Notes:
-
This is an "ideal" setup. You will have to budget your resources
and needs and try to get the best setup that you can. Of course,
the most secure setup is no network at all and your computers locked up
in a vault! :)
-
The routers could be routers with built-in firewalls (like a Cisco router
with the PIX option) or two machines: a router and a dedicated firewall
machine.
-
The DMZ (De-Militarized Zone) is a medium-security network. Some
external (Internet) traffic is allowed to connect and initiate connections
to computers on the DMZ.
-
Servers in the DMZ should be stripped (deleted) of all unneeded services
(tftpd, talkd, linuxconf, finger, rsh, rlogin, compilers, header files,
maybe NFS, maybe Sendmail, maybe Apache, maybe named, etc.).
-
Hacker detection: Get checksums of all of the critical files on
all of the servers in the DMZ! Save the checksums on removable
media (like a floppy or Zip disk). A program called Tripwire
can do this for you.
-
The Border Router/Firewall will have a loose configuration in that it
allows some external (Internet) traffic (web, mail, DNS, etc.) to initiate
connections. The Internal Router/Firewall should have a tight configuration
and NOT allow any traffic to initiate connections from the Internet or
DMZ to the internal network. The best (but maybe not possible) setup
for the internal router/firewall is a one way "trapdoor" NAT (Network Address
Translation) setup, i.e. the inside can go anywhere, but nothing can get
in.
-
The primary and secondary DNS servers should not be at the same location
on the same network, even though that arrangement is pretty common.
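
An added example (not from the original page and not Tripwire's own code) of the checksum baseline described in the "Hacker detection" note: it hashes every file under a directory, stores the result where the removable media would be mounted, and later reports modified, missing and added files. The directory layout, file names and JSON baseline format are assumptions made for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, root):
    """Re-hash root and report differences against the saved baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed sample: baseline a fake server tree, change it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root, media = Path(tmp, "server"), Path(tmp, "removable")
        for rel, data in (("bin/login", b"v1"), ("bin/ls", b"ls"),
                          ("etc/inetd.conf", b"# no services")):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        media.mkdir()  # stands in for the mounted floppy or Zip disk
        saved = media / "baseline.json"
        saved.write_text(json.dumps(build_baseline(root), indent=1))
        # Constructed changes that the later check should report.
        (root / "bin/login").write_bytes(b"v2")
        (root / "bin/ls").unlink()
        (root / "bin/newtool").write_bytes(b"new")
        return compare(json.loads(saved.read_text()), root)
```

In practice `root` would be the directories holding a server's critical files, and the baseline file would live on the removable media, mounted only for the check.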
This page, and all contents, are Copyright (C) 1992-2000
Robert Barnes
Copyright © 1993-2001 by Robert Barnes