Networking & Admin

My latest networking project involved upgrading my office LAN so that I could connect to it from home and abroad. Here is a diagram of how things are set up:


The most notable characteristics of the network are probably the VPN, the Exchange server and the iptables-based firewall with a DMZ exposing the Apache server.

 

VPN

The VPN was built using OpenVPN, a brilliant open-source SSL/TLS-based VPN that serves hundreds, if not thousands (hardware permitting), of concurrent clients over a single TCP or UDP port. It is a full VPN solution able to tunnel any IP-based protocol over its virtual network adapters (a tun device for routed IP traffic, or tap for bridged Ethernet frames), and it relies on the OpenSSL library for authenticating the peers and encrypting the tunnel.

The reason for using OpenVPN rather than a proprietary system was simply ease of use. Granted, IPsec and other approaches are gaining more versatile interfaces, but they still don't compare to the cross-platform and cross-router compatibility that an SSL-based setup affords: a single UDP or TCP port passes through NAT and most firewalls without any special handling.

I can literally take my certificate and private key with me on a USB key and connect to my VPN from any computer with an Internet connection, as long as it lets me reach the one port the OpenVPN server listens on. The private key on that USB key should be passphrase-protected, since whoever holds it holds my VPN access.

I highly recommend OpenVPN to anyone looking at SSL-based VPN solutions. Please be sure to visit the project's website: http://openvpn.sourceforge.net/
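To make the "single port, certificate on a USB key" setup concrete, here is a matching pair of OpenVPN configurations. This is an added example, not the configuration from the network described above; the hostname vpn.example.com, the file paths, the 10.8.0.0/24 client pool and the 192.168.1.0/24 office LAN are all assumptions.

```conf
# server.conf - runs on the firewall, listening on the one exposed UDP port
port 1194
proto udp
# routed IP tunnel; "dev tap" would bridge Ethernet frames instead
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
# HMAC-sign every packet with a shared key; unsigned probes at the port are dropped
# before any TLS handshake, so scanners learn nothing about the service
tls-auth /etc/openvpn/ta.key 0
# hypothetical address pool handed to clients
server 10.8.0.0 255.255.255.0
# hypothetical office LAN behind the firewall, routed to every client
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
# drop root after the tun device and keys are set up
user nobody
group nobody
persist-key
persist-tun
verb 3

# client.ovpn - carried on the USB key together with ca.crt, client.crt, client.key, ta.key
client
dev tun
proto udp
# hypothetical public name of the firewall
remote vpn.example.com 1194
nobind
ca ca.crt
cert client.crt
# generate this key with a passphrase; OpenVPN prompts for it when connecting
key client.key
tls-auth ta.key 1
# only accept a peer whose certificate was issued for server use, so that a
# stolen client certificate cannot be used to impersonate the VPN server
remote-cert-tls server
cipher AES-256-CBC
verb 3
```

The two directives worth noting from a security point of view are tls-auth, which keeps the exposed UDP port quiet towards anyone without the shared key, and remote-cert-tls server on the client, which stops a laptop from happily handing its credentials to another client certificate posing as the server.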

 

Exchange 2003

After the success I had using Exchange 2000 for collaboration and messaging in my first network implementation, I decided to go ahead and upgrade to the latest version. This time around I made a few adjustments to the default Exchange setup to make it fit our needs more closely.

The first thing I did was put Exchange behind the firewall. With all the new worms loose on the Internet you really can't be too careful with your mail servers. This of course meant the server could not be reached from the Internet on port 25, so it could not act as our incoming mail server.

The normal solution is to purchase a copy of Microsoft ISA Server and run front-end and back-end Exchange servers, with ISA Server in front of the exposed front end and the back end holding the mailboxes never reachable from the Internet.

My solution was to point the MX record back at the POP3 server that comes with our web hosting, and to run a dedicated Outlook client on the internal network that downloads the mail from everyone's POP mailbox every 10 minutes or so. After downloading any new messages it moves each one into the owner's Exchange inbox using simple Outlook rules.

This solution allows us to:

  1. Use Exchange as our e-mail repository
  2. Avoid having to set up multiple mail accounts in Outlook
  3. Avoid opening up an integral part of our network to attack

For outgoing mail I simply set up Exchange to relay everything through the host's SMTP server as a smart host.

I must say that at first I was very skeptical of the setup and really wondered whether it would work. Now, a few months later, I can't say that I have had any major problems with it. Aside from the occasional server restart the dedicated Outlook client is very stable and consistently downloads everyone's e-mail and puts it in the right place.

So go ahead and shoot me an e-mail; more than likely it will be waiting for me in my Exchange 2003 inbox within a few minutes!

 

Apache DMZ

Rather than give out special access to our internal development servers, we decided to put a sacrificial server on a DMZ: a separate segment on its own interface of the firewall, reachable from the Internet only on the ports we publish and with no access into the internal LAN. This allows our clients to demo and test our projects while confining any successful attack to that one server.

There really isn't anything special to be said about this setup, except that I was extremely impressed with how well my little iptables firewall handles all of these tasks.

Here is the recipe:

Take one Pentium II 300 MHz machine (you could get away with far slower), add a few 10 Mbit/s network cards you have lying around collecting dust (one per segment: Internet, LAN and DMZ), install your favourite Linux flavour and configure iptables. In no time you will have a network appliance capable of handling hundreds of concurrent connections, protecting some subnets and exposing others, and if hardware is tight you can make the same machine your VPN, DNS and DHCP server as well. Just make sure you have enough RAM in that puppy, and keep in mind that every service you add is one more thing listening on the box you most need to trust.
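The rule set below is an added example of the three-legged firewall described in this section (Internet, LAN, DMZ with only the Apache server published, OpenVPN terminating on the firewall itself); it is not the page's own configuration. Interface names, the 192.168.1.0/24 LAN, the 192.168.2.0/24 DMZ, the Apache address 192.168.2.10 and the SSH and OpenVPN ports are assumptions. By default it only prints the iptables commands, so the policy can be reviewed anywhere; run it as root with DRY_RUN=0 to apply it.

```shell
#!/bin/sh
# Three-legged iptables firewall: WAN (Internet), office LAN, and a DMZ that
# exposes only the Apache server on TCP 80. Added example; all names and
# addresses below are assumptions, adjust them to your network.
WAN=eth0
LAN=eth1
DMZ=eth2
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
APACHE=192.168.2.10          # hypothetical DMZ web server
VPN_PORT=1194                # OpenVPN listens on the firewall itself
VPN_IF=tun0                  # OpenVPN's virtual adapter on the firewall

# With DRY_RUN=1 (the default here) each rule is printed instead of applied.
DRY_RUN=${DRY_RUN:-1}
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

firewall_rules() {
    # Start clean; default deny for anything addressed to or routed through the box.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, plus return traffic for connections that were already allowed.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services on the firewall itself: SSH from the LAN only, OpenVPN from anywhere.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -i "$WAN" -p udp --dport "$VPN_PORT" -j ACCEPT

    # LAN hosts and VPN clients may reach the Internet and the DMZ.
    ipt -A FORWARD -i "$LAN" -s "$LAN_NET" -o "$WAN" -j ACCEPT
    ipt -A FORWARD -i "$LAN" -s "$LAN_NET" -o "$DMZ" -j ACCEPT
    ipt -A FORWARD -i "$VPN_IF" -o "$LAN" -j ACCEPT
    ipt -A FORWARD -i "$VPN_IF" -o "$DMZ" -j ACCEPT

    # The one published service: Internet -> Apache in the DMZ, HTTP only.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$APACHE:80"
    ipt -A FORWARD -i "$WAN" -o "$DMZ" -d "$APACHE" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # The sacrificial box may fetch updates, but must never initiate anything into the LAN.
    ipt -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
    ipt -A FORWARD -i "$DMZ" -s "$DMZ_NET" -o "$WAN" -j ACCEPT

    # Hide LAN and DMZ addresses behind the firewall's public address.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Log whatever falls through to the default DROP, rate limited so the log stays usable.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
}

firewall_rules
```

The order matters: the ESTABLISHED,RELATED rules come first so that replies to LAN-initiated connections into the DMZ are allowed, while the explicit DMZ-to-LAN DROP (redundant with the default policy, but visible in the listing) guarantees that a compromised Apache box cannot open connections back into the office network.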

 

What’s Next

I am planning a couple of changes over the next few months, including a VPN upgrade and possibly another testing server on the DMZ running VSFTP so that clients and others can transfer files easily without needing VPN access.

Check back in the next few months for more details!