actually use them, which would
mean they would have to do more than a simple sniff.  Squid uses ACLs, so only
those in the ACL will be allowed.  I also log a lot of port access attempts, so
then I know if I need to lock things down further.  It's amazing how many people
try to use my box as a proxy server (anonymizer).

--
Tim W.
> I'm trying to restructure my home network and have a few criteria, an 
> idea how it should look and a bunch of questions.
> 
> Criteria:
> ==========
> - Foreign access to the inside LAN has to be blocked since the computers 
> there are less secure and files are shared openly.  No 
> internal-to-internal traffic should leave the inside LAN (aka outsiders 
> can't sniff it).  Anybody plugging in a computer at the inside LAN is 
> trusted.
> - WAN is untrusted and will need VPN to access inside LAN.  Visitors 
> should be able to use the internet without VPN to inside LAN once I 
> authorize them.  A web portal where username and passwords are entered 
> would be cool.
> - Outside LAN has the same criteria as WAN (yes, the ethernet jacks are 
> outside of the building)
> - Server for web, e-mail and DNS should be accessible from the internet, 
> inside LAN, outside LAN, and WAN using the same domain name.
> - Only one public IP should be used.  Inside LAN, outside LAN and WAN 
> should use DHCP, NAT and private IPs. The server should use a static 
> private IP via NAT.
> - OpenBSD is the operating system for the firewall and server.
> 
> Network Layout (proposal):
> ==========================
> Best is to look at a picture of it at:
>   http://www.public.iastate.edu/~cniesen/future-network.jpg
> 
> The Network is connected to the internet via DSL using a bridged DSL 
> modem.  The first thing after the modem is a firewall with 4 ports 
> (internet, server [web, email, dns], inside LAN, and WAN/outside LAN).
> The WAN and outside LAN are supported via the Linksys WRT56GS wireless 
> router that has 4 ethernet ports.
> 
> Questions:
> ==========
> - For the VPN to the inside network does the VPN server have to be a 
> server inside of the "inside network" or can the firewall do it?
> - Should the DHCP be done by the server [web, email, dns] or the 
> firewall?  Should the WAN access point run its own DHCP server for the 
> WAN clients?
> - Can the server [web, email, dns] provide DNS service to all network 
> sections? It will run OpenBSD 3.6 with its version of bind 9.
> 
> Thanks
>    Claus
> _______________________________________________
> Cialug mailing list
> Cialug@cialug.org
> http://cialug.org/mailman/listinfo/cialug
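Added example (not from Tim's post, and not a ruleset he published): an ipchains ruleset in the shape his reply describes, with sshd reachable only from the LAN and a single work address, X and VNC reachable only from the LAN, and everything else to those ports denied and logged so the log shows what still needs locking down. The subnet, the work address and the interface name are constructed placeholders, and the script only prints the commands unless APPLY=1 is set, so it runs on a box that no longer has the ipchains binary at all.

```shell
#!/bin/sh
# Constructed values: adjust to the real inside LAN, work address and
# external interface before applying.
LAN_NET="192.168.1.0/24"     # assumed inside LAN
WORK_IP="203.0.113.10"       # assumed work address (RFC 5737 documentation range)
EXT_IF="eth0"                # assumed interface facing the DSL modem

# Print each rule by default; execute it only when APPLY=1 (needs root and ipchains).
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        ipchains "$@"
    else
        echo "ipchains $*"
    fi
}

# Emit the whole input-chain policy for the three restricted services.
# ipchains matches first-rule-wins, so every ACCEPT for a port precedes the
# logged DENY (-l) for the same port.  Port specs use ipchains' "-d addr port" form.
gen_rules() {
    rule -F input
    rule -P input DENY                      # default: drop what no rule accepts

    # sshd (22): LAN plus one work address, so the box can be checked from work.
    rule -A input -p tcp -s "$LAN_NET" -d 0/0 22 -j ACCEPT
    rule -A input -p tcp -s "$WORK_IP" -d 0/0 22 -j ACCEPT
    rule -A input -i "$EXT_IF" -p tcp -d 0/0 22 -y -j DENY -l

    # X (6000-6063): LAN only; anything else tunnels through ssh instead.
    rule -A input -p tcp -s "$LAN_NET" -d 0/0 6000:6063 -j ACCEPT
    rule -A input -i "$EXT_IF" -p tcp -d 0/0 6000:6063 -y -j DENY -l

    # VNC (5900-5910): LAN only, same reasoning as X.
    rule -A input -p tcp -s "$LAN_NET" -d 0/0 5900:5910 -j ACCEPT
    rule -A input -i "$EXT_IF" -p tcp -d 0/0 5900:5910 -y -j DENY -l
}

# Count the ACCEPT rules in the generated policy (used to sanity-check the set).
count_accepts() {
    gen_rules | grep -c 'j ACCEPT'
}

# Count the DENY rules that also log (-l), i.e. the ones that feed the access log.
count_logged_denies() {
    gen_rules | grep 'j DENY' | grep -c ' -l'
}

gen_rules
```

The `-y` on each DENY limits the logged denials to SYN packets, so one blocked connection attempt produces one log line rather than one per retransmitted segment; without it, a scan of those ports can flood the log, which defeats the point of logging to see who is trying what.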