Thoughts on network segmentation...

Joined
Dec 5, 2003
Messages
517
Please share your thoughts and advice on the following network.

I just inherited a class c network (public IP addresses), split into three segments. The subnets are configured as follows:

x.x.70.0/25 - Server Network
x.x.70.64/25 - VPN Network
x.x.70.128/24 - User Network

This segment of the network is part of a larger class b network. The VPN utilizes public IPs for the purposes of monitoring/logging... setting up a NAT will not work for reasons behind discussion in this post. Further, the gateway is a Fortinet firewall with rules governing traffic between the subnets and the WAN. However, the server network has no rules preventing it from accessing the user network.

Within the server network there are a couple of domain controllers that are host DNS services for internal and external name resolution. That means there is an exception in the firewall to allow incoming DNS requests on the domain controllers. However, no other services on the DCs are exposed to the internet/WAN.

Questions...

1. I would like to have a DMZ, where I can run services available to the public. The servers have been segmented into a separate subnets, however it's my concern that a security breach on one of these services exposes my entire server network. Does this make sense?

2. Given the fact that creating new subnets will require me to change many static IP configurations... is the risk of not having a separate subnet for public-facing services high enough to warrant all the work and effort to do this?

3. If I was to multi-net the network segments... basically running another non-routable (private IP address) network on alongside the public network... will I gain anything from this? In other words, even though I will have some services that are not directly accessible/routable from the internet, however will share a subnet with addresses that are routable, have any benefit in regard to security?

4. Using AD for public/private name resolution. This just doesn't sound right. Is it bad practice to use locally running DNS services for both public/private name resolution? All the clients on the network have public IP addresses... the thought was to use dynamic DNS so that a user can access their computer remotely (remote desktop for example).

5. What recommendations, if any, would you have to improve the overall security posture of this network?
 
first, i assume you mean that you split it into 2x /26 and 1x /25....

for the VPN network, is that the pool for remote users? how many remote users do you have?

1) yes, this does make sense and a DMZ is a very good idea. Because you are limited on IP space, I'd give the DMZ the public network of the current servers and change the servers to private address space (or go to IPv6!!! ;))

2) I can't answer this question for your business, but imho, I think it's absolutely worth it. the security implications are huge, especially if you get a lot of external attacks that try to use resources of the server and cause a DoS. Proxy devices in a DMZ can severely limit your exposure.

3) I'm not sure what you mean by "sharing" a subnet....

4) from a security perspective, DNS is one of the first services that will become a target. always separate internal and external when possible. standard DoD practice is to separate recursive from authoritative.

5) add a DMZ. utilize a whitelist for firewall rules. always assume that 1 service/system is compromised and design your security posture around that concept. (ie. limit collateral damage from any single service/system becoming compromised).
 
Back
Top