
Thread: network design for security and usability

  1. #1
    Senior Member Godsrock37's Avatar
    Join Date
    Jan 2005
    Location
    PA
    Posts
    121

    network design for security and usability

    I'm designing a network and I need some advice. This forum is the closest to what I wanted to talk about, but if you guys think it should be moved, let me know; I considered the honeypot and firewall as well as IDS discussions, but I figured this was the most relevant. Anyway, on to this network.

    First I'll describe what I want to be able to do. I'm learning programming and network security, so I'd like to be able to deploy applications and services I write and design onto machines (both server and client computers) on a multitude of OSs. I would also like to simulate real-world security holes, exploits, viruses, and other security-related issues in my network. I would like to have it easily managed from one computer, with the right authentication, through multiple services (like my PC using VNC, SSH, and a web page). I also wanted to learn how to use a variety of databases, once again on a multitude of OSs. Last but not least, I would like at some point to be able to access this network from the outside (of my LAN), but probably not right away (maybe 6 months to a year). Stemming off of that, I would like to put in an IDS and some other detection and monitoring services for study.

    So, what I have. I have 7 boxes in my basement of various qualities, ranging from 200-800 MHz, 32 MB - 1 GB of RAM and 5-20 GB of HD space. Obviously the lower-end PCs won't do much more than client work and generating bandwidth, but at least I'd like to be able to run some service on them to let me manage them (probably SSH or maybe VNC). I have multiple versions of Linux I could install. I have one box that I was told would be great for putting UNIX or DOS on (it's really old and probably wouldn't be good for much else), and it would fulfill some of the multiple-OS desire. The last thing is actually more of a complication than an addition. I have a home network that runs on wireless that I manage for my family (4-5 boxes and network printers on a WRT54GL router). I would like to access all of this (new network in production) from my PC, but if I open it up to the outside I don't want to jeopardize the security I've worked so hard to create in my home network.

    What I'm thinking of investing in: I'm thinking about spending $4000 or more on hardware and software (more hardware than anything). This probably won't happen for a long time (1-3 years). I still want to have a plan, though, so it would be good to know what I want. Also, hardware will have changed by then, as well as security issues and the common services used, but I'd like to have an idea of what I want. I'm thinking about getting Windows 2003 Server for a domain controller and a few distros of Linux in boxes (more support and generally better than free). I'm hoping to spend only a few hundred on software, definitely no more than 500. I'm thinking of some kind of PC that would act as a gateway (filter out stuff from the outside, run a few services, and lots more); I'm thinking about spending 500-1000 on this one, depending. Last but not least, I want one beast: as much hard drive, RAM, and processor power as I can get for like 3500. I'd use this for most of the management and bigger services. Finally, I'll probably spend like a hundred dollars on a gigabit switch (like 8-16 port).

    So here are my questions:
    1) Does this sound reasonable, or am I wasting my time/money?
    2) Is there a better way to do what I'm trying to do? (I'm almost positive this is the way I want to do it.)
    3) What do you think this will cost?
    Here are my big questions:
    1) How do I keep the home network secure?
    a) Do I merge them or subnet them?
    b) If I merge, do I put them all in the same domain (would make managing the home network easier)?

    I had some other questions but can't remember them at the moment, so I'll add them as I remember.

    Any tips or ideas are welcome, thanks.
    if God was willing to live all out for us, why aren't we willing to live all out for Him? God bless,
    Godsrock37
    my home my forum

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    www.VMWare.com

    Buy your monster PC. And make it UBER monster. And then get VMWare Workstation, and you can run as many of these systems as you want, concurrently (depending on hardware specs of the platform system).
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    You're going about it the right way. Lots of computers, lots of different looks for your network, you'll have fun learning the network stuff. You'll find a series of network tools will give you a good idea of what's going on within your network at any given time: ettercap, ethereal, gfi languard, to name a few.

    As for compromising security, learn to keep an eye on things and note unusual traffic. The biggest security holes your network can have are already there: users!

    “Everybody is ignorant, only on different subjects.” — Will Rogers

  4. #4
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    My goal is to give an idea of a reasonable home-network architecture
    that allows you to simulate some real-life environments and to play around.

    I start with the first three questions.

    1) does this sound reasonable or am i wasting my time/money
    2) is there a better way to do what im trying to do (im almost positive this is the way i want to do it)
    3) what do u think this will cost?
    Well, you seem to be quite ambitious, but it sounds reasonable.
    However, since you have a rough idea of the money you want to spend,
    I would now, as a second step, design a specific network architecture
    on paper and calculate the costs to make the numbers realistic.
    Gather information to do so! Let me give you an example. A typical
    architecture:

    ------------------
    Internal (some subnet 10.0.0.0/24): AD Server(win2003[1]), DB server(Solaris[2], Oracle[3]), some clients
    |
    Gateway/Firewall: Smoothwall[4] or WRT54GL(?)
    |
    DMZ (some subnet 192.168.0.0/24): Web server(FC 4.0)
    |
    Switch -> IDS (Snort) on spanning port
    |
    Gateway/Firewall: Smoothwall[4]
    |
    Internet
    ------------------


    I just put your WRT54GL somewhere (I do not know its functionality). Now, what does this cost?

    Software:

    Win2003: You can get almost all Microsoft products (e.g. Win2003 Server, XP, Office, ...) in a bundle for about $300/year
    with the Action Pack, including 10 (!) client licenses (Win XP Professional).
    Your only obligation is to develop an application that runs on Windows and promote it on your web page.
    Solaris: free
    Oracle: free
    Smoothwall: free
    Fedora: free

    Hardware:

    A good box for the AD server and/or the Solaris/Oracle server: new? about $750-1500
    Smoothwall boxes: with the expected traffic, your lowest ones should be sufficient.
    Webserver box: a "medium" one (e.g. 500 MHz) should be sufficient (Fedora as a server, i.e. no X).
    IDS box: a "medium" one is sufficient.
    Switch: depends, a few hundred dollars at most.
    Network cards: Is a gigabit Ethernet network useful if the clients are connected wirelessly? Make your choice.
    "Internet access" (modem, router): free or a few hundred dollars.

    I get a total of roughly $300 + $2000 = $2300.

    This is just an example. As you can see, in a lot of cases it is sufficient to re-use your old boxes.


    I think, with an architecture as described above, you have everything you need to study penetration testing,
    to develop network applications (sockets (TCP, UDP, multicast)), to understand multi-tier systems,
    to study "single sign-on" processes (very important for real-life projects), to test exploits, etc. etc.


    Goals?


    What are your goals for the future? You mention that you want to deploy applications. In what
    context? Fight with SMS[5], or do you want to develop applications in the .NET Framework and
    enjoy the ClickOnce[6] technology, or do you plan to use an application server and build web applications?

    I suggest you focus on something, or at least keep something in mind, that will help you
    get a job in the future.


    the other questions


    1) how do i keep the home network secure?
    Check www.antionline.com regularly.
    As a start, always use non-privileged accounts and keep your DMZ servers very up to date; check
    the usual lists daily (Bugtraq[7], full-disclosure[8], ...), etc. etc.


    a) do i merge them or subnet them?
    b) if i merge, do i put them all in the same domain (would make managing home network easier)?
    I would subnet them as given in the above example (just for fun and giggles).
    If you run your systems in an Active Directory, check this article on adding your Linux boxes to the AD[9],
    and/or say thank you to Samba 4.0[10].

    Cheers

    [1] https://partner.microsoft.com/global...efits/40009856
    [2] http://www.sun.com/software/solaris/...es_program.xml
    [3] http://www.oracle.com/technology/sof...ase/oracle10g/
    [4] http://www.smoothwall.org/get/
    [5] http://www.microsoft.com/technet/pro.../smsfpdep.mspx
    [6] http://msdn2.microsoft.com/en-us/library/142dbbz4.aspx
    [7] http://securityfocus.com/archive/1
    [8] https://lists.grok.org.uk/mailman/li...ull-disclosure
    [9] http://enterprise.linux.com/enterpri...id=101&tid=100 (not tested)
    [10] http://www.samba.org/samba/
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  5. #5
    Senior Member
    Join Date
    Nov 2005
    Posts
    115
    Originally posted by zencoder:
    www.VMWare.com
    ... get VMWare Workstation...

    Or better yet, get VMWare Server. Yes, that's right, it's free!

  6. #6
    Junior Member
    Join Date
    Jan 2006
    Posts
    24
    You might want to consider buying some books. One that might be helpful for you is Secure Architectures with OpenBSD, together with something like Network Security Architectures.

    This will probably save you a lot of time digging around the internet.

  7. #7
    Senior Member Godsrock37's Avatar
    Join Date
    Jan 2005
    Location
    PA
    Posts
    121
    Wow, thanks for all the help guys, especially sec-ware. I have a good idea of what I think I'm going to do. It should be fun, thanks again guys.

  8. #8
    Senior Member Godsrock37's Avatar
    Join Date
    Jan 2005
    Location
    PA
    Posts
    121
    I know this thread is old, but I'm coming back to it. I've been reading Linux Server Security and went over the section on network architecture. So I've got a good idea of what I want it to look like, but I've got a few questions. First let me tell you my idea.

    I've included a web page that you can look at.

    The questions I have are thus:
    1) Will the external firewall have to be a switch or a router, or can it just be a firewall?
    2) Does it have to have its own subnet? (I'm assuming it has its own IP; will that IP be on the DMZ subnet or its own?)
    3) How much will it cost, and where should I get it?

    I did a little research and I can't find anything that's just a firewall. I looked at Smoothwall, but I'd rather not have to turn a box into a firewall. If I can find a stand-alone firewall I'd be pretty happy, and I think that would be a perfect architecture for me.

    Let me know what you guys think, and if you have any suggestions, let me know.

  9. #9
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    First, a router will be, in effect, a firewall. A rather simple one compared to a Smoothie or IPCop, but nonetheless a firewall. A switch is no firewall at all. Your computers will be pulling their IPs from your ISP and will be fully exposed to the web instead of being behind a firewall/router.

    A router will act as a DHCP server and assign IP addresses to your local computers on the LAN. A Smoothwall, the same again. If you use a Smoothwall, you will need a switch or a hub.

    I ran a Smoothie for over a year and learned a great deal about networking and security doing it, more than I ever did using a router. I now use IPCop. It's very similar to Smoothwall. Both have more advanced features than a router, particularly logging. The advantage of a router is simplicity.

    p.s. -- Let me add, your older PCs are ideally suited to running a Smoothwall. My Smoothie was a 200 MHz Pentium I with 64 MB RAM and a 2 GB HDD. The IPCop I currently use is a Dell PII with 128 MB RAM and maybe a 6 GB HDD. You'll need two to three NICs to run a Linux gateway as such.

  10. #10
    Senior Member Godsrock37's Avatar
    Join Date
    Jan 2005
    Location
    PA
    Posts
    121
    brokencrow,
    when I asked if the external firewall had to be a router or a switch, or could be a stand-alone firewall, I meant: could it be stand-alone, or are all firewalls composite devices (i.e. a managed switch (do these have firewall options? I would think they would, but I have not had experience with them), a router, a box with Smoothwall)? Actually, now that I think about it, I'm pretty sure that I've seen stand-alone firewalls, but I could be wrong... nope, SonicWall is an example of one. So yes, I understand that routers act as DHCP servers and usually include a firewall, while most switches do not, and that if I don't have a DHCP server in front of my devices they will pull IPs from my ISP and be largely unprotected (hence the external firewall, the old wireless router with switch capabilities and wireless turned off, and the multiple routers behind).

    When you said
    A router will act as a DHCP server and assign ip addresses to your local computers on the LAN. A Smoothwall, the same again.
    did you mean that Smoothwall will actually act as a DHCP server? Does Smoothwall/IPCop offer application-layer firewall services, stateful inspection, or packet filtering, or a combination of the three?

    My question still remains:
    how will the external firewall interact with my internal network? Does it need its own internal IP? Its own subnet? Or can it use the same subnet as the DMZ? Now that I'm thinking about it, if I put a Smoothwall box as the external firewall, would it be acceptable for it to have one NIC with the external IP address (given by the ISP) and the other NIC with a static IP that I assign, connected to the old wireless router/switch for the DMZ?

    If that would work (which, as I'm thinking about it now, I think it would), I think that would be the best solution.
    Thanks for all the help.
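The addressing question Godsrock37 keeps returning to in posts #8 and #10 (does the external firewall need a subnet of its own, or does its inside NIC just take an address on the DMZ subnet?) and the segmentation sec-ware sketched in post #4 can be checked mechanically. The Python below is an added example written for this page; it is not code from any poster, nor from Smoothwall or IPCop. It models one three-NIC gateway (brokencrow's "two to three NICs"): an ISP-assigned address on the outside and a static address on each inside segment. The 10.0.0.0/24 internal and 192.168.0.0/24 DMZ subnets are taken from post #4; the gateway addresses, the ISP address (203.0.113.7, from a documentation range) and the allowed ports are assumptions chosen for the example. It verifies that each gateway NIC sits inside its segment, that the segments neither overlap nor collide with the outside address, and it evaluates candidate flows against a default-deny zone policy in which nothing in the DMZ or on the Internet may open a connection into the home LAN.

```python
"""Address plan and zone policy for a segmented home lab.

Added example; not code from the thread. Inside subnets are from post #4,
the interface addresses, ISP address and port lists are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Segment:
    name: str
    network: IPv4Network
    gateway: IPv4Address  # the firewall's NIC on this segment


# One three-NIC gateway: ISP side, DMZ, internal. The gateway owns an address
# in each inside segment, so it needs no subnet of its own.
ISP_ADDRESS = ip_address("203.0.113.7")  # assumed; TEST-NET-3 documentation range
SEGMENTS = [
    Segment("internal", ip_network("10.0.0.0/24"), ip_address("10.0.0.1")),
    Segment("dmz", ip_network("192.168.0.0/24"), ip_address("192.168.0.1")),
]

# Default deny: only listed (src, dst) zone pairs may open connections.
# None means any port. (dmz -> internal) and (internet -> internal) are
# deliberately absent: a compromised DMZ host must not reach the home LAN.
POLICY: Dict[Tuple[str, str], Optional[Set[int]]] = {
    ("internal", "dmz"): {22, 80, 443, 5900},   # ssh, web, vnc management
    ("internal", "internet"): None,             # browse freely
    ("internet", "dmz"): {80, 443},             # the published web server
    ("dmz", "internet"): {53, 80, 443},         # dns and package updates
}


def check_plan(segments: List[Segment], isp: IPv4Address) -> List[str]:
    """Return addressing problems; an empty list means the plan is consistent."""
    problems = []
    for seg in segments:
        if seg.gateway not in seg.network:
            problems.append(f"{seg.name}: gateway {seg.gateway} is not in {seg.network}")
        if isp in seg.network:
            problems.append(f"{seg.name}: ISP address {isp} collides with {seg.network}")
        if not seg.network.is_private:
            problems.append(f"{seg.name}: {seg.network} is not RFC 1918 space")
    for i, a in enumerate(segments):
        for b in segments[i + 1:]:
            if a.network.overlaps(b.network):
                problems.append(f"{a.name} and {b.name} overlap: {a.network} / {b.network}")
    return problems


def default_routes(segments: List[Segment]) -> Dict[str, str]:
    """Default route for each segment's hosts: the gateway NIC on their own subnet."""
    return {seg.name: str(seg.gateway) for seg in segments}


def zone_of(addr: IPv4Address, segments: List[Segment]) -> str:
    """Map an address to its segment name; anything outside the plan is 'internet'."""
    for seg in segments:
        if addr in seg.network:
            return seg.name
    return "internet"


def permitted(src: str, dst: str, port: int,
              segments: List[Segment] = SEGMENTS,
              policy: Dict[Tuple[str, str], Optional[Set[int]]] = POLICY) -> bool:
    """Decide whether a new connection src -> dst:port is allowed to cross the firewall."""
    src_zone = zone_of(ip_address(src), segments)
    dst_zone = zone_of(ip_address(dst), segments)
    if src_zone == dst_zone and src_zone != "internet":
        return True  # same segment: switched locally, the firewall never sees it
    if (src_zone, dst_zone) not in policy:
        return False  # default deny
    ports = policy[(src_zone, dst_zone)]
    return ports is None or port in ports


if __name__ == "__main__":
    for line in check_plan(SEGMENTS, ISP_ADDRESS) or ["address plan OK"]:
        print(line)
    print(default_routes(SEGMENTS))
    for flow in [("10.0.0.50", "192.168.0.10", 22),
                 ("198.51.100.9", "192.168.0.10", 80),
                 ("192.168.0.10", "10.0.0.50", 445),
                 ("198.51.100.9", "10.0.0.50", 3389)]:
        print(flow, "ALLOW" if permitted(*flow) else "DROP")
```

Run directly, it prints the plan check, the default gateway each segment's hosts should use, and a few flow decisions. The model answers question 2 from post #8: the firewall's inside interface is simply a member of the DMZ subnet (192.168.0.1 here) and acts as that segment's default gateway; it does not need a subnet of its own, only an address in each segment it serves. Whether the zone table is later enforced as FORWARD rules on a Smoothwall or IPCop box or as policies on an appliance, it is the same default-deny matrix, and the two missing rows (DMZ and Internet into the LAN) are what protect the family network when the lab is opened to the outside.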
