
Currently we have a Linux-based firewall which NATs our public IP address to give internet access to our staff's PCs, and a Windows Server 2003 for internal file sharing.

I want to host Redmine/SVN (a bug tracker) internally behind this firewall on a Linux server. This web server will be accessed by our clients externally so they can post bug reports. This means that I have to open ports 80 & 22 at the firewall to give access to the web server and to let me SSH into it from home.

However, let's say I'm using password-based SSH on the web server and somebody cracks it. Does that mean the cracker could ping and access other servers and PCs in the network?

hsym
  • Yes, if someone breaks into an internal host (the Linux server in your post) he would have access to all hosts in the private subnet that's NATed. – Hrvoje Špoljar Feb 19 '11 at 14:36

3 Answers


Yes. A DMZ solves this problem. You can create a DMZ on Linux (a separate network) using one more NIC or by creating a VLAN.

In computer security, a DMZ, or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. The term is normally referred to as a DMZ by information technology professionals. It is sometimes referred to as a perimeter network. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network.

[image: dmz]

ooshro
  • This of course assumes that the link between the machine in the DMZ and the internal network is properly locked down. I realise you probably know this, but I'm adding it because quite a lot of people *don't* seem to know it. You'd be surprised how many people drop a machine in the DMZ and do an "allow all" rule between that and the internal network on the firewall, which is a big fail. – Rob Moir Feb 19 '11 at 14:42
  • Your Linux-based firewall probably can create your DMZ, typically a separate subnet. May use a separate network card but doesn't have to. – Paul Feb 19 '11 at 14:43
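The firewall side of this answer, as an added example that is not from the original post: an nftables ruleset for a Linux firewall with three interfaces, plus a check that no rule lets the DMZ talk to the LAN (the "allow all" mistake Rob Moir's comment describes). The interface names wan0/lan0/dmz0, the DMZ subnet and the Redmine host address 10.0.2.10 are assumptions, and nftables is used rather than the iptables of the question's era.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: wan0 = public
# side, lan0 = staff PCs, dmz0 = the bug-tracker segment (10.0.2.0/24),
# 10.0.2.10 = the Redmine/SVN host. Substitute your own.
#
# dmz0 can be a third NIC or, as the answer says, a VLAN sub-interface, e.g.:
#   ip link add link eth1 name dmz0 type vlan id 10 && ip addr add 10.0.2.1/24 dev dmz0

dmz_ruleset() {
  cat <<'EOF'
flush ruleset

table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;

    ct state established,related accept
    ct state invalid drop

    # Internet -> DMZ: only the two published services, only to the one host
    iifname "wan0" oifname "dmz0" ip daddr 10.0.2.10 tcp dport { 80, 22 } accept

    # LAN -> DMZ (staff use Redmine too) and LAN -> Internet
    iifname "lan0" oifname { "dmz0", "wan0" } accept

    # DMZ -> LAN: never. Without this the DMZ is just another LAN segment.
    # Logging the attempt makes a compromised DMZ host visible.
    iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan " drop

    # DMZ -> Internet: just enough for DNS and package updates
    iifname "dmz0" oifname "wan0" udp dport 53 accept
    iifname "dmz0" oifname "wan0" tcp dport { 80, 443 } accept
  }
}

table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    # Publish the bug tracker on the firewall's public address
    iifname "wan0" tcp dport { 80, 22 } dnat to 10.0.2.10
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "wan0" masquerade
  }
}
EOF
}

# Sanity check before loading: fail if any rule accepts traffic from dmz0
# into lan0, whether lan0 is named directly or inside an oifname set.
dmz_to_lan_blocked() {
  if printf '%s\n' "$1" | grep -Eq 'iifname "dmz0".*oifname ("lan0"|[{][^}]*"lan0").*accept'; then
    echo "ruleset accepts DMZ -> LAN traffic" >&2
    return 1
  fi
  return 0
}

# Review the text, run the check, then load it with: nft -f /etc/nftables.conf
ruleset=$(dmz_ruleset)
dmz_to_lan_blocked "$ruleset" && printf '%s\n' "$ruleset"
```

The forward chain's default policy is drop, so the explicit DMZ-to-LAN drop rule is there for the log line rather than for enforcement; a hit on that counter is the earliest sign that the DMZ host has been taken over.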

@ooshro gave a good answer about DMZs, but I want to add there are additional steps you should look at for securing your external access to limit the possibility of your host being compromised.

First, make sure you set up proper firewall rules on the Linux bugtracker server. Since it will be publicly accessible, you should control access in and out of the machine tightly. Most firewall configurations concentrate on blocking incoming connections from the outside world. That's a good first step, but you should also lock down outgoing connections. For example, if this server doesn't need to ssh to the outside world, there should be a firewall rule blocking that.

Install a minimal set of software packages on the server. Do you really need network utilities like tcpdump or traceroute? Probably not, but they can be invaluable for someone who breaks into your machine.

Take additional steps to secure incoming ssh on the Linux server. You should run something like denyhosts to block automated login attempts. If only admin users like yourself are going to access the box via ssh, run your ssh server on a different port to again cut down on automated ssh login attempts.

Don't allow password-only ssh logins to the box, instead require use of pregenerated public/private keypairs. Look into running Google Two Factor Authentication so there's an additional layer of security when you log in.

Phil Hollenback
  • +1 for denyhosts. Alternately, fail2ban is a good solution, and can send triggers to your firewall to block the offending source IP address. – Joe Feb 22 '11 at 23:28
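The steps in this answer and Joe's comment, as an added example that is not the answer author's own code: a host-level nftables ruleset with egress filtering, an sshd drop-in that turns off password logins, an audit function that flags weak sshd settings (feed it a config file or the output of `sshd -T`), and a fail2ban jail for the moved port. The port 2222, the account name admin, the drop-in path and the jail.local path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumed: nftables for the host
# firewall, OpenSSH with a sshd_config.d drop-in directory, fail2ban as in
# Joe's comment, SSH moved to port 2222 and an admin account named "admin".

# 1. Host firewall: default-deny in both directions. The output chain is the
#    part most people skip; this server never needs to initiate SSH, so a
#    shell obtained on it cannot pivot by SSH either, and the attempt is logged.
host_ruleset() {
  cat <<'EOF'
table inet host {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    tcp dport { 80, 2222 } accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ct state established,related accept
    udp dport 53 accept              # DNS
    tcp dport { 80, 443 } accept     # package updates only
    tcp dport 22 log prefix "egress-ssh-blocked " drop
  }
}
EOF
}

# 2. sshd drop-in: keys only, no root, non-default port, short grace window.
sshd_hardening_config() {
  cat <<'EOF'
# /etc/ssh/sshd_config.d/50-hardening.conf  (assumed path)
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# Audit: read an sshd configuration (a file, or the effective settings from
# `sshd -T`) on stdin, print each weak setting, return 1 if any were found.
# sshd honours the first occurrence of a keyword, so the first one wins here.
# Missing keywords are compared against the OpenSSH defaults in dflt[].
sshd_weak_settings() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }
    { k = tolower($1); if (!(k in v)) v[k] = tolower($2) }
    END {
      want["passwordauthentication"] = "no";  dflt["passwordauthentication"] = "yes"
      want["permitrootlogin"]        = "no";  dflt["permitrootlogin"]        = "prohibit-password"
      want["pubkeyauthentication"]   = "yes"; dflt["pubkeyauthentication"]   = "yes"
      bad = 0
      for (k in want) {
        actual = (k in v) ? v[k] : dflt[k]
        if (actual != want[k]) { printf "weak: %s is %s, want %s\n", k, actual, want[k]; bad = 1 }
      }
      exit bad
    }'
}

# 3. fail2ban jail for the non-default port (/etc/fail2ban/jail.local, assumed path)
fail2ban_jail() {
  cat <<'EOF'
[sshd]
enabled  = true
port     = 2222
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}

# Confirm the proposed drop-in passes its own audit before installing it
sshd_hardening_config | sshd_weak_settings && echo "sshd drop-in: no weak settings"
```

If you add the Google Authenticator PAM module as the answer suggests, keep `PasswordAuthentication no` and require both factors with `AuthenticationMethods publickey,keyboard-interactive`; keyboard-interactive alone would reopen a password path through PAM. Running the audit against `sshd -T` rather than the file catches settings overridden elsewhere in the configuration.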

In addition to @ooshro's answer: having everything in one DMZ is also a worry, as if any of those services is compromised, the attacker will have a much easier job compromising the entire DMZ, which gives a larger platform from which to try to pass through the firewall.

Rory Alsop
  • Could you explain "...gives a larger platform to try and pass through the firewall"? I don't get it. – hsym Feb 23 '11 at 14:18
  • If I just have a webserver compromised, I can try to use its connections to the backend app or database. If I also have a mail server and a DNS server etc., I have more connections available to me to probe for vulnerabilities. – Rory Alsop Feb 23 '11 at 14:32