civic00typer
Gawd
- Joined
- Dec 5, 2003
- Messages
- 517
Please share your thoughts and advice on the following network.
I just inherited a class c network (public IP addresses), split into three segments. The subnets are configured as follows:
x.x.70.0/25 - Server Network
x.x.70.64/25 - VPN Network
x.x.70.128/24 - User Network
This segment of the network is part of a larger class B network. The VPN utilizes public IPs for the purposes of monitoring/logging... setting up a NAT will not work for reasons beyond the discussion in this post. Further, the gateway is a Fortinet firewall with rules governing traffic between the subnets and the WAN. However, the server network has no rules preventing it from accessing the user network.
Within the server network there are a couple of domain controllers that host DNS services for internal and external name resolution. That means there is an exception in the firewall to allow incoming DNS requests to the domain controllers. However, no other services on the DCs are exposed to the internet/WAN.
Questions...
1. I would like to have a DMZ, where I can run services available to the public. The servers have been segmented into a separate subnet; however, it's my concern that a security breach on one of these services exposes my entire server network. Does this make sense?
2. Given the fact that creating new subnets will require me to change many static IP configurations... is the risk of not having a separate subnet for public-facing services high enough to warrant all the work and effort to do this?
3. If I was to multi-net the network segments... basically running another non-routable (private IP address) network alongside the public network... will I gain anything from this? In other words, is there any security benefit in having some services that are not directly accessible/routable from the internet, even though they will share a subnet with addresses that are routable?
4. Using AD for public/private name resolution. This just doesn't sound right. Is it bad practice to use locally running DNS services for both public/private name resolution? All the clients on the network have public IP addresses... the thought was to use dynamic DNS so that a user can access their computer remotely (remote desktop for example).
5. What recommendations, if any, would you have to improve the overall security posture of this network?
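Before carving out a DMZ or re-addressing anything, it is worth checking that the subnet plan as written is actually consistent: a /25 can only start at .0 or .128, and a /24 cannot start at .128. The following is an added example (not from the original post or any reply) that uses Python's standard `ipaddress` module to validate a plan against the parent block, flagging prefixes that are not on a proper boundary and pairs that overlap. The 198.51.100.0/24 addresses are a constructed stand-in (RFC 5737 documentation range) for the poster's x.x.70.0/24, and the four-way /26 split in `CORRECTED_PLAN` is one hypothetical layout that leaves room for a DMZ subnet, not a recommendation for specific sizes.

```python
import ipaddress

# Constructed stand-in for the poster's x.x.70.0/24 (RFC 5737 documentation range).
PARENT = ipaddress.ip_network("198.51.100.0/24")

# The plan exactly as posted, with x.x.70 replaced by the stand-in prefix.
POSTED_PLAN = {
    "Server Network": "198.51.100.0/25",
    "VPN Network":    "198.51.100.64/25",
    "User Network":   "198.51.100.128/24",
}

# Hypothetical re-carve: four /26 blocks, which also makes room for a DMZ zone.
CORRECTED_PLAN = {
    "Server Network": "198.51.100.0/26",
    "DMZ Network":    "198.51.100.64/26",
    "VPN Network":    "198.51.100.128/26",
    "User Network":   "198.51.100.192/26",
}


def check_plan(plan, parent):
    """Return a list of human-readable problems with a subnet plan.

    Checks, in order: each CIDR is on a valid boundary for its prefix
    length, each block lies inside the parent allocation, and no two
    blocks overlap. An empty list means the plan is consistent.
    """
    problems = []
    nets = {}

    for name, cidr in plan.items():
        try:
            # strict=True rejects CIDRs with host bits set (e.g. .64/25).
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            # Fall back to the block the prefix length would actually denote,
            # so the overlap check below still has something to compare.
            net = ipaddress.ip_network(cidr, strict=False)
            problems.append(
                f"{name}: {cidr} is not on a /{net.prefixlen} boundary; "
                f"that prefix length at this address means {net}"
            )
        if not net.subnet_of(parent):
            problems.append(f"{name}: {net} falls outside the allocation {parent}")
        nets[name] = net

    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


if __name__ == "__main__":
    for label, plan in (("posted", POSTED_PLAN), ("corrected", CORRECTED_PLAN)):
        issues = check_plan(plan, PARENT)
        print(f"{label} plan: {len(issues)} problem(s)")
        for issue in issues:
            print("  -", issue)
```

Run as-is, the posted plan reports two misaligned prefixes and three overlapping pairs, which is why the firewall cannot reason about "server" versus "user" traffic by subnet alone; the corrected plan reports none. Re-addressing is the unavoidable cost of a real DMZ, and this check is cheap to re-run on each candidate layout before touching static IP configurations.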