[ale] slightly OT: network structure

sangell at nan.net
Thu Feb 14 07:57:53 EST 2002

IMHO, it sounds to me like you were more on the correct path when you
mentioned the switch and VLAN. If you set up a VLAN off of a single port on
a managed switch you might have to set up an additional Linux (or other)
router, but the VLAN would totally seclude the 2k box from the other
systems. That would leave only the potential bandwidth problems. You could
at the same time set up the router that secludes the 2k box to provide some
form of bandwidth throttling. You might check out:

http://ibiblio.org/gferg/ldp/ADSL-Bandwidth-Management-HOWTO/ (I know it
says ADSL but it provides useful info)

Also, Traffic Shaper may provide what you need. A Google search on Traffic
Shaper produced lots of info.

Hope this helps

(BTW, not all MCSEs are bozos)  ;-)

--
Steve Angell, MCSE, CCNA
MIS Operations Manager
TSYS Debt Management
Norcross, GA
Phone 770-409-5570
Fax 770-416-1752
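To make the "VLAN plus a small Linux router" design above concrete, here is an added example script; it is not code from the thread or from any poster. It creates an 802.1Q subinterface for the VLAN that holds only the Win2000 box, installs an iptables forwarding policy that lets the box reach the Internet and be reached on one published port while logging and dropping anything it sends toward the DMZ or private network, and caps its bandwidth in both directions with tc. The interface names (eth1 trunk, VLAN 100), the addresses, port 80 and the 2 Mbit/s rate are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from any poster on it.
# A Linux router puts the unmanaged Win2000 box on its own 802.1Q VLAN,
# forwards only what that box needs, and caps its bandwidth with tc.
# Interface names, VLAN id, addresses, port and rate are all assumptions.

TRUNK_IF=eth1               # assumed: trunk port to the managed switch
VLAN_ID=100                 # assumed: VLAN carrying only the Win2000 box
VLAN_IF="$TRUNK_IF.$VLAN_ID"
ROUTER_IP=192.0.2.1/29      # constructed: router's address on the VLAN
BOX_IP=192.0.2.2            # constructed: the Win2000 box
BOX_PORT=80                 # assumed: the single service the box exposes
DMZ_NET=198.51.100.0/24     # constructed: the existing DMZ servers
PRIVATE_NET=10.0.0.0/8      # constructed: private network behind NAT
RATE=2mbit                  # assumed cap, applied in each direction

# VLAN subinterface on the trunk. The box's switch port is the only other
# member of this VLAN, so it shares no broadcast domain with the DMZ hosts.
vlan_cmds() {
    cat <<EOF
ip link add link $TRUNK_IF name $VLAN_IF type vlan id $VLAN_ID
ip addr add $ROUTER_IP dev $VLAN_IF
ip link set $VLAN_IF up
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Forwarding policy. Toward the box: replies plus the one published port.
# From the box: nothing into the DMZ or private nets (logged, then dropped);
# everything else, i.e. the Internet, is allowed.
firewall_cmds() {
    cat <<EOF
iptables -N VLAN_FWD
iptables -A FORWARD -i $VLAN_IF -j VLAN_FWD
iptables -A FORWARD -o $VLAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $VLAN_IF -p tcp -d $BOX_IP --dport $BOX_PORT -j ACCEPT
iptables -A FORWARD -o $VLAN_IF -j DROP
iptables -A VLAN_FWD -d $DMZ_NET -j LOG --log-prefix "vlan$VLAN_ID-to-dmz: "
iptables -A VLAN_FWD -d $DMZ_NET -j DROP
iptables -A VLAN_FWD -d $PRIVATE_NET -j LOG --log-prefix "vlan$VLAN_ID-to-priv: "
iptables -A VLAN_FWD -d $PRIVATE_NET -j DROP
iptables -A VLAN_FWD -j ACCEPT
EOF
}

# Bandwidth cap. The tbf qdisc limits what flows down to the box; the
# ingress policer on the same interface limits what the box sends out.
shaping_cmds() {
    cat <<EOF
tc qdisc add dev $VLAN_IF root tbf rate $RATE burst 10kb latency 400ms
tc qdisc add dev $VLAN_IF handle ffff: ingress
tc filter add dev $VLAN_IF parent ffff: protocol ip u32 match ip src $BOX_IP/32 police rate $RATE burst 10k drop flowid :1
EOF
}

# All commands, one per line, in the order they must be applied.
build_rules() { vlan_cmds; firewall_cmds; shaping_cmds; }

# Print each command; run it only when DRY_RUN=0 (requires root).
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd"
        if [ "${DRY_RUN:-1}" != 1 ]; then
            sh -c "$cmd" || { printf 'failed: %s\n' "$cmd" >&2; exit 1; }
        fi
    done
}

case "${1:-}" in
    show)  build_rules ;;
    apply) DRY_RUN=0; apply_rules ;;
esac
```

Run it as `sh isolate.sh show` to review the generated commands and `sh isolate.sh apply` as root to install them. The switch side is not covered: the box's port must be an untagged member of VLAN 100 and the router's port a tagged trunk, which is vendor-specific. The LOG rules are the detection half of the design; any hit with the `vlan100-to-dmz:` prefix in the router's kernel log means the box tried to reach something it should never talk to.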


                                                                                                                   
                    <jenn at colormar                                                                                 
                    ia.com>              To:     ale at ale.org                                                       
                                         cc:                                                                       
                    02/13/2002           Subject:     [ale] slightly OT: network structure                         
                    05:05 PM                                                                                       
                                                                                                                   
                                                                                                                   




I've been asked to put a Win2000 box that I will not manage in my cabinet at
our co-lo facility.  I'm considering putting this box in my DMZ with my
email and DNS servers and I'm wondering if anyone who has managed a
mixed-environment network could help me ensure that, should this machine run
amok, it won't hurt my other boxen?

I have a linux box acting as a gateway between the co-lo network and my DMZ.
The DMZ servers all run iptables firewalls, have unnecessary services turned
off, and are as securely set up as I can make them.  In the DMZ is a
firewall/NAT machine that protects some other servers.  Is this enough to
protect my DMZ machines should the windows box get compromised in some way?

Should I put it on my private network and run NAT for its services?  I've
considered also replacing the initial linux gateway with a cisco or other
brand managed switch, and attempting some sort of vlan, but I'm not
convinced this would make things better...and be a learning curve to boot.

What do you folks do in a situation like this?  The admin for this machine
has already agreed to follow the NSA guidelines for locking down a windows
machine, and anything else I can find for him.  All help is, as always,
appreciated.

TIA
jenn


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.