Isolating network interface

This is a discussion on Isolating network interface within the Linux Security forums, part of the System Security and Security Related category.


#1
1 Week Ago
markfaine

Isolating network interface

The data center in charge of our network has a rule against dual-homed
systems on the network. Apparently this can be used to bypass the
firewall. However, I think I have a situation where it is necessary
and the risk is negligible but I just thought I'd ask the experts
first.

Two firewalls, which we will call public and private.
Two networks, also public and private.

The local server has three interfaces and is on the public network
behind the public firewall.

eth0 -> public (192.x.x.x)
eth1 -> backup network (172.16.x.x)
eth2 -> backend local switch (10.0.0.x)

The server that we need to access is on the private network behind the
private firewall.

eth0 -> private
eth1 -> backup network

We don't want to have to go out and back in because this causes too
much performance degradation.

I propose that we add an interface to the remote server, making it:

eth0 -> private
eth1 -> backup network
eth2 -> our back-end network.

What I need to know is that this can be secured. That, solely from a
security standpoint, I would be justified in proposing this solution.

Thanks,

-Mark
#2
6 Days Ago
C.

Re: Isolating network interface

On May 5, 7:30 pm, markfaine <mark.fa...@gmail.com> wrote:
> The data center in charge of our network has a rule against dual-homed
> systems on the network.


Which network?

> Apparently this can be used to bypass the
> firewall. However, I think I have a situation where it is necessary
> and the risk is negligible but I just thought I'd ask the experts
> first.
>
> Two firewalls, we will call them public and private
> Two networks, also public and private.
>
> The local server has three interfaces and is on the public network
> behind the public firewall.
>


So it's already triple-homed in contravention of the security policy?

> eth0 -> public (192.x.x.x)
> eth1 -> backup network (172.16.x.x)
> eth2 -> backend local switch (10.0.0.x)
>


WTF is backup network? And why do you need a separate physical *and* IP
subnet for backup? Never heard of bonded interfaces? NetRAIN? Router
failover?
'Back-end local switch' is this another network?

> The server that we need to access is on the private network behind the
> private firewall.
>


They can't talk to each other if they're both acting as servers - I
assume you mean that the previous box acts as a client?

> eth0 -> private
> eth1 -> backup network
>


Is this the same backup network as the previous box or a back up for
the private network?

From your initial description your network looks like this:

[public network: [PublicServer-client]--->[Public_firewall]]

[Private network [RemoteServer]-->[PrivateFirewall]]

[backend local switch [PublicServer]]

[backup public network [PublicServer]]

[backup private network [RemoteServer]]


You don't say how these networks are connected.

> We don't want to have to go out and back in because this causes too
> much performance degradation.
>


Which implies that there is some connection there (and yet another
network called 'out').

[out]

(2 hosts, 6 networks!)

> I propose that we add an interface to the remote server, making it:
>
> eth0 -> private
> eth1 -> backup network
> eth2 -> our back-end network.
>
> What I need to know is that this can be secured. That, solely from a
> security standpoint, I would be justified in proposing this solution.
>


I've totally lost track of how many networks there are and how they
are currently connected. But if your proposal is valid you don't need
another NIC, real or virtual - just a route. I suppose it might be
more appropriate to create a tunnel initiated at the server end of the
connection you really want to create. But without a clear view of how
your networks are configured currently and the functionality/policy
on the firewalls it's impossible to say.

C.
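The policy C. is asking about exists because a multi-homed host that forwards packets is a path around the firewall. The following audit script is an added example, not code from either poster: it counts how many networks a Linux host sits on and checks whether IP forwarding is turned on, which is the combination that actually creates the bypass. The interface listing is constructed sample output modelled on the three-interface server in the thread, and the sysctl settings in the comments are assumed hardening, not something the thread prescribes.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether a Linux host is
# multi-homed and whether it can forward packets between its networks,
# which is the firewall-bypass risk behind the data center's policy.
# Constructed sample of `ip -o -4 addr show` for the poster's local server.
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
3: eth1    inet 172.16.5.10/24 brd 172.16.5.255 scope global eth1
4: eth2    inet 10.0.0.10/24 brd 10.0.0.255 scope global eth2'

# count_homes LISTING: number of distinct non-loopback interfaces that hold
# a global IPv4 address, i.e. how many networks the host is attached to.
count_homes() {
    printf '%s\n' "$1" |
        awk '$2 != "lo" && /scope global/ { if (!seen[$2]++) n++ } END { print n + 0 }'
}

# assess LISTING FORWARD_FLAG: FORWARD_FLAG is the content of
# /proc/sys/net/ipv4/ip_forward (0 or 1). Being multi-homed alone is not a
# bypass; the host must also route between its interfaces.
assess() {
    homes=$(count_homes "$1")
    fwd=$(printf '%s' "$2" | tr -d '[:space:]')
    if [ "$homes" -gt 1 ] && [ "$fwd" = "1" ]; then
        echo "RISK: multi-homed ($homes interfaces) and IP forwarding enabled"
    elif [ "$homes" -gt 1 ]; then
        echo "MULTI-HOMED: $homes interfaces, forwarding disabled"
    else
        echo "SINGLE-HOMED: $homes interface"
    fi
}

# live_audit: the same check against the running host (needs iproute2).
live_audit() {
    assess "$(ip -o -4 addr show)" "$(cat /proc/sys/net/ipv4/ip_forward)"
}

# Assumed hardening for a host that must stay multi-homed: refuse to act as
# a router and drop packets whose source address would not route back out
# the interface they arrived on.
#   sysctl -w net.ipv4.ip_forward=0
#   sysctl -w net.ipv4.conf.all.rp_filter=1

assess "$SAMPLE_ADDR" 1
```

Run `live_audit` on the actual box to compare its state with the policy; a "RISK" verdict means the firewall can be stepped around through that host regardless of which NIC was added.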
#3
6 Days Ago
markfaine

Re: Isolating network interface

On May 6, 8:07 am, "C." <colin.mckin...@gmail.com> wrote:
> On May 5, 7:30 pm, markfaine <mark.fa...@gmail.com> wrote:
>
> > The data center in charge of our network has a rule against dual-homed
> > systems on the network.
>
> Which network?
>
> > Apparently this can be used to bypass the
> > firewall. However, I think I have a situation where it is necessary
> > and the risk is negligible but I just thought I'd ask the experts
> > first.
>
> > Two firewalls, we will call them public and private
> > Two networks, also public and private.
>
> > The local server has three interfaces and is on the public network
> > behind the public firewall.
>
> So it's already triple-homed in contravention of the security policy?
>
> > eth0 -> public (192.x.x.x)
> > eth1 -> backup network (172.16.x.x)
> > eth2 -> backend local switch (10.0.0.x)
>
> WTF is backup network? And why do you need a separate physical *and* IP
> subnet for backup? Never heard of bonded interfaces? NetRAIN? Router
> failover?
> 'Back-end local switch' is this another network?
>
> > The server that we need to access is on the private network behind the
> > private firewall.
>
> They can't talk to each other if they're both acting as servers - I
> assume you mean that the previous box acts as a client?
>
> > eth0 -> private
> > eth1 -> backup network
>
> Is this the same backup network as the previous box or a back up for
> the private network?
>
> From your initial description your network looks like this:
>
> [public network: [PublicServer-client]--->[Public_firewall]]
>
> [Private network [RemoteServer]-->[PrivateFirewall]]
>
> [backend local switch [PublicServer]]
>
> [backup public network [PublicServer]]
>
> [backup private network [RemoteServer]]
>
> You don't say how these networks are connected.
>
> > We don't want to have to go out and back in because this causes too
> > much performance degradation.
>
> Which implies that there is some connection there (and yet another
> network called 'out').
>
> [out]
>
> (2 hosts, 6 networks!)
>
> > I propose that we add an interface to the remote server, making it:
>
> > eth0 -> private
> > eth1 -> backup network
> > eth2 -> our back-end network.
>
> > What I need to know is that this can be secured. That, solely from a
> > security standpoint, I would be justified in proposing this solution.
>
> I've totally lost track of how many networks there are and how they
> are currently connected. But if your proposal is valid you don't need
> another NIC, real or virtual - just a route. I suppose it might be
> more appropriate to create a tunnel initiated at the server end of the
> connection you really want to create. But without a clear view of how
> your networks are configured currently and the functionality/policy
> on the firewalls it's impossible to say.
>
> C.


Forgive me, I am not a network engineer and didn't post the question
to be berated for my lack of knowledge of the subject.

Regardless, I think you have answered my question.

-Mark