
Resolved Using 2 NICs (Int/Ext) on web srv

Discussion in 'Windows Server System' started by Stitcher, 2009/06/16.

  1. 2009/06/16
    Stitcher (Well-Known Member, Thread Starter)

    Forum Mod: Am I posting these in the correct area? I am trying to find some answers for a couple of recent issues that are plaguing me as the sole admin at my employer.

    I have multiple web servers in their own domain with 2003Srv R2 Std. I've never seen another network/web server configuration so I have nothing for comparison. Each has 2 NICs, internal & external...internal is configured with all LAN IPs except no gateway IP. The external is configured with the public IP information including the LAN IP for DNS/WINS.

    Important note?: Using a SonicWall Pro 2040 Std OS, this has allowed us to publish several public web sites, access the same sites from the LAN through the internet using the normal "http://" protocol, and also, with a domain trust relationship, we have been able to browse the web servers from our LAN using Windows Explorer, just as you would any other share on the LAN.

    We just purchased an NSA2400 SonicWall Enhanced OS. It has been more than crazy spending a lot of time trying to implement this appliance. I finally installed it & got the LAN part set fine where everything except DMZ was working. I spent 3 1/2 hours on the phone with Tech Support to have them tell me that I can no longer use the internal/external NICs together? When I did, we couldn't hit the public site from our LAN, but we could browse to the server using the LAN. If I disabled the internal NIC, then I could access our public site from the LAN, but couldn't access the server through the LAN. aaarrrrrggghhh.....so confusing!

    It worked with the previous firewall being able to use 2 NICs & access the web servers sitting in the DMZ from the LAN. I am still waiting on a call back from SonicWall & wanted to post here too in the hopes of getting some answers.

    Can anyone tell me if it was a "fluke" that we had been using 2 NICs as described? Please, by all means, chime in with any thoughts or ideas. I may have inherited this whole network, but it's more mine than it was ever anyone's that worked on it before & it's been quite a learning process to make it better.
     
  2. 2009/06/17
    ReggieB (Inactive Alumni)

    In some ways, your set up is reminiscent of the classic way to secure web servers. That was to use two firewalls, an internal and an external one. The web server would sit between the two, with an internal NIC connected to the internal LAN via the internal firewall, and an external NIC connected to the internet through the external firewall.

    The key thing is to make sure that there is no direct connection (one that doesn't go through a firewall) between the web server and the internal LAN. Otherwise, a hacker compromising your web server gets full access to the LAN. So what you should NOT do is connect the internal NIC directly to your LAN. That would "work" but compromise the security of the LAN.

    I'd suggest you try the following:

    Move DNS/WINS settings to the internal NIC

    The other thing I think you will need to do is make sure that the internal NIC on the web servers uses a different subnet to your LAN. The firewall is a router and therefore all IP addresses need to be routable over the firewall.

    So if your LAN is using 192.168.0.0/24 and your web servers' internal addresses also use this subnet (e.g. 192.168.0.1), you'll have problems connecting to them. However, if they use a different subnet (e.g. 192.168.10.0/24), you can set up a static route on the firewall to route all traffic to that subnet to the DMZ. Personally I'd use totally separate subnets. For example 10.0.0.0/16 for the LAN and 192.168.0.0/24 for the web servers.

    BTW, no problem with you posting this in the server forum. The network forum was another alternative, but this one will do.
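As an added illustration of the advice above (example code written for this page, not from the thread, the poster or SonicWall), a small Python check that flags the two problems ReggieB describes in a proposed dual-NIC addressing plan: overlapping LAN and DMZ-internal subnets, and an internal NIC that sits directly on the LAN. The plan format, function names and all addresses are assumptions constructed for the example.

```python
"""Sanity-check a dual-homed web server's addressing plan.

Added example, not from the thread. The plan structure and every
address used in the tests are constructed for illustration.
"""
from ipaddress import ip_interface, ip_network


def check_plan(lan_cidr, dmz_internal_cidr, nics):
    """Return a list of findings (empty list means the plan looks sane).

    lan_cidr:          the internal LAN subnet, e.g. "10.0.0.0/16"
    dmz_internal_cidr: the subnet intended for the servers' internal NICs
    nics:              list of {"name": "internal"|"external",
                                "addr": "<ip>/<prefix>", "gateway": str|None}
    """
    lan = ip_network(lan_cidr)
    dmz = ip_network(dmz_internal_cidr)
    findings = []

    # The firewall is a router between LAN and DMZ, so the two subnets
    # must not overlap or it cannot route between them.
    if lan.overlaps(dmz):
        findings.append("LAN and DMZ-internal subnets overlap; "
                        "the firewall cannot route between them")

    # Only the external NIC should carry the default gateway.
    gateways = [n for n in nics if n.get("gateway")]
    if len(gateways) != 1:
        findings.append(f"expected exactly one default gateway, "
                        f"found {len(gateways)}")

    for nic in nics:
        iface = ip_interface(nic["addr"])
        if nic["name"] != "internal":
            continue
        # An internal NIC addressed inside the LAN subnet means a direct,
        # unfirewalled path from the web server into the LAN.
        if iface.ip in lan:
            findings.append("internal NIC sits directly on the LAN subnet; "
                            "traffic bypasses the firewall")
        if iface.ip not in dmz:
            findings.append("internal NIC is not in the DMZ-internal subnet")
        if nic.get("gateway"):
            findings.append("internal NIC has a default gateway; "
                            "only the external NIC should")
    return findings
```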
     


  4. 2009/06/17
    Stitcher (Well-Known Member, Thread Starter)

    Thank you soooo much for responding! I understand what you are saying & there have been various issues with this system for years. It has taken me a while to figure out some of these things, but I'm getting there.

    There has now been a huge change to my web servers and using the new SonicWall, NSA2400 Enhanced. I spent 5 hrs on the phone with them last night...8pm - 1:30am this morning!

    They set it up to do what I think is 1-1 NAT. The 2 web servers are still each on their own domain & have private IP 192.168.10.0 range now while our LAN has 192.168.0.0. The "internal" NIC has been disabled and the "external" NIC no longer has the public IP addresses assigned, it's only on the firewall now. It handles all the routing from the public IP request to the correct server & then back.

    I have asked them several questions along the way to getting this all accomplished, but the end results haven't been quite the same as their answer. :/ Thank you for your patience concerning my term usage and knowledge while I try to explain. :)

    Regardless of right or wrong, these 2 servers and the LAN were connected years ago within an NT domain in such a way that the web servers had 2 NICs, external (inside DMZ) & internal (connected to LAN) & a domain trust. They served up web sites as well as allowed "normal" access via Windows Explorer, like any typically shared client on the LAN.

    There have been programs built that depend on normal file access from one server to the other, which can't happen with the current setup. SonicWall tells me that if I demote these web servers & change their private IP so they can be joined to our LAN domain, that they can still serve up the sites and be accessed "normally" using Windows Explorer, not FTP or WebDAV.

    Please tell me if this is also a huge security risk/no-no & then I can tell the pres here that we are going to have to deal with it. :( If it can happen and isn't something that would take me buying you airfare to come do it for me, then please share.

    There are times when I just want to beat this stuff up with a nice sledge-hammer.
     
  5. 2009/06/19
    ReggieB (Inactive Alumni)

    If it were me, I'd buy a second firewall, or a router that had some firewall/port blocking facilities. Then get yourself a copy of this book:

    Building Internet Firewalls
    Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman
    ISBN: 1565928717

    It is out of print but as you can see from the link above, you can still get a hold of a copy. It is a splendid book and goes into depth about how to set up firewalls in just the way you need.
     
  6. 2009/06/19
    Stitcher (Well-Known Member, Thread Starter)

    Did a bit of research on the book & purchased a copy, thank you!

    I will have to consider the 2nd firewall option, given my working environment. :( Anyway, in the meantime, SonicWall says there can be a solution that will work securely by demoting the web server & joining it back to the domain with a private IP within our LAN range.

    I just can't take classes fast enough to learn or keep up with some of this stuff! Thank you again!
     
  7. 2009/07/10
    Stitcher (Well-Known Member, Thread Starter)

    I bought that book! I haven't read anything in it yet, but I have it! LOL

    Our new firewall is NSA2400 Enhanced whereas our other was Pro2040 Std. I can tell you that Enhanced OS is very different, but I'm beginning to love it.

    I have demoted the 2 web site domains, deactivated the 2nd NIC, gave them a private IP, then joined them to the domain as regular servers. Within the firewall I no longer have an actual DMZ as I knew it before; it's all handled with NAT now. The firewall has been set to know that when someone requests the public IP and it hits our area, it then routes it where it needs to go, etc. It's the same with VNC...

    While this may be common knowledge to some, it was a very bright light in what was becoming a dim world. :) I hope this helps someone!
     
