# smart network architecture for SOHO?



## m4rtin (Mar 11, 2009)

is this fallowing network architecture smart for SOHO environment(rather small budget, but security is important):







mail server and ftp/http servers are separated for security reasons. Any suggestions? Or some other improvements? :stud


----------



## m4rtin (Mar 11, 2009)

or is the fallowing architecture technically better:






Any comments?


----------



## trev (Mar 11, 2009)

What is your Internet source? XDSL, ISDN, Cable?

(and I'd probably use OpenBSD in place of FreeBSD in this situation where the machine's main function appears to be as a firewall, although it's really dependent on the answer to my question above.)


----------



## SirDice (Mar 11, 2009)

The first one is a lot better. Imagine what happens if your ftp/web server gets hacked. In the second your attacker will be on the LAN. On the first it'll be confined to the ftp/web server.

Of course you will need to make sure there's no traffic possible from the ftp/web server back into your LAN (firewall it).


----------



## m4rtin (Mar 11, 2009)

trev said:
			
		

> What is your Internet source? XDSL, ISDN, Cable?
> 
> (and I'd probably use OpenBSD in place of FreeBSD in this situation where the machine's main function appears to be as a firewall, although it's really dependent on the answer to my question above.)



my internet source is ADSL. Using OpenBSD instead of FreeBSD is a good idea. I made some improvements(have one physical machine instead of two, but using jails the security level should remain equal):






Is this network architecture technically good? Is jails capable to achieve that?


----------



## m4rtin (Mar 11, 2009)

SirDice said:
			
		

> The first one is a lot better. Imagine what happens if your ftp/web server gets hacked. In the second your attacker will be on the LAN. On the first it'll be confined to the ftp/web server.


that is why I used VLAN's on second architecture


----------



## SirDice (Mar 11, 2009)

Don't use VLANs for security, it's not what they're meant for. They're to improve network performance nothing more.


----------



## trev (Mar 11, 2009)

If the ADSL modem is in fact a router (simple bridges are very rare these days), and it has a decent ICSA-compliant firewall (eg Siemens Speedstream 4200), then I'm not sure the OpenBSD machine achieves anything and could be reassigned as your missing second machine or dropped altogether.

You could run up firewalls on the other machines for defence in depth if you're really paranoid... I'm assuming you would only be forwarding SMTP, HTTP, FTP ports via the router. I believe it's much rarer to find an ADSL router compromised, than a machine with a complete operating system.

ADSL router -> Switch -> LAN machines


----------



## phoenix (Mar 11, 2009)

You definitely want to use a separate firewall box ... I've yet to see even a commercial-grade ADSL "modem" that included a usable packet filter implementation, including logging facilities.  *BSD+PF/IPFW gives you a lot more control, audit capabilities, and troubleshooting tools.

Either the first layout (multiple interfaces on firewall, separate DMZ and LAN) or the third layout (firewall + jail system) are good.  Don't use the second layout (using vlans on switch for security).


----------



## osx-addict (Mar 11, 2009)

Hmm.. You've got me thinking.. I've got a Cisco 1841 ISR that works as my firewall using the IOS software and my setup is similar to drawing #3 above but change the ADSL modem to a cable modem and swap out the OpenBSD box with the above mentioned Cisco router.  The big difference today is that the cisco router has only 2 ports -- one to the cable modem (Internet side) and one to my internal (SOHO) network... I'm thinking that if I got a plug-in card for the Cisco (HWIC card) to add a 2nd internal port, I could effectively do what drawing #3 is trying to do and keep the mail/web traffic segregated from the other pieces of our internal home network..  The hard part is getting the 2nd port (big $$) unless I find a scrap router to part out...Hmm..


----------



## honk (Mar 11, 2009)

In my opinion it doesn't matter if you use layout one or two. Of course if you have enough physical interfaces, then there is no reason not to use it. But we are talking about a SOHO setup here in days were companies in financial businesses use virtualisation wherever they can (public web-server, backend-DB and internal systems on the same ESX-box in the worst case, yes that's reality! *g*...). Maybe it depends on the type of vlan-switch you are going to use. Maybe the cheap ones today still misbehave when flooding the mac-table and fall into "hub-mode" regardless of any configured vlans, but I don't expect this anymore (anyone with practical experiences here? would be interesting!). What can happen if someone breaks your ftp server? He doesn't even know that he resides inside a vlan on the same switch as other (internal) vlans if the switch-configuration is done properly (no protocols enabled like VTP, CDP if it's a Cisco to avoid exposing such informations; switch should be managed out-of-band...blabla). We don't talk about a switch >>without<< vlan-separation (vlan-tagging on all servers only is not meant here from my understanding!), so no trunks expect for the firewall (and if the fw is compromised e.g. because of a vulnerable VPN-service the attacker can reach all your boxes). I also don't see multiple switches connected with trunks for vlan-double-encapsulation attacks, which might be abused (still today(?!) for unidirectional(!) packet injection. That's just my humble opinion. These security with vlan-separation related discussions often are from philosophic nature.

But I would avoid using a jail to separate (public) http/ftp-servers from other servers (like mail, or later a DB?!...) if you have important/personal content in the latter. Jails are great (and definitely better than having all services on one host-system) but not perfect at the moment and you have to configure and maintain(!) some things to make it secure (have seen too many jails without proper devfs-rules the last weeks). What do you think about using IDS/IPS like snort? I'm going to setup snort next time, I think this could be more interesting and helpful than talking about vlan-security, firewall and vpn only.



> I believe it's much rarer to find an ADSL router compromised, than a machine with a complete operating system



This might be true for a lousy administrated server.  Have no numbers here, but I would not trust a 50$ DSL-router where the vendor took an (today) outdated Linux kernel and provides almost no updates for (kernel) vulnerabilities...

cheers,
honk:beer


----------



## osx-addict (Mar 11, 2009)

honk said:
			
		

> But I would avoid using a jail to separate (public) http/ftp-servers from other servers (like mail, or later a DB?!...) if you have important/personal content in the latter. Jails are great (and definitely better than having all services on one host-system) but not perfect at the moment and you have to configure and maintain(!) some things to make it secure *(have seen too many jails without proper devfs-rules the last weeks)*.



Are these cases where the rules are unchanged from the defaults?  Just curious.. I've got one jail running (for mail) but will be adding another 2-3 of them in the coming weeks.


----------

