Isolating network interface - Security

Thread: Isolating network interface

  1. Isolating network interface

    The data center in charge of our network has a rule against dual-homed
    systems on the network. Apparently this can be used to bypass the
    firewall. However, I think I have a situation where it is necessary
    and the risk is negligible but I just thought I'd ask the experts
    first.

    Two firewalls, we will call them public and private
    Two networks, also public and private.

    The local server has three interfaces and is on the public network
    behind the public firewall.

    eth0 -> public (192.x.x.x)
    eth1-> backup network (172.16.x.x)
    eth2-> backend local switch (10.0.0.x)

    The server that we need to access is on the private network behind the
    private firewall.

    eth0 -> private
    eth1 -> backup network

    We don't want to have to go out and back in because this causes too
    much performance degradation.

    I propose that we add an interface to the remote server, making it:

    eth0 -> private
    eth1 -> backup network
    eth2 -> our back-end network.

    What I need to know is that this can be secured. That, solely from a
    security standpoint, I would be justified in proposing this solution.

    Thanks,

    -Mark

  2. Re: Isolating network interface

    On May 5, 7:30 pm, markfaine wrote:
    > The data center in charge of our network has a rule against dual-homed
    > systems on the network.


    Which network?

    > Apparently this can be used to bypass the
    > firewall. However, I think I have a situation where it is necessary
    > and the risk is negligible but I just thought I'd ask the experts
    > first.
    >
    > Two firewalls, we will call them public and private
    > Two networks, also public and private.
    >
    > The local server has three interfaces and is on the public network
    > behind the public firewall.
    >


    So it's already triple-homed in contravention of the security policy?

    > eth0 -> public (192.x.x.x)
    > eth1-> backup network (172.16.x.x)
    > eth2-> backend local switch (10.0.0.x)
    >


    WTF is backup network? And why do you need a separate physical *and* IP
    subnet for backup? Never heard of bonded interfaces? NetRAIN? Router
    failover?
    'Back-end local switch' is this another network?

    > The server that we need to access is on the private network behind the
    > private firewall.
    >


    They can't talk to each other if they're both acting as servers - I
    assume you mean that the previous box acts as a client?

    > eth0 -> private
    > eth1 -> backup network
    >


    Is this the same backup network as the previous box or a back up for
    the private network?

    From your initial description your network looks like this:

    [public network: [PublicServer-client]--->[Public_firewall]]

    [Private network [RemoteServer]-->[PrivateFirewall]]

    [backend local switch [PublicServer]]

    [backup public network [PublicServer]]

    [backup private network [RemoteServer]]


    You don't say how these networks are connected.

    > We don't want to have to go out and back in because this causes too
    > much performance degradation.
    >


    Which implies that there is some connection there (and yet another
    network called 'out').

    [out]

    (2 hosts, 6 networks!)

    > I propose that we add an interface to the remote server, making it:
    >
    > eth0 -> private
    > eth1 -> backup network
    > eth2 -> our back-end network.
    >
    > What I need to know is that this can be secured. That, solely from a
    > security standpoint, I would be justified in proposing this solution.
    >


    I've totally lost track of how many networks there are and how they
    are currently connected. But if your proposal is valid you don't need
    another NIC, real or virtual - just a route. I suppose it might be
    more appropriate to create a tunnel initiated at the server end of the
    connection you really want to create. But without a clear view of how
    your networks are configured currently and the functionality/policy
    on the firewalls it's impossible to say.

    C.
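    The security point in the exchange above is that a host with interfaces on several subnets only bypasses the firewall if it is allowed to forward packets between them; otherwise it is just an application endpoint on each segment. The following audit script is an added example (not code from either poster) that checks exactly that from two command outputs: `ip -o -4 addr show` and `sysctl net.ipv4.ip_forward net.ipv4.conf.all.rp_filter`. The sample outputs embedded below are constructed to mirror the three-interface layout from the original post; the addresses, interface names and finding codes are assumptions for illustration.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of `ip -o -4 addr show` output, modelled on the
# eth0/eth1/eth2 layout in the original post (addresses are made up).
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
3: eth1    inet 172.16.5.10/24 brd 172.16.5.255 scope global eth1
4: eth2    inet 10.0.0.10/24 brd 10.0.0.255 scope global eth2
"""

# Constructed sysctl snapshot: the weak (forwarding) configuration.
SAMPLE_SYSCTL_WEAK = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
"""

# Constructed sysctl snapshot: the hardened configuration for a host
# that must sit on several segments but must not route between them.
SAMPLE_SYSCTL_HARDENED = """\
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
"""

# One line of `ip -o -4 addr` output: "<idx>: <iface> inet <cidr> ... scope <scope> ..."
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)\s+.*scope\s+(\S+)", re.M)


def parse_ip_addr(text: str) -> List[Tuple[str, ipaddress.IPv4Network]]:
    """Return (interface, subnet) for every global-scope IPv4 address."""
    result = []
    for iface, cidr, scope in ADDR_RE.findall(text):
        if scope != "global":          # skip loopback / link-local
            continue
        result.append((iface, ipaddress.ip_interface(cidr).network))
    return result


def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse `key = value` lines as printed by sysctl(8)."""
    values = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def audit_multihoming(ip_addr_text: str, sysctl_text: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means no policy concern.

    A host on a single subnet is never flagged. A multi-homed host is
    reported, and additionally flagged if the kernel will forward between
    its subnets (the firewall-bypass case) or lacks strict reverse-path
    filtering (packets for one segment accepted on another interface).
    """
    addrs = parse_ip_addr(ip_addr_text)
    subnets = {net for _, net in addrs}
    sysctl = parse_sysctl(sysctl_text)
    findings = []
    if len(subnets) <= 1:
        return findings
    detail = ", ".join(f"{iface}={net}" for iface, net in addrs)
    findings.append(("MULTI_HOMED", f"{len(subnets)} distinct subnets: {detail}"))
    if sysctl.get("net.ipv4.ip_forward") == "1":
        findings.append(("IP_FORWARD",
                         "ip_forward=1: host can route between its subnets, bypassing the firewall"))
    if sysctl.get("net.ipv4.conf.all.rp_filter") != "1":
        findings.append(("RP_FILTER",
                         "rp_filter is not strict (1): spoofed source addresses from one segment are accepted on another"))
    return findings


if __name__ == "__main__":
    for label, snapshot in (("weak", SAMPLE_SYSCTL_WEAK), ("hardened", SAMPLE_SYSCTL_HARDENED)):
        print(f"--- {label} sysctl ---")
        for code, message in audit_multihoming(SAMPLE_IP_ADDR, snapshot):
            print(f"{code}: {message}")
```

Run against the weak snapshot the script reports all three findings; against the hardened snapshot it still notes the host is multi-homed (which is what the data center policy objects to) but no longer finds a forwarding or reverse-path problem. On a real host, feed it the live command outputs instead of the constructed samples; the same check is worth adding as a post-change verification if a route or tunnel, rather than an extra NIC, is adopted as C. suggests.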

  3. Re: Isolating network interface

    On May 6, 8:07 am, "C." wrote:
    > On May 5, 7:30 pm, markfaine wrote:
    >
    > > The data center in charge of our network has a rule against dual-homed
    > > systems on the network.

    >
    > Which network?
    >
    > > Apparently this can be used to bypass the
    > > firewall. However, I think I have a situation where it is necessary
    > > and the risk is negligible but I just thought I'd ask the experts
    > > first.

    >
    > > Two firewalls, we will call them public and private
    > > Two networks, also public and private.

    >
    > > The local server has three interfaces and is on the public network
    > > behind the public firewall.

    >
    > So it's already triple-homed in contravention of the security policy?
    >
    > > eth0 -> public (192.x.x.x)
    > > eth1-> backup network (172.16.x.x)
    > > eth2-> backend local switch (10.0.0.x)

    >
    > WTF is backup network? And why do you need a separate physical *and* IP
    > subnet for backup? Never heard of bonded interfaces? NetRAIN? Router
    > failover?
    > 'Back-end local switch' is this another network?
    >
    > > The server that we need to access is on the private network behind the
    > > private firewall.

    >
    > They can't talk to each other if they're both acting as servers - I
    > assume you mean that the previous box acts as a client?
    >
    > > eth0 -> private
    > > eth1 -> backup network

    >
    > Is this the same backup network as the previous box or a back up for
    > the private network?
    >
    > From your initial description your network looks like this:
    >
    > [public network: [PublicServer-client]--->[Public_firewall]]
    >
    > [Private network [RemoteServer]-->[PrivateFirewall]]
    >
    > [backend local switch [PublicServer]]
    >
    > [backup public network [PublicServer]]
    >
    > [backup private network [RemoteServer]]
    >
    > You don't say how these networks are connected.
    >
    > > We don't want to have to go out and back in because this causes too
    > > much performance degradation.

    >
    > Which implies that there is some connection there (and yet another
    > network called 'out').
    >
    > [out]
    >
    > (2 hosts, 6 networks!)
    >
    > > I propose that we add an interface to the remote server, making it:

    >
    > > eth0 -> private
    > > eth1 -> backup network
    > > eth2 -> our back-end network.

    >
    > > What I need to know is that this can be secured. That, solely from a
    > > security standpoint, I would be justified in proposing this solution.

    >
    > I've totally lost track of how many networks there are and how they
    > are currently connected. But if your proposal is valid you don't need
    > another NIC, real or virtual - just a route. I suppose it might be
    > more appropriate to create a tunnel initiated at the server end of the
    > connection you really want to create. But without a clear view of how
    > your networks are configured currently and the functionality/policy
    > on the firewalls it's impossible to say.
    >
    > C.


    Forgive me, I am not a network engineer and didn't post the question
    to be berated for my lack of knowledge of the subject.

    Regardless, I think you have answered my question.

    -Mark
