Designing the Network Topology to Include Web and Mail Services


Before you use ASDM to add a web and mail server to your topology, you need to make the following decisions regarding the architecture:

  • Where to logically place the servers relative to the ASA/PIX Security Appliance

  • What IP addresses to give the servers on the inside network

  • What IP addresses to give the servers on the outside network

  • What services are going to be offered on these servers

Logical Placement of the Servers

Logical placement of the servers in your network is a critical decision. It is important to remember that the servers will be hosting data and will be reachable by anyone with Internet connectivity, legitimate users and hackers alike.

You have four options for placement of your new public web servers:

  • Connected on the inside network, with the rest of your users

  • Connected on the outside network interface of your ASA/PIX Security Appliance

  • At the location of your ISP, which would entail paying them to co-locate and secure the servers

  • On a dedicated isolated interface of your ASA/PIX Security Appliance (often called a demilitarized zone, DMZ)

You have only two options to seriously consider when deciding where to locate Internet-facing servers. To keep them secure, you should either put them on a separate interface of your ASA/PIX Security Appliance or co-locate them at your Internet service provider (ISP).

If you put the server on the inside interface with the rest of your users, you will have created a substantial security risk and will not have fully deployed defense in depth. Remember that these servers have addresses that can be accessed from the Internet, and any Internet-facing address is a target for outside attacks. If a hacker successfully penetrates the server, the hacker will already be on the inside of your network (which presents an excellent opportunity to attack other hosts also located on the inside of your network).

CAUTION

Even though it's recommended that intrusion prevention software be run on your servers, you still don't want to put your public servers on the inside of your network. It is extremely important to remember that defense in depth, or layered security, is the key to deploying a secure network. Why take the chance of putting a device that can be compromised in a location where it can immediately compromise other devices? Such a setup just makes it easier for hackers to get to all of your network assets and data.


Putting the server on the outside of your ASA/PIX Security Appliance is also asking for trouble, because there would be no perimeter protection between the server and the Internet. This scenario would successfully isolate a hacker from the rest of the network if he did happen to compromise the server. However, the server would still be compromised, and the hacker would have access to all data on the server.

If your web server is just an advertising tool and doesn't contain critical data to your business, this might not be such a big deal. However, even in this scenario, the risk does exist that the hacker can cripple the server and make it unavailable to other Internet users.

For an e-mail server, on the other hand, this could be potentially disastrous. Because most companies use e-mail for confidential data, all this information would be available to a hacker to use as desired.

Letting your ISP host your servers is a viable option. However, there are both pros and cons to this scenario. The downsides are as follows:

  • The cost may be high.

  • The servers will not be physically at your location, which limits your troubleshooting capabilities.

  • You will manage the servers remotely, which can sometimes be slow depending on available network bandwidth.

  • You will not have control over the security of the server's perimeter.

  • Managing servers sometimes requires the uploading and downloading of large amounts of data. This can be slow depending on the bandwidth you have to manage the remote servers.

Your ISP might be able to minimize these factors for you. They could provide very high-speed connections for you to manage your data, they could guarantee that someone will be available to do physical troubleshooting, and so on. If you don't have resources to manage your own machines, using an ISP to host and maintain your servers might be the best option.

The last option discussed is the placement of the servers on a separate interface of your ASA/PIX Security Appliance, allowing you to manage your own machines. This allows you to do the following:

  • Eliminate the cost charged by ISPs.

  • Have physical control over your servers.

  • Manage the servers locally.

  • Control the security posture of your network and server environment.

  • Easily move large files to or from your servers during upgrades and maintenance.

  • Control access to your servers using the ASA/PIX Security Appliance.

  • Physically separate your servers and your users by having users on one security appliance interface and servers on another interface. This essentially isolates your servers, ensuring that if a hacker does compromise it, he will still need to get through the security appliance to get to your remaining network assets.

If you have decided that having an ISP is the best way for you to deploy Internet servers, there is no need to read the rest of this chapter. However, because you still need to deploy defenses to ensure the security of your network, you should skip to Chapters 7 through 11 and continue using ASDM, ASA/PIX Security Appliance, and host intrusion prevention to complete the secure lockdown of your network.

Defining Inside and Outside Server Addresses

Now that you have decided that the most secure way to proceed is to place the servers on an isolated interface on the ASA/PIX Security Appliance, you need to decide on an addressing scheme. This should not be too difficult; you can follow the precedent set in Chapter 5 and use private addresses.

NOTE

An isolated security appliance interface is often called a DMZ interface. This will be the terminology used throughout this book.


You need to define the following addresses before you configure the ASA/PIX Security Appliance:

  • A private inside "network" address of the ASA/PIX Security Appliance DMZ interface where you will place the web and mail servers

  • A private inside IP address for the ASA/PIX Security Appliance DMZ interface where you are going to place the servers

  • A private inside IP address for each of the new servers

  • A public address that Internet users can enter when they access the new servers

Defining a Private "Network" Address on the DMZ

First, you need to define a network address for the DMZ interface. You elected to use the private address of 192.168.1.0, with a subnet mask of 255.255.255.0, for the inside addresses. When you define network addresses, it is important to ensure that each interface uses a network address that does not overlap with any other interface's; for example, select another private network address that is not the same as the inside network address.

For example purposes, use 192.168.2.0 with a subnet mask of 255.255.255.0.

Defining a Private Address for the Servers

You need to define an address for both the web server and the mail server. The only restrictions are that the address needs to be part of the network address range that you used for the DMZ and that you cannot reuse an existing address. You used 192.168.2.1 for the ASA/PIX interface; therefore, you can use any address from 192.168.2.3 through 192.168.2.254. Keep it simple and use 192.168.2.3 for the web server and 192.168.2.4 for the mail server. The subnet masks need to be the same as the DMZ interface, so use 255.255.255.0. The gateway for these machines will be the DMZ interface of the ASA/PIX Security Appliance, which again is 192.168.2.1. You complete the address configurations later in this chapter.

Defining a Public Address for the Servers

You do not need to make any decisions about defining public Internet addresses. Public addresses are allocated by your ISP. You must contact them and let them know that you will need two public Internet addresses: one for your web server and one for your mail server. They allocate addresses that are in the same subnet as your outside ASA/PIX Security Appliance address. In this example, the outside address is 199.199.199.199. (Your outside address will be different, because every publicly addressable device on the Internet needs to have a unique address.)

For the configuration outlined in this book, use 199.199.199.203 for the web server address and 199.199.199.204 for the mail server address.
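The three addressing rules stated above (the DMZ network must not overlap the inside network, each server's private address and gateway must fit the DMZ interface, and each public address must sit in the outside interface's subnet) are easy to get wrong when typing them into ASDM. The following script is an added example, not part of the book or of any Cisco tool; it encodes those rules as a check over an addressing plan built from the chapter's example values. The plan layout (a dictionary per server with "private", "gateway" and "public" keys) and the function names are assumptions of this example.

```python
import ipaddress

# Addressing plan from the chapter's example; constructed here as plain data.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")
DMZ_INTERFACE = ipaddress.ip_address("192.168.2.1")
OUTSIDE_INTERFACE = ipaddress.ip_interface("199.199.199.199/24")

# Hypothetical plan layout for this example: one entry per server.
CHAPTER_SERVERS = {
    "web":  {"private": "192.168.2.3", "gateway": "192.168.2.1", "public": "199.199.199.203"},
    "mail": {"private": "192.168.2.4", "gateway": "192.168.2.1", "public": "199.199.199.204"},
}


def check_plan(inside_net, dmz_net, dmz_if, outside_if, servers):
    """Return a list of rule violations; an empty list means the plan is consistent.

    Rules checked, taken from the chapter's text:
      1. the DMZ network must not overlap the inside network;
      2. the DMZ interface address must lie inside the DMZ network;
      3. each private server address must be a usable host address in the DMZ
         network and must not reuse the interface address or another server's;
      4. each server's gateway must be the DMZ interface;
      5. each public address must lie in the outside interface's subnet and
         must not reuse the outside address or another server's public address.
    """
    problems = []
    if inside_net.overlaps(dmz_net):
        problems.append(f"DMZ network {dmz_net} overlaps inside network {inside_net}")
    if dmz_if not in dmz_net:
        problems.append(f"DMZ interface {dmz_if} is not in DMZ network {dmz_net}")

    used_private = {dmz_if}
    used_public = {outside_if.ip}
    for name, srv in servers.items():
        priv = ipaddress.ip_address(srv["private"])
        gw = ipaddress.ip_address(srv["gateway"])
        pub = ipaddress.ip_address(srv["public"])

        # Rule 3: private address must be a usable, unused host in the DMZ.
        if priv not in dmz_net:
            problems.append(f"{name}: private address {priv} is outside DMZ network {dmz_net}")
        elif priv in (dmz_net.network_address, dmz_net.broadcast_address):
            problems.append(f"{name}: {priv} is the network or broadcast address")
        if priv in used_private:
            problems.append(f"{name}: private address {priv} is already in use")
        used_private.add(priv)

        # Rule 4: the gateway is the security appliance's DMZ interface.
        if gw != dmz_if:
            problems.append(f"{name}: gateway {gw} must be the DMZ interface {dmz_if}")

        # Rule 5: public address comes from the outside interface's subnet.
        if pub not in outside_if.network:
            problems.append(f"{name}: public address {pub} is not in {outside_if.network}")
        if pub in used_public:
            problems.append(f"{name}: public address {pub} is already in use")
        used_public.add(pub)
    return problems


def chapter_plan_problems():
    """Validate the chapter's own addressing plan; returns [] when it is consistent."""
    return check_plan(INSIDE_NET, DMZ_NET, DMZ_INTERFACE, OUTSIDE_INTERFACE, CHAPTER_SERVERS)


if __name__ == "__main__":
    for line in chapter_plan_problems() or ["addressing plan is consistent"]:
        print(line)
```

Run against the chapter's values the check reports nothing; swap the web server's private address for one on 192.168.1.0/24, or give a server the interface address 192.168.2.1, and it names the rule that was broken before the mistake reaches the appliance.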

Defining Services

The next items to decide upon are the services you plan to make available on these two servers. For this example, keep it relatively simple. Use HTTP for the web server and SMTP for the mail server. These are the most common services used for these two types of servers.

HTTP, which stands for Hypertext Transfer Protocol, is the Internet standard that allows users to browse a web server and access web pages.

SMTP, which stands for Simple Mail Transport Protocol, is the Internet standard for exchanging mail messages.

New Topology

Your design is now complete. Table 6-2 provides a summary of the addresses you will be entering in ASDM to configure your new network topology.

Table 6-2. Server IP Addressing

Network Device                 Address            Subnet Mask
PIX DMZ network address        192.168.2.0        255.255.255.0
PIX DMZ interface address      192.168.2.1        255.255.255.0
Private web server address     192.168.2.3        255.255.255.0
Private mail server address    192.168.2.4        255.255.255.0
Web server gateway             192.168.2.1        255.255.255.0
Mail server gateway            192.168.2.1        255.255.255.0
Public web server address      199.199.199.203    255.255.255.0
Public mail server address     199.199.199.204    255.255.255.0


Figure 6-2 shows the topology after adding the web and mail servers.

Figure 6-2. New Network Topology




Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar
