Cable Forum (https://www.cableforum.uk/board/index.php)
-   Networking (https://www.cableforum.uk/board/forumdisplay.php?f=87)
-   -   Network Topography Help Please (https://www.cableforum.uk/board/showthread.php?t=33615033)

Raistlin 29-05-2007 12:57

Network Topography Help Please
 
Afternoon All,

After some advice please.

Attached is a partial diagram of a network comprising:

4 x Laptop
1 x File Server
1 x Backup Server
4 x Attack Lab Machines
2 x Test Lab Machines

In addition there is an ADSL modem which provides Internet access, and you can assume that I have as many hubs/switches and additional machines as may be required to make this work.

The network is effectively split into 2 halves. The laptops on the left-hand side (LHS) need to have full access to the Internet, and must be able to access the file server and the shares that are on it. Additionally it should be possible to re-image the laptops from the backup server if required, but they do not routinely need access to the files on it. The file server should have access to the backup server, to facilitate backups....ummm....der.....:dozey:

In addition to this, the laptops all require access to the four 'Attack lab' machines on the right-hand side (RHS) of the network. The 'Attack lab' machines will be built (and rebuilt) on an ad-hoc basis, using various operating systems. The purpose of this is to allow the users of the laptops to explore the vulnerabilities on those 'Attack lab' machines, learn how to exploit them, and then learn how to patch them. It may be necessary to pull images from the backup server occasionally, but this can be done via CD/DVD transfer if required. The four 'Attack lab' machines require some access to the Internet for the purpose of applying patches, but if this can be done manually then that's probably better.
It can be assumed that the users can be trusted not to trash each others laptops, although a mechanism for preventing any 'accidents' might not be a bad idea ;)

The two 'Test lab' machines will be used for examining malicious code/virii and for studying its effects on various operating systems. They should preferably have access to the Internet for the purposes of downloading patches, but if there is a manual way of accomplishing this then they could be completely stand-alone from everything else.

The constraints as I see them are:

1. The whole of the RHS of the diagram should ideally be completely segregated from the Internet. We have 6 unpatched and highly vulnerable machines there which could easily be taken over/subverted if there was an easy channel to them from the outside world.

2. The laptops *need* Internet access, and also *need* access to the RHS of the network. They also *need* to be able to share files with each other via the file server.

3. Nothing from the RHS of the network should be able to 'write' to anything on the LHS. That is, any exploits used/malicious code being studied should not be able to affect any part of the LHS.

Now, I could manage any single part of this. Networking half a dozen machines together is simplicity in itself. What I can't work out is how to accomplish what I'm after above. It seems that I effectively need two different networks, but that they should be connected somehow.

Am I over complicating this? Is there a better way to do it? Can I accomplish what I'm trying to do above, or should I just have two physically distinct networks, and manually change cables to change the laptops between the two? If I segregate the 6 machines on the RHS and stop them accessing the Internet, how do I manage patches etc when I need/want to?

Is this post too long (probably!)

Any and all advice gratefully received. I'm sure there's a simple way of accomplishing this, I just can't see it.

BTW - I'd appreciate it if we could keep this purely to a discussion about the network topography itself, not about what it will be used for/why as that discussion could very easily start to drift into areas that are against the Ts and Cs of CF. Suffice to say though that the network is fully under my control and that of my employers, and that I have full authority to implement it as described above :)

Raistlin 29-05-2007 13:30

Re: Network Topography Help Please
 
I suppose what I need to know is:

What should go in the gap at the top of the diagram between the modem, LHS, and RHS?

Do I need some sort of switch/hub there, or do I need to rethink from scratch on this one?

Cheers :)

---------- Post added at 13:30 ---------- Previous post was at 12:58 ----------

Forgot to say, I've got the diagram in Visio as well if anybody wants that so that they can have a go at editing/moving things around.

Cheers.

Incomplete 29-05-2007 13:52

Re: Network Topography Help Please
 
Raistlin,

Bridge the two networks with a firewall, untrusted side facing the RHS so that apart from any exceptions you add connection requests have to come from the LHS.

I presume that LHS has security of its own so connecting the internet to LHS trusted side is ok.

A 'nix box with 3 network cards would be pretty good at this, could split the network into internet, RHS and LHS and control traffic between the zones accordingly.

Uncle Peter 29-05-2007 13:54

Re: Network Topography Help Please
 
Freesco should provide you with a flexible solution with which to bridge and control your network segments.

http://www.freesco.org/index.php?id=o

hth

Raistlin 29-05-2007 13:58

Re: Network Topography Help Please
 
Ok, so..........assuming that much of the stuff on the Freesco front page might as well be in Greek... :)

I take it that the Freesco box sits between the LHS and RHS of the network, and is also connected to the Internet, and that I then tell it what traffic is allowed to flow and between where? Or is that too simplified?

This is where my knowledge starts to fall short, working with single segments I can handle, but I've never had any experience of 'bridging' multiple networks before.

Thanks :)

Uncle Peter 29-05-2007 14:32

Re: Network Topography Help Please
 
If you don't have any experience with ipfwadm you'll have a fair bit of reading up and experimenting to do. If you're not confident with the idea of managing your routing and access using a linux based product your other option would be to use ISA server on the wintel side of the fence.

In very simple terms you will be bridging your networks with a PC or server containing at least 2 network interfaces: one each for the left and right hand side of the network as you envisage it with switches and/or hubs hanging off each interface as appropriate. Bear in mind that your design choices will have a direct impact on your DHCP/DNS strategy if implemented.
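The three-interface firewall that Incomplete and Uncle Peter describe (Internet, LHS and RHS each on their own NIC, with connection requests only ever originating from the LHS) is the policy the original poster's three constraints boil down to. The following is an added example, not code from this thread, from Freesco or from any of the posters: it models that zone policy with stateful tracking, runs a few constructed flows through it so the accept/drop decisions can be seen, and renders the equivalent nftables forward chain. The interface names (eth0 = Internet, eth1 = LHS, eth2 = RHS) and the addresses are assumptions made for the example.

```python
"""Three-zone stateful filter model for the firewall-on-a-PC design discussed in the thread.

Zones: "wan" (ADSL modem), "lhs" (laptops, file server, backup server),
"rhs" (attack lab and test lab machines). Only the LHS may open connections;
replies to established connections are accepted in either direction.
"""
from dataclasses import dataclass

# Assumed interface assignment for the rendered nftables rules.
IFACE = {"wan": "eth0", "lhs": "eth1", "rhs": "eth2"}

# Which zone may *initiate* a connection to which. Everything not listed is dropped.
ALLOWED_NEW = {
    ("lhs", "wan"): True,   # laptops need the Internet
    ("lhs", "rhs"): True,   # laptops need to reach the lab boxes
    ("rhs", "lhs"): False,  # nothing on the RHS may write to the LHS
    ("rhs", "wan"): False,  # lab boxes stay off the Internet (patch manually)
    ("wan", "lhs"): False,
    ("wan", "rhs"): False,
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


class ZoneFirewall:
    """Stateful zone filter: new connections follow the policy, replies follow the table."""

    def __init__(self, policy, exceptions=()):
        self.policy = policy
        # Explicit holes of the form (src_zone, dst_zone, proto, dport).
        self.exceptions = set(exceptions)
        self.conntrack = set()  # (src, sport, dst, dport, proto) of accepted connections

    def decide(self, flow):
        fwd = (flow.src, flow.sport, flow.dst, flow.dport, flow.proto)
        rev = (flow.dst, flow.dport, flow.src, flow.sport, flow.proto)
        if fwd in self.conntrack or rev in self.conntrack:
            return "accept (established)"
        allowed = self.policy.get((flow.src_zone, flow.dst_zone), False)
        hole = (flow.src_zone, flow.dst_zone, flow.proto, flow.dport) in self.exceptions
        if allowed or hole:
            self.conntrack.add(fwd)
            return "accept (new)"
        return "drop"


def render_nft(policy=ALLOWED_NEW, exceptions=()):
    """Render the same policy as an nftables forward chain with a default drop."""
    lines = [
        "table inet lab {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for (src, dst), ok in policy.items():
        if ok:
            lines.append(f'    iifname "{IFACE[src]}" oifname "{IFACE[dst]}" ct state new accept')
    for src, dst, proto, port in exceptions:
        lines.append(f'    iifname "{IFACE[src]}" oifname "{IFACE[dst]}" {proto} dport {port} ct state new accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


def run_scenario(exceptions=()):
    """Push constructed flows through the model and return the decision for each."""
    fw = ZoneFirewall(ALLOWED_NEW, exceptions)
    laptop, fileserver, labbox, mirror = "10.1.0.10", "10.1.0.2", "10.2.0.20", "203.0.113.10"
    flows = [
        Flow("lhs", "rhs", "tcp", laptop, labbox, 51000, 445),      # laptop opens a session to a lab box
        Flow("rhs", "lhs", "tcp", labbox, laptop, 445, 51000),      # lab box replies on that session
        Flow("rhs", "lhs", "tcp", labbox, fileserver, 40000, 445),  # lab box tries to reach the file server
        Flow("rhs", "wan", "tcp", labbox, mirror, 40001, 80),       # lab box tries to fetch patches itself
        Flow("lhs", "wan", "tcp", laptop, mirror, 51001, 443),      # laptop browses the Internet
    ]
    return [fw.decide(f) for f in flows]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
    print(render_nft())
```

`run_scenario()` with no exceptions gives accept, accept (established), drop, drop, accept: the laptop reaches the lab box and gets its replies back, but the lab box can neither open anything towards the file server nor reach the Internet. Passing `exceptions=[("rhs", "wan", "tcp", 80)]` is the "apart from any exceptions you add" case, opening a single outbound port for patching; the rendered ruleset gains one matching line and keeps its default drop.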

Gareth 29-05-2007 14:34

Re: Network Topography Help Please
 
What switches are you using, and are you up-to-speed with regards configuring them, e.g. having your 2 groups of machines in separate VLANs and configuring them accordingly?

Raistlin 29-05-2007 14:38

Re: Network Topography Help Please
 
Quote:

Originally Posted by Gareth (Post 34316205)
What switches are you using, and are you up-to-speed with regards configuring them, e.g. having your 2 groups of machines in separate VLANs and configuring them accordingly?

They're all 3Com switches, and no I'm not up to speed on configuring them - this is the first time I've tried to put together anything this complicated.

I was hoping to get some idea on what needs to be done and then go away and learn the necessary. I'm starting to get that sinking feeling in the pit of my stomach that tells me that this really isn't going to be as simple as I had hoped it would :(

---------- Post added at 14:38 ---------- Previous post was at 14:36 ----------

Quote:

Originally Posted by Uncle Peter (Post 34316203)
In very simple terms you will be bridging your networks with a PC or server containing at least 2 network interfaces: one each for the left and right hand side of the network as you envisage it with switches and/or hubs hanging off each interface as appropriate. Bear in mind that your design choices will have a direct impact on your DHCP/DNS strategy if implemented.

Wasn't planning on a DHCP/DNS strategy, was hoping to use fixed IPs as that removes a lot of other complications.

I think you're right though, this is going to be way out of my league for a while - trouble is that I really have to do it, I can see some serious learning and head-banging ahead :(

Thanks though. :tu:

ecksmen 29-05-2007 19:08

Re: Network Topography Help Please
 
Can't you just do two vlans?

Uncle Peter 29-05-2007 19:29

Re: Network Topography Help Please
 
Quote:

Originally Posted by ecksmen (Post 34316515)
Can't you just do two vlans?

It's undoubtedly what you would do in practice. In this case, for simplicity's sake, I would say having a physically segmented network gives you a more tangible handle on how to manage access and visualising how everything bolts together. Just my 2p worth.

Raistlin 29-05-2007 20:19

Re: Network Topography Help Please
 
Looks like 2 physically separate networks might be the way to go with this one then.

Thanks guys.
