Score:-1

How should I design the 'public' network of a project?


I'm thinking about doing some online projects as a Developer/IT Technician, and I have some concerns regarding security.

I'm unable to host my servers locally for my project, and I thought, why not host the servers in datacenters using hosters like Hetzner? My plan is also to host an Active Directory server on one of these servers and join the others to that domain to have better management of all my devices (GPOs, users, groups, etc.).

But when having an AD DC, I would also need a DNS server. All of those servers serve an important role for the other servers, but they are exposed to the public with recursive DNS, DDoS opportunities, etc.

My question here is: How should I handle this in security terms? Is there any way to route them correctly/connect them to each other?

To be honest, I'm an IT-Technician in an apprenticeship, and I've got a lot of years left. So this is why I'm asking this question, to get more experience. I just have a few things not hera

What are you hosting? Do you really need active directory and so on?
Yes, I do need it. I have several servers which are hosting different services such as Nextcloud, Moodle, Check MK, etc. which all require LDAP authentication because multiple users use the services on it. In addition to that, I have multiple Linux and Windows servers which need to be accessible by users (RDP) and managing all of my 10+ Servers is almost impossible...
Score:0

If you want to put domain controllers into a remote datacenter, then you should also create a site-to-site VPN between your office(s) and the remote network in the data center. By no means should you expose domain controllers to the Internet!

That being said, the setup mentioned is pretty much legacy nowadays. The modern way would be to avoid using Active Directory and VPN, and implement device management using cloud-based tools like Azure Active Directory and Intune (or another MDM instead of Intune).

The decision which path to take depends on your budget, current infrastructure and other technical and business requirements.

Using a site-to-site/remote-access VPN sounds like something I need. I'll still have to figure out which service I want to use as my VPN host (OpenVPN, etc.) and also how to connect multiple servers to that VPN, so they all build a network and only those in that network can communicate with each other, to prevent having my AD DC exposed to the WAN.
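A quick way to verify the design the answer describes (DC, DNS and RDP reachable only through the VPN) is to audit what each server actually listens on. The following is an added example, not code from the thread: it parses `ss -Hltun`-style output and flags AD/DNS/RDP ports bound to every interface or to a non-VPN address. The port list, the VPN subnet 10.8.0.0/24 and the sample output are all assumptions constructed for the example.

```python
import ipaddress

# Ports of the services the thread wants kept off the WAN (AD DC, DNS, RDP).
# Assumed list for this check; extend it to match the roles actually deployed.
SENSITIVE_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
    445: "SMB", 464: "Kerberos kpasswd", 636: "LDAPS", 3268: "Global Catalog",
    3389: "RDP",
}

# Assumed VPN subnet; in practice this comes from the site-to-site VPN design.
VPN_NETWORK = ipaddress.ip_network("10.8.0.0/24")

# Constructed `ss -Hltun`-style output (Netid State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT = """
tcp   LISTEN 0      128          0.0.0.0:53         0.0.0.0:*
tcp   LISTEN 0      128         10.8.0.2:389        0.0.0.0:*
tcp   LISTEN 0      128     203.0.113.10:3389       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
udp   UNCONN 0      0               [::]:88            [::]:*
tcp   LISTEN 0      128     203.0.113.10:443        0.0.0.0:*
"""


def parse_listeners(ss_output: str) -> list[tuple[str, str, int]]:
    """Turn each ss line into (protocol, bound address, port)."""
    listeners = []
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")  # handles "[::]:88" and "*:53"
        listeners.append((fields[0], addr.strip("[]"), int(port)))
    return listeners


def exposed_services(listeners, vpn_network=VPN_NETWORK) -> list[tuple[int, str, str, str]]:
    """Return sensitive services a WAN client could reach: (port, service, addr, reason)."""
    findings = []
    for proto, addr, port in listeners:
        service = SENSITIVE_PORTS.get(port)
        if service is None:
            continue  # e.g. 443 for Nextcloud/Moodle is meant to be public
        if addr in ("0.0.0.0", "::", "*"):
            findings.append((port, service, addr, f"{proto} bound to every interface"))
            continue
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip in vpn_network:
            continue  # reachable only locally or through the VPN: fine
        findings.append((port, service, addr, f"{proto} bound to a non-VPN address"))
    return findings
```

Run `exposed_services(parse_listeners(output))` with real `ss -Hltun` output on each server; it reports bindings, so a host or provider firewall that blocks these ports is still worth confirming separately.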