[ale] slightly OT: network structure

Greg runman at telocity.com
Wed Feb 13 21:04:04 EST 2002


There was something on the OpenBSD list recently about limiting bandwidth,
but I don't have it in my archives; a search of the OpenBSD list
archive would reveal it.  A consulting company has a complete archive of all
posts.  Sorry about not being more helpful.

Greg Canter

> -----Original Message-----
> From: jenn at colormaria.com [mailto:jenn at colormaria.com]
> Sent: Wednesday, February 13, 2002 8:17 PM
> To: jkinney at localnetsolutions.com
> Cc: ale at ale.org
> Subject: Re: [ale] slightly OT: network structure
>
>
> The Nimda/code-red/worm stuff is what I'm most afraid of...
> Said bozo won't have any physical access to the cabinet, at least, and he
> will be subject to frequent scans by nmap and nessus to make sure he's not
> got any nasty ports open. As far as I know, this box will be running web and
> mail services, so we've got many potential victims right there...IIS,
> ColdFusion scripts, Ipswitch Imail...yee haw.  And because of no physical
> access...that means some sort of remote management through who-knows-what
> sort of tool.
>
> I have a single connection to the co-lo network (hence, the outside world),
> and we don't have the budget to get anything more than that, so he has to
> live behind my router somehow.
>
> This is where I get confused however, being only somewhat knowledgeable about
> linux routing and not at all about using "real" managed switching appliances
> and how they work.  I can and will block his IP on all of my DMZ boxen, but
> that doesn't solve the potential bandwidth problem.  I know I can't do
> anything to limit his bandwidth behind the linux router, because it plugs
> into a cheap unmanaged switch that can't limit traffic on a single port.  Can
> a Cisco (or other brand) do this? Would that be enough to protect me?  What
> about another NIC in the linux router devoted entirely to him? Would that
> accomplish the same thing?  Is that even possible?
>
> Sorry for the denseness. Network management continues to baffle me... the more
> I learn about it, the less I know. :(
>
> Thanks again,
>
> jenn
>
> > If I were in your position I would insist that the box either be under
> > my control or not in my cabinet. The last thing you want is some bozo
> > MCSE to grab the wrong keyboard and use the 3-finger salute to log into
> > the w2k box! It will happen.
> >
> > If you must put it in, have separate net connection for the w2k box
> > that has no connection at all (different provider is preferable) to
> > your other cabinet boxen. Add the w2k IP address to all your routers
> > and firewalls to block all access from the w2k box on every port for
> > every service. Nimda and code-red eat up enough bandwidth without
> > sharing a router.
> >
> > On Wed, 2002-02-13 at 17:05, jenn at colormaria.com wrote:
> >> I've been asked to put a Win2000 box that I will not manage in my
> >> cabinet at our co-lo facility.  I'm considering putting this box in my
> >> DMZ with my email and DNS servers and I'm wondering if anyone who has
> >> managed a mixed-environment network could help me ensure that, should
> >> this machine run amok, it won't hurt my other boxen?
> >>
> >> I have a linux box acting as a gateway between the co-lo network and
> >> my DMZ. The DMZ servers all run iptables firewalls, have unnecessary
> >> services turned off, and are as securely set up as I can make them.
> >> In the DMZ is a firewall/NAT machine that protects some other servers.
> >>  Is this enough to protect my DMZ machines should the windows box get
> >> compromised in some way?  Should I put it on my private network and
> >> run NAT for its services?   I've considered also replacing the initial
> >> linux gateway with a cisco or other brand managed switch, and
> >> attempting some sort of vlan, but I'm not convinced this would make
> >> things better...and be a learning curve to boot.
> >>
> >> What do you folks do in a situation like this?  The admin for this
> >> machine has already agreed to follow the NSA guidelines for locking
> >> down a windows machine, and anything else I can find for him.  All
> >> help is, as always, appreciated.
> >>
> >> TIA
> >> jenn
> >>
> >>
> >> ---
> >> This message has been sent through the ALE general discussion list.
> >> See http://www.ale.org/mailing-lists.shtml for more info. Problems
> >> should be  sent to listmaster at ale dot org.
> > --
> > James P. Kinney III   \Changing the mobile computing world/
> > President and COO      \          one Linux user         /
> > Local Net Solutions,LLC \           at a time.          /
> > 770-493-8244             \.___________________________./
> >
> > GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> > <jkinney at localnetsolutions.com>
> > Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
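As an added example (not code from this thread or its authors), one way to carry out what James and jenn describe on a Linux router and the DMZ hosts: drop everything from the unmanaged box on every port, give it a dedicated router NIC, and police the bandwidth it can push in through that NIC. The address 192.0.2.50, the interfaces eth2/eth1 and the 1mbit cap are constructed assumptions; DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the ALE thread. Constructed assumptions: the
# unmanaged box is 192.0.2.50 on its own router NIC eth2, the DMZ is on eth1.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it as root.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Router: with the box on a NIC of its own, anything it sends toward the DMZ
# interface is dropped in FORWARD on every port. DROP is inserted first and
# LOG second, so LOG sits above DROP and a hit is logged before it is dropped.
router_isolate() {
    bad_ip=$1; bad_if=$2; dmz_if=$3
    run iptables -I FORWARD -i "$bad_if" -o "$dmz_if" -j DROP
    run iptables -I FORWARD -i "$bad_if" -o "$dmz_if" -j LOG --log-prefix "w2k->dmz: "
    # Also match on source address, in case the box is ever replugged elsewhere.
    run iptables -I FORWARD -s "$bad_ip" -o "$dmz_if" -j DROP
    # Nothing from that NIC reaches the router itself either.
    run iptables -I INPUT -i "$bad_if" -j DROP
}

# Router: police what arrives from the box on its NIC (ingress), so a worm
# outbreak cannot saturate the single co-lo uplink (ingress policing idiom
# from the LARTC HOWTO).
router_ratelimit() {
    bad_ip=$1; bad_if=$2; rate=$3
    run tc qdisc add dev "$bad_if" handle ffff: ingress
    run tc filter add dev "$bad_if" parent ffff: protocol ip prio 50 u32 \
        match ip src "$bad_ip/32" police rate "$rate" burst 10k drop flowid :1
}

# DMZ hosts: each server drops everything from the box, whatever the port,
# so a bypassed or misconfigured router still does not expose them.
dmz_host_block() {
    bad_ip=$1
    run iptables -I INPUT -s "$bad_ip" -j DROP
}

# Constructed example values; with DRY_RUN=1 this only prints the rules.
router_isolate 192.0.2.50 eth2 eth1
router_ratelimit 192.0.2.50 eth2 1mbit
dmz_host_block 192.0.2.50
```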