Networking Forums

Network Design Ideas

 
 
Kenneth Keeley
      07-21-2004, 05:02 AM
Hi all,

I am doing some work for a medium-sized printing company. They currently
have around fifty computers connected to switches and a network dial-up
modem; there is also an IIS web server and SQL Server. My mission, should I be
able to come up with the solution, is to reconfigure their network to
maximize security as well as provide the best use of resources.

My idea is to install a firewall router with a DMZ (maybe a Cisco PIX 515).
Connect the outside of this router to the internet via a high-speed
connection.
Connect the inside of this router to their network switches.
Place a new web server into the DMZ.
On the inside network I would install a file server and domain controller.

The web server will receive large amounts of PDF files that will be uploaded
by clients. The clients also submit data to the SQL database to identify
what they have uploaded via the web site.

The staff will need access to an intranet system where they will be able to
see the data supplied by the clients and also the files that have been
uploaded.

What I would like is some ideas on how to setup the network and servers.
Some of the things I would like ideas on are:
What ports to leave open on the outside firewall.
What ports to leave open on the inside firewall.
Where to place each of the servers and what they should be (i.e. member,
standalone or domain controller).
What services each server should run.
Where to place DNS server and how it should be setup.

I am sure there are more things to look into than just those that I have
mentioned, so please supply any ideas that are relevant. I have got about
six months to have the plans in place. Costs at this time are not overly
important, although I do not want to make the job too expensive as this will
only lead to failure.

If anybody wants more information please ask and I will try to provide you
with an answer.

Thanks for any help.
Kenneth Keeley


Phillip Windell
      07-21-2004, 01:49 PM
It all sounds fine, but I wouldn't use a DMZ if the internal users need file
system access to the server that the public is uploading files to. The DMZ
"cuts off" direct access to the DMZ machine from users on both sides of it, so
the users on the private side will have to use similar methods (FTP? HTTP?)
that the public side used to get to the files afterwards.

But I can't stand DMZs and so I am biased against them. I have no problem
with running an "edge firewall" without a DMZ. In the end it is your
choice... it will depend on how much you want to babysit the thing and the
users.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com




netneg
      07-21-2004, 03:02 PM
See below for inserts. With Phillip's comments you could use port redirection
on the firewall, but the web server should be locked down extra tight and
put on a separate VLAN with ACLs.

"Kenneth Keeley" <(E-Mail Removed)> wrote in message
news:uYIQm$(E-Mail Removed)...
> What I would like is some ideas on how to set up the network and servers.
> Some of the things I would like ideas on are:
> What ports to leave open on the outside firewall.

Port 443 for SSL, and have them upload via that.

> What ports to leave open on the inside firewall.

Same as outside; all data would be encrypted.

> Where to place each of the servers and what they should be (i.e. member,
> standalone or domain controller).

Web server in the DMZ, standalone with the hisec security policy +/- services you
require. Internal should be domain.

> What services each server should run.

Only the ones necessary; you'll need to research and test.

> Where to place the DNS server and how it should be set up.

AD-integrated on the internal LAN with forwarding to the ISP's DNS. They should be
able to handle your DMZ DNS entries, so you will not need a public DNS.

Jeff Cochran
      07-21-2004, 08:07 PM
>What I would like is some ideas on how to setup the network and servers.
>Some of the things I would like ideas on are:
> What ports to leave open on the outside firewall.


Only those you need.

> What ports to leave open on the inside firewall.


Only those you need.

> Where to place each of the servers and what they should be (i.e. member,
> standalone or domain controller).


You told us how you're going to place them already. The DMZ server
should be a stand-alone, no domain. The internal servers should be in
a domain.

> What services each server should run.


Only what they need to run.

> Where to place DNS server and how it should be setup.


Internal on your internal server, external DNS in the DMZ. Internal
forwards to external.

>I am sure there are more things to look into than just those that I have
>mentioned.


A lot more.

>So please supply any ideas that are relevant.


I'm not there, so I can't tell you what's relevant. Just like I can't
tell you what ports need to be open.

>I have got about
>six months to have the plans in place. Costs at this time are not overly
>important although I do not want to make the job too expensive as this will
>only lead to failure.


Don't know how more money leads to failure, but ensure you have the
budget to do this right.

>If anybody wants more information please ask and I will try to provide you
>with an answer.


You can't do your entire proposal in a newsgroup. When you're stuck,
ask specific questions. For example, you asked what ports to open and
I told you "only those you need." You will have to figure out what
you need on your own, though if you know what you want to do and need
to know the port (and can't find it on Google), then ask about that
service and port. I can't tell if you need FTP access for your files,
SQL access to the DMZ from inside, or even whether you're doing any
email. So there's no way I can say "you need ports 21, 25, 54, 80,
110, 442, 445 and 1455 open." You may not. Or you may need more.
And some will be from LAN to WAN, LAN to DMZ, DMZ to WAN, etc.

Jeff
Jeff Cochran
      07-21-2004, 08:12 PM
On Wed, 21 Jul 2004 08:49:24 -0500, "Phillip Windell" <@.> wrote:

>It all sounds fine but I wouldn't use a DMZ if the internal users need file
>system access to the server that the public is uploading files to. The DMZ
>"cuts off" direct access to the DMZ machine from users on both sides of it so
>the users on the private side will have to use similar methods (FTP?, HTTP?)
>that the public side used to get to the files afterwards.


That's just plain wrong, and bad advice. DMZs provide access
restrictions from both sides, and those restrictions can be
appropriately set for the access needed.

>But I can't stand DMZs and so I am biased against them. I have no problem
>with running an "edge firewall" without a DMZ. In the end it is your
>choice,...it will depend on how much you want to babysit the thing and the
>users.


DMZs are an appropriate use of security, and provide better security
than an edge firewall can. If you're comfortable without one for your
needs, that's fine, but the OP has correctly determined the need and
appropriately decided on the siting of the servers.

I suspect your bias against a DMZ is the result of confusion and an
inability to configure one for your needs, possibly as a result of
using a broadband router "DMZ" port instead of a true DMZ.

Jeff
Phillip Windell
      07-21-2004, 08:20 PM
"Jeff Cochran" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> DMZs are an appropriate use of security, and provide better security
> than an edge firewall can. If you're comfortable without one for your


I'm not saying they aren't appropriate. I'm saying security can be
accomplished without them and I don't like them.

> I suspect your bias against a DMZ is the result of confusion and an
> inability to configure one for your needs, possibly as a result of
> using a broadband router "DMZ" port instead of a true DMZ.


Get real Jeff. I didn't get where I am from not knowing how to build a DMZ.
We've both been in these groups for years and even met at the last Summit.
So you know better than that....so get off it.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


Kenneth Keeley
      07-21-2004, 11:21 PM
Hi Jeff,

Thanks for your input, I am trying to develop a good solution, but I
understand that no one answer is always correct. I am however looking for
the ideas. I will have to test each idea to see if they will work.

> > What ports to leave open on the outside firewall.

> Only those you need.

To start with I wish to only allow for incoming/outgoing email, internet access
to the web site (HTTP, SSL, file uploading), and outgoing access to internet web
sites.

> > What ports to leave open on the inside firewall.

> Only those you need.

To start with, only incoming/outgoing email, access to the intranet site (HTTP,
SSL, file downloading), and outgoing access to internet web sites.

> > What services each server should run.

> Only what they need to run.

OK. How do I install Windows on the web server with the smallest amount of
services, to only allow for the access that I mentioned above?

> Don't know how more money leads to failure, but ensure you have the
> budget to do this right.

By making the cost of the work clean out of the ballpark.

> When you're stuck, ask specific questions.

I will try to be more specific with my questions.

Kenneth
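As an added example that is not part of the thread: the three-zone rule matrix Jeff alludes to (LAN to WAN, LAN to DMZ, DMZ to WAN) and the flows Kenneth lists in his reply above, written out in Python as a default-deny policy where every opening carries its business reason. The address ranges, a mail relay sitting in the DMZ, and a single DMZ-to-inside pinhole for SQL Server on TCP 1433 are my assumptions, not anything the thread settled.

```python
"""Three-zone firewall policy model (WAN / DMZ / inside).

Added example, not code from the thread. It encodes the flows Kenneth
listed (client HTTPS uploads to the DMZ web server, mail in and out,
staff browsing, staff access to the intranet view of uploaded files)
as an explicit allow-list with a default deny, then checks candidate
flows against it. Address ranges, the mail-relay placement in the DMZ
and the SQL Server pinhole from the DMZ to the inside are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed address plan: TEST-NET-1 for the DMZ, RFC 1918 for the inside.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "inside": ip_network("10.10.0.0/16"),
}


def zone_of(addr: str) -> str:
    """Map an address to a zone; anything not DMZ or inside is WAN."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "wan"


@dataclass(frozen=True)
class Rule:
    src: str    # source zone
    dst: str    # destination zone
    proto: str  # "tcp" or "udp"
    port: int   # destination port; return traffic is handled statefully
    why: str    # the business reason, so every hole is accountable


# Default deny: a flow is allowed only if a Rule matches it.
POLICY = [
    Rule("wan", "dmz", "tcp", 443, "client PDF upload and web site over HTTPS"),
    Rule("wan", "dmz", "tcp", 80, "HTTP only to redirect clients to HTTPS"),
    Rule("wan", "dmz", "tcp", 25, "inbound mail to a DMZ relay (assumed)"),
    Rule("dmz", "wan", "tcp", 25, "relay sends outbound mail"),
    Rule("dmz", "wan", "udp", 53, "DMZ hosts resolve via ISP DNS"),
    Rule("dmz", "inside", "tcp", 1433, "web app to SQL Server inside (assumed)"),
    Rule("inside", "dmz", "tcp", 443, "staff read the intranet view over HTTPS"),
    Rule("inside", "dmz", "tcp", 25, "internal mail hands off to the relay"),
    Rule("inside", "wan", "tcp", 80, "staff web browsing"),
    Rule("inside", "wan", "tcp", 443, "staff web browsing"),
    Rule("inside", "wan", "udp", 53, "AD-integrated DNS forwards to the ISP"),
]


def check_flow(src_ip: str, dst_ip: str, proto: str, port: int) -> Optional[Rule]:
    """Return the matching Rule, or None when the default deny applies."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if (rule.src, rule.dst, rule.proto, rule.port) == (src, dst, proto, port):
            return rule
    return None


def port_matrix(policy=POLICY) -> dict:
    """Collapse the policy into a (src zone, dst zone) -> sorted ports table."""
    table: dict = {}
    for r in policy:
        table.setdefault((r.src, r.dst), set()).add(r.port)
    return {pair: sorted(ports) for pair, ports in table.items()}


def dmz_to_inside_pinholes(policy=POLICY) -> list:
    """Every DMZ -> inside rule is a path from a public-facing host into
    the domain; list them so each one is reviewed on purpose."""
    return [r for r in policy if r.src == "dmz" and r.dst == "inside"]


if __name__ == "__main__":
    for pair, ports in sorted(port_matrix().items()):
        print(f"{pair[0]:>6} -> {pair[1]:<6} {ports}")
    for r in dmz_to_inside_pinholes():
        print("REVIEW DMZ->inside pinhole:", r.port, r.why)
    # Phillip's objection: staff cannot mount the DMZ file system directly.
    print("SMB inside->DMZ:", check_flow("10.10.1.20", "192.0.2.10", "tcp", 445))
```

Running it prints the zone-pair matrix and flags the one DMZ-to-inside pinhole. Phillip's objection shows up as SMB 445 from inside to the DMZ being denied: staff get at the uploaded files through the intranet site over 443 rather than a share, which is the trade Jeff is arguing for. The SQL pinhole is the single rule whose abuse bridges the public-facing host into the domain, so it is the one to weigh hardest; putting SQL on its own DMZ segment, or copying the data inward on a schedule, are the usual ways to close it.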

