3/16/2024 Sophos home premium 4.0.1

In the beginning you could not talk a company into purchasing a firewall. You had to configure a router, or put in a box and configure IPChains. Maybe you could talk them into a proxy device, but definitely not a firewall. At one point people used to just put public IPs on computers inside the network so those computers could use the internet. It was different back then: people were put in charge of, or allowed to do, things they didn't understand. It was difficult to explain that you can't do something they are already doing. Starting with the PIX 509, which was upgraded to a 520. It all got very complicated:

Designed and then partially managed the implementation and support of multiple working DMZs. Then it went from there.

The forward-most facing Layer 1 devices were fiber optic Ethernet switches running BGP: two for customer access, one for employee VPN access and one for management of the external-facing solution. Each was a layer 4 switch from Extreme Networks that was specifically designed to be an external-facing BGP router. I locked it down as tight as I possibly could. Extensive ACLs and security configuration made it a downright bulletproof solution. It had penetration testers asking us what it was for years. I was never required to tell the auditors what it was and never did. I figure it is safe now, 20-some years later. It connected to our network via copper to the PIX. The second layer of defense was split between a Cisco PIX and, later, a Juniper Networks device. That was all they did, some routing, as all firewalls do. The Cisco PIX was the main entry for internet customers (DMZ-W1) and vendor access (DMZ-W2) as well as external application communications (DMZ-A1a).

DMZ-W1 was the home of the front-most customer-facing web servers. This is where the Coyote load balancer was located as well. All the basic HTTP servers plugged into this DMZ.

DMZ-W2 was the VPN solutions. All vendor-based LAN-to-LAN VPN tunnels went through the Cisco ASA VPN device. While the PIX had access to DMZ-W2, it was restricted to tunnels from specific vendors ending at the Cisco ASA.

DMZ-A1 was for applications related to DMZ-W1. These applications would cause security issues if they sat in DMZ-W1. It consisted of servers like ADAM, WSUS, DNS, middleware, application SMTP relays, etc. This was later broken down, creating A1a and A1b. A1b was allowed to communicate inbound and not outbound, while A1a was allowed outbound and not inbound. The Juniper firewall device was another second layer, for employee access, with DMZ-W2 and DMZ-EA.

DMZ-W2, as stated prior, was the location of the VPN devices, be that the Cisco device for vendor tunnels and IPSEC (later replaced by HTTPS) or the Juniper with HTTPS. However, to get to the Juniper HTTPS VPN, the second-level Juniper firewall did a RADIUS check on the computers based on domain and computer group membership, via a TLS certificate we generated. That then allowed access to the HTTPS device with a three-phase authentication.

DMZ-EA was the location of the RSA and other employee authentication services. This is what the authentications went through, which means these devices ultimately had to talk to AD servers. Of course, the second layers all converged, via dead zones, onto the third layer of protection, which was maintained by a Checkpoint firewall. This is also where URL filtering took place.

DMZ-M1 - All device management ports were in this DMZ. No one outside this network was allowed to communicate with DMZ-M1, as it was the management DMZ. We used public addresses on it and black-holed those addresses at the forward-most facing switch as well as on the internal network. You simply could not get there from anywhere. You could try, but it simply did not work. KVM: to administer anything, you had to connect to a special KVM. It had specialized management computers connected and was not accessible if you VPN'ed into the network. You actually had to be on certain computers with certain user accounts. In theory VNC would make it look like you were there. But why bother trying to mess with that if you already have VNC running on the network administrator's laptop, which they somehow left turned on at work. The beauty of this solution was that employees who VPN'ed into the network were filtered. The solution had hard taps throughout, with Snort IDS rules configured at different levels of sensitivity. This solution was extremely complex and took significant time to design and fully implement. I designed the entire solution from scratch.
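The zoned design described in the post, as an added example that is not the post's own configuration or any vendor's syntax: a small Python model encodes the zones and the permitted flows as a default-deny graph, computes what a foothold in any one zone could reach by chaining permitted flows, and checks the guarantees the post states (DMZ-M1 reachable only from the dedicated management stations, A1a outbound-only, A1b inbound-only). Zone names follow the post; the flows marked ASSUMED (web tier to A1b, authenticated VPN users into the inside) and the MGMT-KVM zone name are assumptions filling gaps the post leaves.

```python
"""Reachability and invariant check over a zoned DMZ design.

Constructed example, not the post's own configuration. Each permitted flow is
a directed edge (source zone, destination zone); anything not listed is denied.
"""
from collections import deque

INTERNET, W1, W2, A1A, A1B, EA, M1, INTERNAL, KVM = (
    "INTERNET", "DMZ-W1", "DMZ-W2", "DMZ-A1a", "DMZ-A1b",
    "DMZ-EA", "DMZ-M1", "INTERNAL", "MGMT-KVM",
)

# Permitted flows. Entries marked ASSUMED are not stated in the post; they are
# plausible glue needed to make the model whole.
POLICY = {
    (INTERNET, W1),   # customers reach the front-facing web servers
    (INTERNET, W2),   # vendor tunnels and employee HTTPS VPN terminate here
    (W1, A1B),        # ASSUMED: web tier calls the inbound-only app tier
    (A1A, INTERNET),  # outbound-only tier (WSUS, DNS, SMTP relays) talks out
    (W2, EA),         # VPN devices authenticate against RSA/RADIUS in DMZ-EA
    (EA, INTERNAL),   # authentication services ultimately talk to AD
    (W2, INTERNAL),   # ASSUMED: authenticated VPN users reach the inside
    (KVM, M1),        # only the special KVM/management stations reach DMZ-M1
}


def reachable(policy, start):
    """Zones a foothold in `start` can reach by chaining permitted flows (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in policy:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def check_invariants(policy):
    """Return human-readable violations of the design's stated guarantees."""
    violations = []
    # 1. The management DMZ is reachable from nowhere but the KVM stations,
    #    even transitively: a pivot through another DMZ must not get there.
    for zone in (INTERNET, W1, W2, A1A, A1B, EA, INTERNAL):
        if M1 in reachable(policy, zone):
            violations.append(f"{M1} reachable from {zone}")
    # 2. A1a is outbound-only: no flow may target it.
    violations += [f"inbound flow into {A1A} from {s}" for s, d in policy if d == A1A]
    # 3. A1b is inbound-only: it may not originate flows.
    violations += [f"outbound flow from {A1B} to {d}" for s, d in policy if s == A1B]
    return sorted(violations)


def internet_blast_radius(policy):
    """Zones an attacker on the internet could ever pivot into under `policy`."""
    return reachable(policy, INTERNET)


if __name__ == "__main__":
    print("design as described:", check_invariants(POLICY) or "no violations")
    print("internet blast radius:", sorted(internet_blast_radius(POLICY)))
    # Weakened variant: a rule letting VPN users manage devices "for convenience".
    weakened = POLICY | {(W2, M1)}
    print("with DMZ-W2 -> DMZ-M1 added:", check_invariants(weakened))
```

Run as written, the design passes every invariant; adding a single DMZ-W2 to DMZ-M1 rule makes the checker report DMZ-M1 reachable from the VPN zone, from the internet (via the VPN endpoints) and from A1a (via its outbound path), which is the blast-radius argument for keeping the management DMZ off every VPN and internet path.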