#1
Hello Guys,
Can you find out any vulnerabilities given the network drawing? Also if you find any pls suggest ways to alleviate the prob.
http://www.geocities.com/pvkkishorereddy/Source/network.JPG
Thanx
#2
I'm just saying/guessing anything here so don't mind me!!! Dunno nothing about security but here's what I'd guess...
If someone on the internet manages to crash (or block) your router with a DoS attack ALL your computers will be deprived from the internet. Including your corporate web server. (Which I'm assuming is very bad.) So a switch between the internet and the router, connect another router to it with only the server on that one.
Code:
                  _ Router 1 - old stuff
Internet -Switch-_ New Router - Corporate web server
This is testing myself... so don't be doing anything yet!
#3
Proper design would not have the web server in the same IP subnet as the corporate network. Actual recommended configuration is router then the web server then a router then the corporate network. Routers would be different brands so if one was compromised the 2nd isn't easy to do. Big corporations are at a three tiered router configuration.
#4
Thanx for the replies guys. Keep em coming
#5
Heh... lucky guess... I wasn't so far off!
#6
I can not believe no one pointed out the most obvious: there is NO FIREWALL in your drawing!!!!! Also you never have your unprotected internet router connecting internal private LANs or WANs!!!!! Almost all (99%) large and small clients I have use only Cisco routers. The thing is you put the core router connecting the WANs/VLANs behind the firewall!!!!!
Look, you got an "F" for security hehe!!!!
internet
|
router
|
Firewall (IDS, Anti spoofing, NAT/PAT) -> DMZ with webserver
|
Virus protection/anti spam/content filtering
|
Router to LAN1 and LAN2 or switch using inter VLAN routing
|
PCs and servers
side note...
Quote:
They still would not have internet as you only have one ISP and one internet router that is being DoS attacked!!! Your design however would allow the two separate LANs to keep talking to each other!!! You get a "C" hehe
Quote:
Very good, you created a DMZ kinda. However you forgot the firewall!!! You get a "C+" hehe (in the future most implementations have a separate firewall that will have 3 interfaces: one is the outside to internet router, the other is the DMZ, and the other is the link to the inside network, all limiting access through ASA or ACLs to reach one another)
I'm thinking wanderer2 will hate me some day but he should know by now I like to be a smart ^&* but mean well.
Last edited by juniperr : August 4th, 2004 at 09:40 PM.
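Added example, not part of any post in the thread: a small Python model of the three-interface firewall described in post #6 (outside, DMZ, inside), showing first-match rules with an implicit deny, and why a web server left on the corporate subnet (the design post #3 warns against) never has its traffic to LAN hosts filtered. The addresses, ports and rule list are constructed assumptions, not taken from the network drawing.

```python
import ipaddress

# Constructed addressing plan (assumption; the thread's drawing is not available).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),   # web server segment
    "inside": ipaddress.ip_network("10.0.0.0/8"),  # LAN1 and LAN2
}

# First-match rules: (source zone, destination zone, port or None for any, action).
RULES = [
    ("outside", "dmz", 80, "permit"),       # public web traffic
    ("outside", "dmz", 443, "permit"),
    ("inside", "dmz", 443, "permit"),       # staff reach the web server
    ("inside", "outside", None, "permit"),  # outbound traffic (NAT/PAT not modelled)
]


def zone_of(ip):
    """Map an address to the firewall interface it sits behind."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"  # not on a local segment, so it arrives from the internet side


def decide(src_ip, dst_ip, dport):
    """Decision for a NEW connection; reply traffic is assumed to be stateful."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "unfiltered"  # same segment: the packet never crosses the firewall
    for r_src, r_dst, r_port, action in RULES:
        if (r_src, r_dst) == (src, dst) and r_port in (None, dport):
            return action
    return "deny"  # implicit deny when no rule matches


def audit(rules):
    """Return rules that let another zone open connections into the inside."""
    return [r for r in rules if r[1] == "inside" and r[3] == "permit"]


if __name__ == "__main__":
    print(decide("203.0.113.7", "192.0.2.10", 443))  # internet -> web server
    print(decide("192.0.2.10", "10.1.2.3", 445))     # web server -> LAN host
    print(decide("10.0.0.80", "10.1.2.3", 445))      # flat design: server on the LAN
    print(audit(RULES))
```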
#7
So I was doing this for a grade!?! Oh &@$%#!!
And here I just thought I was helping someone with the basics in dealing with their homework. Have to leave the teacher a few surprises don't we? Did I forget to mention the 2nd "router" had PIX? :-) Absolutely right about the multiple interfaces. And yes you are a smart b$$ but that makes me feel right at home :-)
Viewing: Dev Shed Forums > System Administration > Networking Help > Find Vulnerabilites in this Network Drawing