
Wednesday, 1 October 2014

[Guide] Network layout

The week has started as a quiet one.

A little guidance

When it comes to network design, several architectures are commonly preferred. I would always recommend a two-layer setup: two network components (an external and an internal router) enclose a DMZ for services.

This lets you split the traffic: external service machines normally go in the external network (the DMZ), backend machines in the internal network.

Backend traffic now has to pass through the second network component. Normally this machine does basic (static) routing between the networks and carries some basic firewall rules.

In a further step we might add dedicated security appliances to this layout, such as a DDoS prevention system next to the external router and an application firewall in the external network.

The DDoS protection exists mainly to shield our firewalls. Compare DDoS protection with a firewall (a pfSense hardware firewall, for example): the firewall can handle 8,000,000 packets because it is stateful, meaning every packet that passes through it is tracked in an internal table. A DDoS attack can easily exceed this packet count, so it would exhaust the firewall first. Dropping all DDoS traffic as the first step therefore always leads to a more robust system.
Please keep in mind that the routing components separating the networks already do basic firewalling. They should always deny traffic from outside to the internal network and should police the remaining traffic carefully: for example, no external service machine should be able to reach every internal machine; each external machine should only communicate with its dedicated internal machines.
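As an added example (not code from the original post), here is a small model of the rules the second network component should enforce: outside never reaches the internal network, and each DMZ host only reaches its dedicated backend on its dedicated port. The address ranges and the DMZ-to-backend pairs are constructed sample values; `render_nft()` prints the same policy as nftables forward-chain rules.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample address plan for the two-layer layout (not from the post).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),       # external service machines
    "internal": ipaddress.ip_network("10.10.0.0/16"),  # backend machines
}

# Every external service machine may only talk to its dedicated backend(s):
# (dmz host, internal host, tcp port). Sample pairs, constructed for this example.
DEDICATED: List[Tuple[str, str, int]] = [
    ("192.0.2.10", "10.10.1.5", 5432),  # web front-end -> its database
    ("192.0.2.20", "10.10.1.9", 25),    # mail relay -> internal mail store
]

def zone_of(ip: str) -> str:
    """Classify an address as 'dmz', 'internal' or 'external' (anything else)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def decide(src: str, dst: str, port: int) -> str:
    """Decision for a new TCP connection crossing the second (internal) router."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == "external" and dst_zone == "internal":
        return "deny"  # outside never reaches the backend network directly
    if src_zone == "dmz" and dst_zone == "internal":
        # only the dedicated pairs; any other DMZ host, target or port is dropped
        return "allow" if (src, dst, port) in DEDICATED else "deny"
    if src_zone == "internal":
        return "allow"  # backends may initiate outwards; replies use the state table
    return "deny"      # default deny for anything not listed

def render_nft() -> List[str]:
    """Render the same policy as nftables forward-chain rules (first match wins)."""
    rules = ["ct state established,related accept"]
    rules += [f"ip saddr {s} ip daddr {d} tcp dport {p} accept" for s, d, p in DEDICATED]
    rules.append(f"ip saddr {ZONES['internal']} accept")
    rules.append("drop")
    return rules

if __name__ == "__main__":
    print(decide("192.0.2.10", "10.10.1.5", 5432), decide("192.0.2.10", "10.10.1.9", 25))
    print("\n".join(render_nft()))
```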

The application firewall is purely for service protection.
It lets us filter XSS attacks against HTTP/HTTPS or scan e-mail traffic for malware.