Secure on the Outside, Open on the Inside
Novell Cool Solutions: Feature
By Sindre Westre
Posted: 8 Nov 2002
Jonathan R. would like to see ways to make an extremely secure network from the Internet with Novell tools but allow freedom with the school intranet. We posed this question to our panel of experts on the School Cool Solutions Advisory Board, and Sindre Westre stepped up with this nice overview. We're guessing school administrators are not the only ones with this requirement...
I would suggest using BorderManager at a dedicated firewall server. This server should have at least three NICs:
- One NIC to route out/in to the Internet. This is your "public" NIC, and is reachable from the Internet.
- One NIC to connect to your internal network (you could add another one if you want to separate the students' and the teachers' networks). This is your "private" NIC.
- One NIC to connect to a DMZ (DeMilitarized Zone). This is your DMZ NIC.
What you Do
- Install BorderManager at the firewall server.
This will set up filters that block traffic to/from your public NIC, so nothing passes through your firewall. Fortunately, some filter exceptions are installed automatically that allow certain inbound/outbound traffic; these let your users browse the Internet from the inside.
- On the server attached to the DMZ NIC, you would install your Intranet.
Some part of this Intranet can be open to the public (your schools website). Other parts will require authentication. Your webserver application (NetWare Enterprise Server or Apache) can control access to specific directories on your server - check out the documentation.
- On the firewall server you run BRDCFG.NLM.
This will apply the default filters and exceptions. This time you choose to apply these filters to your DMZ NIC. You can then delete all the filter exceptions. Now nothing is allowed in or out of the DMZ.
- You then add one exception (at the DMZ NIC) to allow traffic from the Internet (your public NIC) to the webserver in the DMZ only, and only traffic on the port the webserver is listening to (usually port 80). You also apply a similar exception to allow traffic from the internal network (your private NIC) to the webserver in the DMZ, but only at the port the webserver is listening to.
Now traffic is allowed from the Internet to your webserver (and also from the inside). If your webserver is compromised, your internal network is not. (No traffic is allowed from the Internet to your internal network that is not initiated from the inside. Return traffic is allowed, though, like DNS replies etc.)
You will have to add other exceptions in addition to the ones mentioned, but this will give you the idea.
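To make the resulting policy concrete, here is a small stateful packet-filter model of the three-NIC layout just described. It is an added illustration, not BorderManager filter syntax or Novell code: it encodes the default-deny rule, the two exceptions added at the DMZ NIC, the default outbound exceptions for inside users, and return traffic for flows that an allowed packet opened, then evaluates constructed sample packets against it. The addresses, ports and host names are assumptions made up for the example.

```python
"""Model of the three-NIC firewall policy described in the article.

Added example, not BorderManager filter syntax: a default-deny filter
with the two DMZ exceptions, the default outbound exceptions, and a
flow table so replies to inside-initiated traffic get back in.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption, not from the article).
PRIVATE = ip_network("10.0.0.0/16")         # behind the "private" NIC
DMZ = ip_network("192.168.100.0/24")        # behind the DMZ NIC
WEBSERVER = ip_address("192.168.100.10")    # the one DMZ host that is exposed
WEB_PORT = 80                               # the port the web server listens on


def zone_of(addr: str) -> str:
    """Classify an address by which NIC it sits behind."""
    a = ip_address(addr)
    if a in PRIVATE:
        return "private"
    if a in DMZ:
        return "dmz"
    return "internet"                       # everything else arrives on the public NIC


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Firewall:
    """Default deny with explicit exceptions and a table of allowed flows."""

    def __init__(self) -> None:
        self.flows: set = set()             # reverse 5-tuples of packets already allowed

    def _policy(self, pkt: Packet) -> bool:
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        to_web = ip_address(pkt.dst) == WEBSERVER and pkt.dport == WEB_PORT
        if dst_zone == "dmz" and src_zone in ("internet", "private"):
            return to_web                   # the two exceptions added at the DMZ NIC
        if src_zone == "private" and dst_zone == "internet":
            return True                     # default outbound exceptions (browsing, DNS)
        return False                        # everything else: Internet->private, DMZ->private, ...

    def allowed(self, pkt: Packet) -> bool:
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows:
            return True                     # return traffic for a flow opened earlier
        ok = self._policy(pkt)
        if ok:
            self.flows.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return ok


def run_samples() -> dict:
    """Evaluate constructed packets in order; order matters for return traffic."""
    fw = Firewall()
    samples = [
        ("internet_to_web_80", Packet("203.0.113.5", 40000, "192.168.100.10", 80)),
        ("web_reply_to_internet", Packet("192.168.100.10", 80, "203.0.113.5", 40000)),
        ("internet_to_web_22", Packet("203.0.113.5", 40001, "192.168.100.10", 22)),
        ("internet_to_other_dmz_host", Packet("203.0.113.5", 40002, "192.168.100.20", 80)),
        ("internet_to_private", Packet("203.0.113.5", 40003, "10.0.0.5", 80)),
        ("private_to_web_80", Packet("10.0.0.5", 50000, "192.168.100.10", 80)),
        ("private_dns_query", Packet("10.0.0.5", 53000, "203.0.113.53", 53, "udp")),
        ("dns_reply_solicited", Packet("203.0.113.53", 53, "10.0.0.5", 53000, "udp")),
        ("dns_reply_unsolicited", Packet("203.0.113.53", 53, "10.0.0.6", 53000, "udp")),
        ("compromised_web_to_private", Packet("192.168.100.10", 45000, "10.0.0.5", 445)),
    ]
    return {name: fw.allowed(pkt) for name, pkt in samples}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{'ALLOW' if verdict else 'DENY':5} {name}")
```

The last sample is the check that matters most for the article's claim: a webserver in the DMZ that starts talking to the private network is dropped by the default rule, because the only exceptions at the DMZ NIC point at the webserver's listening port, never away from it. Replies from the webserver to Internet clients still get out because they match a flow the first exception opened.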
You will want to buy Craig Johnson's books. He has written two books that are something of the "BorderManager Bibles". Setting up a DMZ is explained there, with step-by-step instructions on how to apply the correct filter exceptions. You can find information on these books, and other useful tips, at http://nscsysop.hypermart.net/.
- Other solutions are possible too, like the HTTP accelerator (reverse proxy) in BorderManager.
- You can boost security even more with Novell iChain.
- If you use NetWare 6 as your webserver platform, you can include some of the features like iFolder etc. on your intranet.
- Also take a look at eGuide. It makes a great addition to your intranet.
If you have any questions you may contact Sindre at firstname.lastname@example.org
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com