Koozali.org: home of the SME Server

SME/M$/WAN

grattman
SME/M$/WAN
« on: November 05, 2008, 04:38:38 PM »
Howdy all,

I have searched the forums and have been unable to locate the answer...perhaps it does not exist.

My Network

FireWall-------------------
                                    |
                                    V
                       Cisco Catalyst 3550 ----------> WAN
                        |                    |
                        V                   V
                     SME               M$ 2K8
                                LAN


I have embarked on a project that is kicking my a$$. We have implemented a WAN across two Telcos that are providing fiber to 5 locations. The fiber is up and running and I have my Cisco Catalyst 3550 working so I can see everyone else. Additionally, the powers that be are using M$ AD and we will be required to as well.

I have set my SME to server-only and placed a different firewall solution in front of it. Currently, the SME is still handling DNS/DHCP. However, I have to place a Corporate DNS server address in for it to go across the fiber vice out the front door. Is there a way to add more than one Corporate DNS server address entry? It will take one, but I have tried to input two using comma/semi-colon to no avail.

I would like for SME to handle the additional DNS requirements as long as possible and avoid using the M$ server for DNS/DHCP.

Looking forward to your replies.

Thanks,
Grattman

gzartman (LEI Engineering & Surveying)
Re: SME/M$/WAN
« Reply #1 on: November 05, 2008, 09:29:30 PM »
> I have set my SME to server-only and placed a different firewall solution in front of it. Currently, the SME is still handling DNS/DHCP. However, I have to place a Corporate DNS server address in for it to go across the fiber vice out the front door. Is there a way to add more than one Corporate DNS server address entry? It will take one, but I have tried to input two using comma/semi-colon to no avail.

You shouldn't need to set a Corporate DNS unless you have a separate DNS server on your LAN.  Maybe your firewall is preventing SME from doing name queries to the internet.  Make sure SME can get out on port 53 (I believe that's the DNS port -- might want to check that). 

If you access the Server console and run the Internet Connection test, does it come back positive?

SME should function just fine as your DNS server in the situation you describe.

Greg
----
Greg J. Zartman
LEI Engineering & Surveying

SME user and community member since 2000.

grattman
Re: SME/M$/WAN
« Reply #2 on: November 05, 2008, 10:34:20 PM »
Greg,

Thanks for the reply. Yes, the SME Server is capable of reaching the Internet. Currently, the SME server is acting as the DNS server, but fails to have the entries necessary to send requests over the WAN vice out to the WWW for redirection.

The M$ server will in fact become the DNS/DHCP server in the near future. Main reason being that the governing body also has M$ AD and we will simply be an OU.

Additionally, this year I tried to have my clients all DHCP, but SME is falling short in the fact that sometimes the server is unavailable. I am not deeming SME as the culprit right away, but last year when everything was static, I did not have this problem. I did recently uncover some switches with errant settings as well. I hope this fixes the unavailability issue I had been having.

So...is there a way to add additional DNS entries into SME?

gzartman (LEI Engineering & Surveying)
Re: SME/M$/WAN
« Reply #3 on: November 05, 2008, 10:59:43 PM »
> Additionally, this year I tried to have my clients all DHCP, but SME is falling short in the fact that sometimes the server is unavailable. I am not deeming SME as the culprit right away, but last year when everything was static, I did not have this problem. I did recently uncover some switches with errant settings as well. I hope this fixes the unavailability issue I had been having.
>
> So...is there a way to add additional DNS entries into SME?

I prefer to have the firewall doing DHCP, but suit yourself. 

Have a look at /etc/resolv.conf and the templates that define it: /etc/e-smith/templates/etc/resolv.conf
You should be able to list multiple DNS entries here like this:

nameserver IP
nameserver IP
nameserver IP

You'll likely need to create a custom template as the current template will allow only one IP.  An easy way to do this would be:

- mkdir -p /etc/e-smith/templates-custom/etc/resolv.conf
  (custom fragments live under templates-custom and must mirror the path of the file they generate; check ls /etc/e-smith/templates/etc/resolv.conf/ for the name of the fragment that currently emits the nameserver line)
- vi /etc/e-smith/templates-custom/etc/resolv.conf/25nameserver
  delete the current contents and add your name servers as I've shown above, one per line
- save the file
- /sbin/e-smith/expand-template /etc/resolv.conf
- svc -t /service/tinydns
- svc -t /service/dnscache
- svc -t /service/dnscache.forwarder
  (svc -t sends TERM to a daemontools-supervised service so it is restarted with the new configuration)

Give that a shot.

Greg
----
Greg J. Zartman
LEI Engineering & Surveying

SME user and community member since 2000.
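The steps above put several nameserver lines into resolv.conf, which is only half of what the original question asks for: queries for the corporate zone should go over the fiber, everything else should still go out the front door. The script below is an added example, not code from this thread or from SME Server; it builds a resolv.conf from a list of servers and a djbdns dnscache per-zone forwarding file (dnscache reads `root/servers/<zone>` and sends lookups under that zone to the addresses listed there). The zone `corp.example`, the `10.x.0.53` addresses and the output paths are constructed for the example; on SME the resolv.conf content belongs in the custom template fragment rather than in the file directly, and the dnscache root is normally under `/service/dnscache/root` (an assumption, check your install).

```shell
#!/bin/sh
# Added example, not code from the thread or from SME Server itself.
# Builds (a) a resolv.conf with several nameservers and (b) a djbdns
# dnscache "servers/<zone>" file so that lookups for the corporate zone
# are forwarded over the private WAN while everything else resolves as
# before. The zone, the addresses and the output paths are assumptions.
set -eu

# Constructed sample data: corporate zone and its DNS servers on the fiber WAN.
CORP_DOMAIN="corp.example"
CORP_DNS="10.10.0.53 10.20.0.53 10.30.0.53 10.40.0.53"

# Accept only a dotted quad whose four octets are each 0-255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Write resolv.conf lines for the given servers. glibc reads at most three
# nameserver lines (MAXNS); further entries are silently ignored, so warn
# instead of pretending a fourth server adds redundancy.
gen_resolv_conf() {
    out=$1; shift
    n=0
    : > "$out"
    for ns in "$@"; do
        if ! is_ipv4 "$ns"; then
            echo "skipping invalid nameserver: $ns" >&2
            continue
        fi
        n=$((n + 1))
        if [ "$n" -gt 3 ]; then
            echo "warning: $ns ignored, resolv.conf honours only the first 3 nameservers" >&2
            continue
        fi
        echo "nameserver $ns" >> "$out"
    done
    # Fail over to the next server quickly instead of the default 5s timeout.
    echo "options timeout:2 attempts:2" >> "$out"
}

# dnscache forwards every query under <zone> to the IPs listed, one per
# line, in <root>/servers/<zone>; other names still go to the root
# servers listed in <root>/servers/@.
gen_dnscache_servers() {
    root=$1; zone=$2; shift 2
    mkdir -p "$root/servers"
    : > "$root/servers/$zone"
    for ns in "$@"; do
        if is_ipv4 "$ns"; then
            echo "$ns" >> "$root/servers/$zone"
        fi
    done
}

count_nameservers() { grep -c '^nameserver ' "$1"; }

# Usage: sh dns-forward.sh demo   (writes into a temp dir and prints the result)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    gen_resolv_conf "$tmp/resolv.conf" $CORP_DNS        # unquoted: split on spaces
    gen_dnscache_servers "$tmp/dnscache-root" "$CORP_DOMAIN" $CORP_DNS
    cat "$tmp/resolv.conf" "$tmp/dnscache-root/servers/$CORP_DOMAIN"
fi
```

The three-nameserver limit is the practical caveat here: a fourth corporate server in resolv.conf buys nothing, whereas the dnscache `servers/<zone>` file accepts the whole list and also keeps internal names from being sent to public resolvers.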

grattman
Re: SME/M$/WAN
« Reply #4 on: November 05, 2008, 11:02:49 PM »
Greg,

Thanks for the direction. I will give that a shot when I am back in the building tomorrow and post back here.

Thanks again,
Brian

electroman00
Re: SME/M$/WAN
« Reply #5 on: November 06, 2008, 04:47:48 AM »
> My Network
>
> FireWall-------------------
>                                     |
>                                     V
>                        Cisco Catalyst 3550 ----------> WAN
>                         |                    |
>                         V                   V
>                      SME               M$ 2K8
>                                 LAN
grattman

Seems I'm at a loss for recognizing the purpose of the firewall in the above.
Or is it possible the drawing is incorrect??

gzartman (LEI Engineering & Surveying)
Re: SME/M$/WAN
« Reply #6 on: November 06, 2008, 04:58:03 AM »
> grattman
>
> Seems I'm at a loss for recognizing the purpose of the firewall in the above.
> Or is it possible the drawing is incorrect??

Your schematic is a bit unconventional.  Your firewall isn't doing you any good if it's in front of your WAN.  Are you sure you don't mean this:

                                  WAN
                                     |
                                  Firewall
                                     |
                                 Switch
                                     |
                                  LAN (including servers)
Greg
----
Greg J. Zartman
LEI Engineering & Surveying

SME user and community member since 2000.

electroman00
Re: SME/M$/WAN
« Reply #7 on: November 06, 2008, 12:21:06 PM »

I would think something like this would be more appropriate as a standard for servers and client systems,
based on basic networking design.

                                              WAN
                                                |
                             LAN  <->  Firewall <->  DMZ
                              |                               |
                          Switch                       Switch
                              |                               |
                     LAN Clients                      Servers

The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world
while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death.

These public servers can also still be accessed from the secure LAN unrestricted.

By default the firewall allows traffic between the WAN and the DMZ server based on port forwarding, while traffic from the DMZ to the LAN is denied,
providing protection to the LAN, and traffic from the LAN to the DMZ is allowed, providing full LAN client access to the DMZ servers.
Internet users can have access to host servers on the DMZ but no access to the LAN, unless special filter rules allowing access were configured.

A server can be deployed on a LAN providing internal LAN access only.

However, if LAN servers require external Internet access then a port forward to the LAN would be required, which
inevitably and unavoidably creates a network vulnerability.

Normally by default a firewall blocks all external port (0-65535) requests.

The default firewall config is to block all external port requests; a port forward to the LAN server exposes the server and all clients on the subnet
through that port forward, thus creating a LAN network vulnerability.

The firewall is then no longer configured to block all external requests.

Almost all firewalls within the last 5 years maintain a DMZ for servers and equipment that may be required to service external port requests.

A simple but very effective means to protect client systems that may contain sensitive and confidential data while providing external access to servers.

While SME can only be configured on a NAT LAN in server-only mode, SME can be configured on a DMZ in both server-only and gateway modes,
providing additional advantages should a network administrator require them by design.

Setting up servers on a DMZ provides network security and better network versatility, and doesn't require the inherent network vulnerabilities that a LAN server unavoidably requires.

A simple and prudent network design: LAN & DMZ, and it's free.

hth
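The zone policy described in the post above (LAN may reach the DMZ and the Internet, the DMZ may never open connections into the LAN, the Internet reaches the DMZ only through explicit port forwards and never reaches the LAN) is easy to state and easy to get subtly wrong in a ruleset. The script below is an added example, not code from this thread or from any firewall product: it emits that policy in iptables-restore format for a Linux firewall with three interfaces. The interface names `eth0`/`eth1`/`eth2`, the DMZ host `192.168.2.10` and the forwarded services are constructed for the example; the firewall's own INPUT/OUTPUT chains are deliberately left alone.

```shell
#!/bin/sh
# Added example, not code from the thread or from any firewall product.
# Emits the three-zone policy (LAN -> DMZ allowed, DMZ -> LAN denied,
# WAN -> DMZ only through explicit port forwards, WAN -> LAN never) in
# iptables-restore format. Interface names, addresses and the forwarded
# services are assumptions; review the output before feeding it to
# iptables-restore on a real firewall.
set -eu

WAN_IF=eth0
LAN_IF=eth1
DMZ_IF=eth2
# Constructed sample: public services on one DMZ host, as proto:port:dmz_ip.
FORWARDS="tcp:80:192.168.2.10 tcp:443:192.168.2.10 tcp:25:192.168.2.10"

# Print the FORWARD-chain rule that admits one forwarded service into the DMZ.
forward_filter_rule() {
    proto=${1%%:*}; rest=${1#*:}; port=${rest%%:*}; dst=${rest#*:}
    echo "-A FORWARD -i $WAN_IF -o $DMZ_IF -p $proto -d $dst --dport $port -m state --state NEW -j ACCEPT"
}

# Print the DNAT rule that rewrites the public port to the DMZ host.
forward_nat_rule() {
    proto=${1%%:*}; rest=${1#*:}; port=${rest%%:*}; dst=${rest#*:}
    echo "-A PREROUTING -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $dst"
}

# Whole ruleset: FORWARD defaults to DROP, so anything not listed below
# (in particular WAN -> LAN and DMZ -> LAN) is refused.
dmz_policy() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# Replies to connections the firewall already allowed, in either direction.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN clients may reach the DMZ servers and the Internet.
-A FORWARD -i $LAN_IF -o $DMZ_IF -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
# A compromised DMZ host gets no new connections into the LAN, only outward.
-A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
-A FORWARD -i $DMZ_IF -o $WAN_IF -j ACCEPT
# Internet -> DMZ only for the forwarded services; nothing from WAN to LAN.
EOF
    for f in $FORWARDS; do forward_filter_rule "$f"; done
    echo "COMMIT"
    echo "*nat"
    for f in $FORWARDS; do forward_nat_rule "$f"; done
    echo "-A POSTROUTING -o $WAN_IF -j MASQUERADE"
    echo "COMMIT"
}

# Usage: sh dmz-policy.sh print > rules.v4 && iptables-restore < rules.v4
if [ "${1:-}" = "print" ]; then
    dmz_policy
fi
```

The property worth checking on any such ruleset is the absence of a rule, not the presence of one: there must be no `-i eth0 -o eth1` (WAN to LAN) entry at all, and the DMZ-to-LAN DROP must sit before any broader DMZ accept, otherwise a single owned web server in the DMZ becomes a pivot into the client subnet.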


grattman
Re: SME/M$/WAN
« Reply #8 on: November 06, 2008, 12:37:45 PM »
Greg & Electro,

Valid points indeed. The WAN is not a direct access to the Internet; it only supplies fiber between buildings. At each building, they maintain their own ISP (Comcast, Granite State Telephone, TDS). Each has a firewall in place at the point of entry for their WWW access. I grant you, this does not protect me from an internal attack, but the powers that be said this is the way it should be done.

So I guess my next question to them, myself and you is: Should I throw a FW in between the WAN and fa0/48 on my Cisco Router to ensure that my LAN is protected from attacks from within the WAN?

electroman00
Re: SME/M$/WAN
« Reply #9 on: November 06, 2008, 11:45:38 PM »
grattman

I think I understand your setup however it seems there is some confusion.

Your reference to "fa0/48 on my Cisco Router" indicates a different piece of equipment in place
other than the Cisco Catalyst 3550, but it seems you are referencing the same equipment.

The Cisco Catalyst 3550 is a layered switch, not a router, and because you have an upstream firewall you
would normally not be able to configure a router/firewall inline without special switch configurations and considerations
with regards to the entire system.

The 3550 appears to be setup on a fiber trunk between buildings and one of the trunked switches is connected to
a firewall with WAN access and one switch is in your building.

The 3550 is a layered vlan switch which provides the ability to have virtual lans on each switch allowing multiple isolated subnets on all trunked switches.
A typical vlan switch may provide 24 or more vlans, allowing multiple subnets to exist through each trunked switch.

With vlan switches that are trunked together, all vlans are available on all switches per vlan physical port configuration assignments.

Here's what I think you have without having the exact specifics of the system setup.


                                              WAN
                                                |
                                            Firewall
                                                |
                                                |
               Switch1 <-----Fiber Trunk-----> Switch2 <------Fiber Trunk------> Switch3 <------Fiber Trunk------> Switch4

Since all switches are trunked, all vlans are available for assignment to any port on any switch.

That vastly complicates things, so specifics of vlans and switch port assignments must be known.

Without the specifics it's impossible to advise you as to what or how to connect anything.

It is very possible to connect equipment to a port and take the entire network down....bam..!!

You need to confer with your systems admin to configure any equipment on the network.

Connecting a server to the trunked switches can devastate the entire system.

I have 4 vlan switches trunked together on a 4-gigabit fiber trunk between system racks in one room.

So when I say BAM I mean BAM from experience, I either accidentally connect a cable to the wrong port or make
a switch config mistake (very easy to do) and BAM the entire system is down.

You have the switches in separate buildings and only the system admin knows what vlans are assigned to each switch's physical ports.

Each port on each switch can be assigned a different vlan (thus subnets).

What I can say is this....

You're looking to have your sys admin create a vlan and assign it to a port/s in your building on your switch.

That vlan should be assigned to the firewalls DMZ.

Under no circumstances should you connect your server onto the LAN segment (lan vlanID-portID)..!!
That would create a LAN vulnerability (exposure) to every client system on that vlan across all trunked switches.

In other words, all clients are exposed (vulnerable to hack) including any accounting client systems or clients with sensitive data
that are on vlanID#1 for example, across all switches, not just your switch.

Think of all those switch ports on trunked switches as being on one big switch.

Simply put....you need to confer with your system admin closely.

I'm fairly confident I'm guessing your system config correctly from what you have provided to this point.

From what you have said and the Cisco Catalyst 3550 indicates fairly well what things appear to be.

Correct me if I'm wrong in my assumptions, without specific information one can only assume with some accuracy..!

Normally you should not have a problem with (SME) DNS unless you have a special requirement or a network misconfiguration.

Question...Is your sys admin an outside consultant or hired within the company?

hth