Network Topology Planning

Discussion in 'privacy technology' started by armor_me, Mar 15, 2012.

Thread Status:
Not open for further replies.
  1. armor_me

    armor_me Registered Member

    Joined:
    Mar 15, 2012
    Posts:
    2
    Location:
    USA
    INTRODUCTION:
    I'm in the beginning stages of planning a network at my home and want to run my initial plans past the Wilder's community to get your valuable input on the current design plans for my network topology...

    NETWORK REQUIREMENTS:
    1) Running a secure business website with a database and e-commerce. The majority of e-commerce processing (and PCI compliance requirements) will be outsourced to a third party gateway processor. No sensitive customer data will be stored on my servers.
    2) Personal Internet access for me and my family.
    3) I want the business website part to be as secure as possible within the scope of a limited budget. If the business ever takes off, the web and database servers will be moved to a more professional installation / co-location.

    MY ORIGINAL PLANS:
    Originally, I was thinking of employing a DMZ using a three-legged firewall with the business and personal family computers on the same network, behind the firewall and the web server in the DMZ.

    An IT friend I talked to about this did not like this plan because of what he saw as a possibility where a family laptop could get a virus and then the virus would have back access to my business web server in the DMZ.

    MY CURRENT PLANS:
    So, my current plan involves creating two subnets behind a managed network security appliance (maybe a SonicWALL TZ100?).
    -- The first subnet would be for business with the web server in the DMZ and the database server and development servers behind the firewall.
    -- The second subnet would be for personal / family use. This will include family Internet access, and network access for media files, etc.

    MY QUESTIONS:
    1) For a small business website with e-commerce and all sensitive customer data stored off site with a different company, does this proposed network topology sound adequate? If not, can you suggest any affordable improvements?

    2) I have a networked Brother Laser printer that I would like to be able to print to from both the business and the family subnets. What's the best way to set things up so that the printer can be accessed from both subnets without creating an unnecessary security risk? (Or would it be better just to buy a second printer?)

    3) I have one workstation that I would like to be able to access both networks with. What would be the best (cheap, easy, safe, & secure) way to set this up? With two network cards in the workstation? Would this create an unnecessary security risk? Or maybe just by manually switching network cables on the back of the workstation when I want to switch networks?

    Many thanks ahead of time!

    :D
    Last edited: Mar 15, 2012
  2. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Before we get to the security aspects, did you check with your local ISP to determine if they allow for their customers to run servers? Most only allow limited connectivity and if you do not have the proper internet plan your customers will not be able to access the web service.

    I actually don't see anything wrong with your original plan; your 3-legged firewall architecture, while rule-intensive, would be an economic solution for a home office running a cable modem or PPP connection. I understand where your IT friend is coming from; however, you will inherit some risk no matter what setup you choose.

    Your second plan I have some concerns with, though I need a little more information: what exactly are you going to be using for the two subnet networks, hardware-wise?

    Additionally, I advise you to harden your web server since it will be in the DMZ. Disable unused services, patch, and monitor it constantly. (An IDS/IPS would work here too.)

    To answer your main questions:

    1) See above; I need a little more information from you to really answer that question.

    2) Unless the printer supports such a feat (multiple network interfaces), if your goal is to keep both networks mutually exclusive, then yes, a second printer would probably be needed and would be the path of least complexity.

    3) Does this computer need to be connected at all times to both LANs? If yes, then you are correct, it would pose a risk; however, if the purpose is just to switch back and forth between LAN1 and LAN2, you should be fine with jumping between the networks.
    Last edited: Mar 16, 2012
  3. armor_me

    armor_me Registered Member

    Joined:
    Mar 15, 2012
    Posts:
    2
    Location:
    USA
    Hi, EncryptedBytes. Thanks for your help!

    To answer your comments/questions one at a time...

    I have a Comcast Business Cable plan at home with a fixed IP address. I'm already running three small websites without any problems (no e-commerce). The current setup is actually similar to plan number one that I listed above with the web server in the DMZ (no IDS). I'm currently building a more professional server room setup and building new servers and plan to re-work the network setup with an emphasis on security and disaster recovery.

    Thanks. I still like the original plan too.

    I'm not quite sure what hardware I would use to create/manage the two subnets either. For the main firewall/IDS, I was thinking of using the SonicWALL TZ-100. I'm not sure if the TZ-100 can also handle setting up multiple subnets. I like the TZ-100 because of its price point, its features, and because it's highly recommended. If I had to spend a lot more additional money to set up two subnets, then it might not be worth it to me.

    Agreed. Thanks.

    Perfect. Thanks.

    For #2, I agree that a second printer would probably be best. (I didn't even think of that idea until I was writing up the original post).

    For #3... thanks. With the two different networks way of doing things, business and home, it sounds like the best option would be just to keep everything separate. If I went that route, I could just have two separate workstations in my home office: one for my personal network and one for my business network.

    Thanks again for all your help. Now I need to do some more research on the TZ-100 to find out if it can create the separate subnets and do a decent job of managing it.

    In the end, I think simplicity might end up being the best route. Keep with the original 3-legged DMZ plan, but use rules so only certain computers inside the private network can access the web server in the DMZ.
  4. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    I don't think you can accomplish what you want with what you have listed at the moment in terms of subnetting. I can't speak for your Sonic device; you may be able to configure it as a gateway, however I have not used the device personally. This was my initial concern, as simply adding another subnet correctly would require additional hardware overhead. If you do not have a L3 routing device capable of such a feat alone, you will either need to purchase a switch that supports VLANs, so you can have two logical networks via the one physical switch, or you need to have two separate switches altogether. The two separate switches would then be connected to the firewall on separate NICs, but the firewall doesn't route between the two subnets, only between the subnets and the Internet. I'd probably go the VLAN route.

    For a SOHO this seems very complex, though if you want this kind of subnet topology for your servers, this gives a high-level overview.
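The policy the thread converges on (armor_me's "rules so only certain computers inside the private network can access the web server in the DMZ", and EncryptedBytes' suggestion of two VLANs on one switch) can be written down and checked before any hardware is bought. The following is an added example, not code from this thread or from any of the posters: a small Python model of the zone policy for a three-legged firewall with a DMZ leg and a trunk carrying a business VLAN and a family VLAN, plus a renderer that emits the same policy as an nftables forward chain. The subnets, interface names, the web server address and the single admin workstation are constructed assumptions, and nftables on a Linux firewall host is assumed in place of the SonicWALL appliance discussed.

```python
"""Zone policy model for a three-legged firewall with a DMZ, where the business
and family networks are two VLANs on one trunk. Constructed example; addresses,
interface names and hosts are assumptions, not values from the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed subnets, one per firewall leg. Business and family share one
# physical firewall port via 802.1Q VLANs 10 and 20 (eth2.10 / eth2.20).
ZONES = {
    "dmz":  ip_network("192.0.2.0/24"),    # public-facing web server only
    "biz":  ip_network("10.10.0.0/24"),    # business workstations, db and dev servers
    "home": ip_network("10.20.0.0/24"),    # family devices
}
IFACES = {"wan": "eth0", "dmz": "eth1", "biz": "eth2.10", "home": "eth2.20"}

WEB_SERVER = ip_address("192.0.2.10")
ADMIN_HOST = ip_address("10.10.0.5")      # the one workstation allowed to manage the web server


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    action: str                              # "accept" or "drop"
    comment: str
    dports: frozenset = frozenset()          # empty means any TCP port
    src_hosts: frozenset = frozenset()       # empty means any host in src_zone
    dst_hosts: frozenset = frozenset()       # empty means any host in dst_zone


# First match wins; anything not matched is dropped. Note what is deliberately
# absent: no rule lets dmz reach biz or home, and none lets home reach biz.
POLICY = [
    Rule("wan", "dmz", "accept", "public web traffic", frozenset({80, 443}),
         dst_hosts=frozenset({WEB_SERVER})),
    Rule("biz", "dmz", "accept", "ssh admin from one workstation only", frozenset({22}),
         frozenset({ADMIN_HOST}), frozenset({WEB_SERVER})),
    Rule("biz", "wan", "accept", "business internet access"),
    Rule("home", "wan", "accept", "family internet access"),
]


def zone_of(addr: IPv4Address) -> str:
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"  # anything outside the three internal legs is the Internet


def evaluate(src: str, dst: str, dport: int, state: str = "new") -> str:
    """Decide a packet's fate. Replies to already-accepted connections are
    passed by connection tracking (state='established'); only new connections
    are matched against POLICY."""
    if state == "established":
        return "accept"
    s, d = ip_address(src), ip_address(dst)
    sz, dz = zone_of(s), zone_of(d)
    for r in POLICY:
        if (r.src_zone, r.dst_zone) != (sz, dz):
            continue
        if r.dports and dport not in r.dports:
            continue
        if r.src_hosts and s not in r.src_hosts:
            continue
        if r.dst_hosts and d not in r.dst_hosts:
            continue
        return r.action
    return "drop"


def render_nft() -> str:
    """Emit the same policy as an nftables forward chain (Linux firewall host,
    assumed here instead of the SonicWALL appliance)."""
    lines = [
        "table inet fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in POLICY:
        parts = [f"iifname {IFACES[r.src_zone]}", f"oifname {IFACES[r.dst_zone]}"]
        if r.src_hosts:
            parts.append("ip saddr { " + ", ".join(str(h) for h in sorted(r.src_hosts)) + " }")
        if r.dst_hosts:
            parts.append("ip daddr { " + ", ".join(str(h) for h in sorted(r.dst_hosts)) + " }")
        if r.dports:
            parts.append("tcp dport { " + ", ".join(str(p) for p in sorted(r.dports)) + " }")
        parts.append(f'{r.action} comment "{r.comment}"')
        lines.append("    " + " ".join(parts))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft())
    # The IT friend's scenario: a compromised DMZ host trying to reach the LAN.
    print(evaluate("192.0.2.10", "10.10.0.5", 445))  # drop
```

Running the file prints the ruleset for review; on a Linux firewall it would be loaded with `nft -f`. The `ct state established,related accept` line is what lets the web server's replies flow back to the admin workstation and to Internet clients without any rule from the DMZ toward the LAN, so a compromised web server still cannot open a connection inward. Putting business and family on VLAN subinterfaces of one trunk port is the single-switch option EncryptedBytes describes; with two physical switches the interface names change and the policy does not.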