[ale] slightly OT: network structure

jenn at colormaria.com jenn at colormaria.com
Wed Feb 13 20:16:53 EST 2002


The Nimda/code-red/worm stuff is what I'm most afraid of...
Said bozo won't have any physical access to the cabinet, at least, and he
will be subject to frequent scans by nmap and nessus to make sure he's not
got any nasty ports open. As far as I know, this box will be running web and
mail services, so we've got many potential victims right there...IIS,
ColdFusion scripts, Ipswitch Imail...yee haw.  And because of no physical
access...that means some sort of remote management through who-knows-what
sort of tool.

I have a single connection to the co-lo network (hence, the outside world),
and we don't have the budget to get anything more than that, so he has to
live behind my router somehow.  

This is where I get confused however, being only somewhat knowledgeable about
linux routing and not at all about using "real" managed switching appliances
and how they work.  I can and will block his IP on all of my DMZ boxen, but
that doesn't solve the potential bandwidth problem.  I know I can't do
anything to limit his bandwidth behind the linux router, because it plugs
into a cheap unmanaged switch that can't limit traffic on a single port.  Can
a Cisco (or other brand) do this? Would that be enough to protect me?  What
about another NIC in the linux router devoted entirely to him? Would that
accomplish the same thing?  Is that even possible?

Sorry for the denseness. Network management continues to baffle me...the more
I learn about it, the less I know. :(

Thanks again,

jenn

> If I were in your position I would insist that the box either be under
> my control or not in my cabinet. The last thing you want is some bozo
> MCSE to grab the wrong keyboard and use the 3-finger salute to log into
> the w2k box! It will happen.
> 
> If you must put it in, have separate net connection for the w2k box
> that has no connection at all (different provider is preferable) to
> your other cabinet boxen. Add the w2k IP address to all your routers
> and firewalls to block all access from the w2k box on every port for
> every service. Nimda and code-red eat up enough bandwidth without
> sharing a router.
> 
> On Wed, 2002-02-13 at 17:05, jenn at colormaria.com wrote:
>> I've been asked to put a Win2000 box that I will not manage in my
>> cabinet at our co-lo facility.  I'm considering putting this box in my
>> DMZ with my email and DNS servers and I'm wondering if anyone who has
>> managed a mixed-environment network could help me ensure that, should
>> this machine run amok, it won't hurt my other boxen?
>> 
>> I have a linux box acting as a gateway between the co-lo network and
>> my DMZ. The DMZ servers all run iptables firewalls, have unnecessary
>> services turned off, and are as securely set up as I can make them. 
>> In the DMZ is a firewall/NAT machine that protects some other servers.
>> Is this enough to protect my DMZ machines should the windows box get
>> compromised in some way?  Should I put it on my private network and
>> run NAT for its services?   I've considered also replacing the initial
>> linux gateway with a cisco or other brand managed switch, and
>> attempting some sort of vlan, but I'm not convinced this would make
>> things better...and be a learning curve to boot.
>> 
>> What do you folks do in a situation like this?  The admin for this
>> machine has already agreed to follow the NSA guidelines for locking
>> down a windows machine, and anything else I can find for him.  All
>> help is, as always, appreciated.
>> 
>> TIA
>> jenn
>> 
>> 
> -- 
> James P. Kinney III   \Changing the mobile computing world/
> President and COO      \          one Linux user         /
> Local Net Solutions,LLC \           at a time.          /
> 770-493-8244             \.___________________________./
> 
> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> <jkinney at localnetsolutions.com>
> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
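One way to wire up the "another NIC in the linux router devoted entirely to him" idea from the message above, as an added example that is not from the thread: the untrusted box gets its own interface, the router's FORWARD chain keeps that interface away from the DMZ, and tc caps its bandwidth in both directions. Interface names, the 192.0.2.10 address and the 2mbit rate are assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: eth0 faces the co-lo
# uplink, eth1 the DMZ, eth2 is a NIC used only by the untrusted Windows
# box; 192.0.2.10 (documentation range) is its constructed address.
UPLINK=eth0
DMZ_IF=eth1
GUEST_IF=eth2
GUEST_IP=192.0.2.10
GUEST_RATE=2mbit   # assumed ceiling for the guest in each direction

# run: execute a command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# The guest NIC may talk to the uplink only; nothing crosses to the DMZ.
guest_isolation_rules() {
    run iptables -A FORWARD -i "$GUEST_IF" -o "$DMZ_IF" -j DROP
    run iptables -A FORWARD -i "$DMZ_IF" -o "$GUEST_IF" -j DROP
    # Only packets carrying the guest's own source address may leave its NIC
    run iptables -A FORWARD -i "$GUEST_IF" -o "$UPLINK" -s "$GUEST_IP" -j ACCEPT
    run iptables -A FORWARD -i "$GUEST_IF" -j DROP
    # It publishes web and mail, so inbound connections from the uplink are expected
    run iptables -A FORWARD -i "$UPLINK" -o "$GUEST_IF" -d "$GUEST_IP" -j ACCEPT
    run iptables -A FORWARD -o "$GUEST_IF" -j DROP
}

# Cap the guest's bandwidth: an HTB class on the uplink matched by its source
# address (upload), and a plain token bucket on the dedicated NIC (download).
guest_rate_limit() {
    run tc qdisc add dev "$UPLINK" root handle 1: htb default 10
    run tc class add dev "$UPLINK" parent 1: classid 1:10 htb rate 100mbit
    run tc class add dev "$UPLINK" parent 1: classid 1:20 htb rate "$GUEST_RATE" ceil "$GUEST_RATE"
    run tc filter add dev "$UPLINK" protocol ip parent 1: prio 1 u32 \
        match ip src "$GUEST_IP/32" flowid 1:20
    run tc qdisc add dev "$GUEST_IF" root tbf rate "$GUEST_RATE" burst 32kbit latency 400ms
}

# Apply only when explicitly asked, so sourcing the file changes nothing
if [ "${APPLY:-0}" = 1 ]; then
    guest_isolation_rules
    guest_rate_limit
fi
```

Blocking the guest's address on every DMZ host, as the message plans, still belongs in place as a second layer; the router rules above just stop the traffic before it reaches that switch.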



---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.