Internal/external network architecture how to


(Marcin) #1

Hi, what is the best option to achieve this with nethserver instalations?
Internal nethserver as firewal with AD Domain Controller.
External nethserver with nextcloud and web for external users as a virtual machine (or phisical in the future) placed in orange dmz zone.
The problem is/what to choose
-can’t join internal nethserver (don’t want holes in firewall if not nesesery)
-don’t want to place it inside internal network
-maybe use ldap on external server whithout joining domain
-maybe second AD with only external users
what are Your cons/pros
Thanks for any advice.


(Emiliano Vavassori) #2

I would advice a three machine setup: an internal machine (basically, AD), a firewall (because it should only do firewalling) and an external machine with all the stuff you need on the outside.

I would not consolidate all the services on a single machine, I agree with you, since it will open up your whole infrastructure to a malicious user with a granted privilege escalation.

A viable option can be a virtual infrastructure, which allows you to run all the three machines on a single piece of metal; though you should anyways maintain 3 separate machines (and if you use NS as an hypervisor, well, they become 4).

M2C


(Jeroen Visser) #3

Not sure what your goal is…

I would set the roles you mention up as follows:

server 1: nethserver with ONLY the Samba4 AD role
server 2: nethserver with 3 NIC’s and firewall role
server 3: Nextcloud, joined to Samba AD domain
server 4: Webserver on dmz NIC with reverse proxy for the owncloud server

This way, you can only allow traffic between the webserver and the owncload server, putting it as a layer of security before the owncloud server. The webserver probably doesnt need AD accounts, but even then there is no real threat, as the LDAP connection will be in the background, away from webforms, and read-only anyway. You do not need any open LDAP ports on your WAN side for this.


(Eddie Atherton) #4

Are there any guides or howto’s on how to best setup a server that’s going to sit inside an internal network, behind a firewall (NS or otherwise), as when I very briefly looked at this, there were a number of hurdles I hit. I didn’t go any deeper, as a single NS instance does what I need. (At least today).

Things like the network, as there will probably only be a single NIC, and NS appears to be more geared to multiple NICs. Also, firewalls, as even if you don’t select any of the firewall options from the Software Center, Shorewall is still installed and configured, so you have a firewall blocking access to the server and no way to control it. :grinning:

I’m sure there’s a bunch of other gottcha’s that would be useful to know about when setting up a multi-NS environment.

Cheers.


(Rob Bosch) #5

In my home situation I split the roles over 2 instances of NethServer.

  • one doing Gateway (firewall/proxy/IDS)
  • a second doing ‘the rest’

Maybe a 3rd instance doing only Samba4 AD accountprovider role would be a better option, but since it is a very small environment (only 5 accounts) and just for home use, I didn’t bother to split any further. In a company environment I most probably would have added that 3rd server.

Since I have everything virtualized through ProxMox, all instances are running on the same hardware, which might not be best practice either. In a serious company environment I would go for a 3node setup and using Ceph storage anyways.

There are so many scenario’s thinkable that it is almost impossible to come the THE solution… although defining a few different scenario’s and the possible solutions to those scenario’s would be something that could get a place in our wiki…

Thinking of:

  • home / SoHo use
  • small company with 5 - 15 users
  • medium company with 15 - 50 users
  • medium enterprise with 50 - 200 users
  • large company with 200+ users

Any takers to fill in the blanks?


(Marcin) #6

And how about using OpenLDAP as account management for external services? So no connection to internal AD (I also don’t need AD externaly) but I will still have central user management on dmz. Then I can push any data to dmz servers without unnecessary holes in firewall.
Indeed @robb such HowTo would be great, maybe if I have spare time i will try also write something about this.
Cheers.


(Michael Kicks) #7

@dj_marian at least an idea of the size of this network architecture? How many device clients in lan, how many users?

If hardware (even in Virtual Enviroment) is solid enough as configuration, one NethServer as “one-server-band” is fair enough until 50 user.

Safe and solid sometimes means complicate, but sometimes complication is just overkill. Or a nice feature (update and reboot firewall without stop internal services.


(Marcin) #8

For now under 20 users on lan(AD), and planed 20 users from internet (under 50 in future) maybe LDAP account provider.


(Markus Neuberger) #9

I think it mainly depends on your priority:

If you want security, I recommend a bare-metal accountproviderless firewall. Any additional running service or virtualization is a potential security risk on a firewall. This implies having at least 2 servers: 1 firewall and 1 virtualization host with at least 1 VM.

If you want all in one box you may use the host system as firewall and virtualization to host your internal and external server. A restart of the host will take down all your services including internet. And you’ll have much services on a firewall. Another approach is to virtualize the firewall too.

As already said, if you want flexibility, use more (virtual) servers to split the services.

If you separate the firewall from the internal server most of the problems are gone. If your external/internal users are mostly similar then it would be an ease of management to have just one userbase and let the other server join to it. For flexibility and not having a single point of failure separating the userbases may be a possibility.


(Michael Kicks) #10

With these requirements and projects i think that 1 server/gateway installation should be a nice idea. Even in virtual enviroment.

I partially agree with @mrmarkuz approach (splitted devices for server and firewall), but IMO if you use the same product for firewall and server you have two boxes with the same possible issues.
For instance, if it’s broken or flawed the implementation of Neth-Gui or Shorewall, the firewall will be vulnerable in both installation, and for the server the firewall lays on Green segment… full network access (or something like that, it depends on firewall rules) for the server by the default gateway.
I understand that there will be two different root users with different passwords and anyway the footprint for data leak is reduced, but OTOS using different products reduces far more the footprint (cannot use the same leak for breaking in).

Anyway, as perl says “There’s more than one way to do it”. I hope that a “not bad one” will be choosen :slight_smile:


(Marcin) #11

That’s the point external users are not internal users, so i look at solution with:

  • Nethserver firewall+internal AD
  • vm with external services and LDAP
    the question: is this best option if have in mind that for now there is only one real machine.
    In the future would like to have separate firewal, AD, external server but for now is problematic.

@pike indeed, at the beginning I had few points in mind:

  • one server
  • only internal services
  • not much complicated(didn’t want to put everything inside VM enviroment)
    now i need extra:
  • external users for eg. nextcloud
  • maybe www server in near future

In my case i have only 2 ports opened on 2 services on Nethserver that minimize voulnerability (not counting external services on dmz)
Also on the main machine I need to open some non-standard ports for some connections, here I plan to restrict access on theese ports in one of these ways:

  • on each port access possible only from one specific IP
  • blocking particular port if there where any “knocking” on closed neighbor ports
    Thanks for any discussion that is very valuable. Cheers

(Michael Kicks) #12

But in your project what’s the difference between internal or external users? Not only for where they connect, of course, but as server perspective.


(Markus Neuberger) #13

This is a good option but what about using a Nethserver firewall host with 2 VMs: external and internal server. So you already have the servers you need in future and may use them on your physical machines later and you are able to restart/maintain external or internal server without loosing other functions.


(Marcin) #14

I’m not sure i understand fully the question but:

  • internal user, company employees, access to any data with proper permissions
  • external user, e.g. other company just to download some data or use web

(Marcin) #15

Yes, indeed but the server is already there (in production). So now putting AD into VM would be a bit weird and not as nesesery as it might look like, i think. Also its a dynamic infrastructure so i can’t say what would be needed in next year.
Edit:
The second part of the question without answer, would it be any pros to run another AD in dmz for authentication cloud and www services? Or only LDAP provider which better? Anyone faced such dilema? :wink: Cheers.


(Markus Neuberger) #16

If you need shares with rights use AD, if not use LDAP.

http://docs.nethserver.org/en/v7/accounts.html#choosing-the-right-account-provider


(Michael Kicks) #17

by my perspective there’s no difference between internal and external users. Only different access profile. If you need the SMB share access regulated, you need AD account provider.
Therefore, access profile relies on the platform you want to use for share data.