Solved

Network Design Help

Posted on 2004-10-04
13
381 Views
Last Modified: 2010-04-10
I need some help with our network design.  We are a small company with 1 office and < 30 employees.  We have 5 sales guys in 2 states and we are getting ready to install a FIREWALL/VPN appliance to allow them access to our network.  I have some questions however about network design in general.  

Here is a diagram of how we would like to set our network up.

www.tsppumps.com/network.pdf

Ok listed here in RED are my main questions.

We will have two boxes on the inside of the firewall which will act as our "application" and "file" servers.
--------------------------------------------------------------------------------------------------------------------------
192.168.1.1
will run our PDC, DHCP, Active Directory, and all of our accounting files, sales files, and applications.
--------------------------------------------------------------------------------------------------------------------------
192.168.1.2
will be our file server for storage, run our nightly Veritas backups, and run our Virus Scan Mgt. application.
--------------------------------------------------------------------------------------------------------------------------
192.168.1.3
will be our wireless device

What do I need to assign our wireless IP Addresses as???  Assign them a segment of the 192.168.1.x or should they be 192.168.x.x???

If 192.168.x.x then how do I make them communicate with the 192.168.1.x segment of our network?
--------------------------------------------------------------------------------------------------------------------------
VPN Clients should have what IP address???  Again (from above) should they be a segment of the 192.168.1.x addresses or should they also be 192.168.x.x???
--------------------------------------------------------------------------------------------------------------------------
We would like to run an Exchange Server also.  Currently our web/email is being hosted 3rd party.  Would like to leave the web hosted 3rd party but run Exchange in house.  Can I do this?  Do I have to setup a DNS server or can the 3rd party just point email to my Exchange server?  We would rather not have our webserver in house (eliminating the DMZ Question on the PDF).
--------------------------------------------------------------------------------------------------------------------------
Finally, which appliance would be best to do all this?  I have looked at the Cisco Pix 506e and the Watchguard X500.  Any other suggestions or advice?
--------------------------------------------------------------------------------------------------------------------------

Thanks for all your help and please let me know if I can be more specific about anything.

r2
Question by:r270ba
13 Comments
 
LVL 10

Expert Comment

by:ngravatt
ID: 12218110
i would put the wireless devices on a separate VLAN.  Then you can setup firewall or router ACL rules to ensure security.  so go with the 192.168.2.x option.
depending on what switching/router devices you are using.  I would suggest cisco.  Then your computers on separate VLANs will be able to communicate with each other.

for the VPN clients.  I would also give them IP addresses from a separate VLAN.  192.168.3.x

About Exchange.  yes run it in house and then have your 3rd party email host act as a relay, or not.  Web services and mail services are two completely different things.  You will need a public IP address and MX record for your exchange server though.

Cisco PIx
0
 

Author Comment

by:r270ba
ID: 12218186
Yea I know that the web and mail are different but I have my DNS pointing to my 3rd party servers, which I do not have control over...so I wasn't sure if they would relay my mail.....Could you explain a little more about VLANS???  

Our border router is provided by our ISP who provides our T1.  I do not have direct control over it but they will do whatever I ask them to to the router.  We have 5 public IP addresses allocated to us (none are in use now).  The only other networking appliance would be the firewall.  We have 2 switches: 1 Dell 16 port Gigabit switch and then a generic 10/100 24 port switch.

Also we will not use the DMZ if I can run the Exchange in house and use my 3rd party host as a relay.  
0
 

Author Comment

by:r270ba
ID: 12218198
Oh yea and thanks for the extremely prompt response!!!!  I submitted the question...ran to class...opened up my laptop and checked to make sure my linky I posted worked and bam...you had already responded!!!!  Thanks!!!

r2
0
 
LVL 3

Assisted Solution

by:jacauc
jacauc earned 250 total points
ID: 12218267
Wow... quite a big question here...

Ok let me see...


>> What do I need to assign our wireless IP Addresses as???  Assign them a segment of the 192.168.1.x or should they be 192.168.x.x???
--For this, i don't see why they can not also be on the 192.168.1.0 network... maybe in the 192.168.1.50 to 192.169.1.100 range or something

>>If 192.168.x.x then how to I make them communicate with the 192.168.1.x segment of our network?
-- (see above) but well, to answer this question anyways: this can be done very easily by a router or multihomed PC with a static route.  Is the wireless gateway device not a router anyways?


>>VPN Clients should have what IP address???  Again (from above) should they be a segment of the 192.168.1.x addresses or should they also be 192.168.x.x???
--Same thing here... i'd suggest putting them on 192.168.1.0 network too... maybe 192.168.1.101 to 192.168.1.150 range


>>We would like to run an Exchange Server also.  Currently our web/email is being hosted 3rd party.  Would like to leave the web hosted 3rd party but run Exchange in house.  Can I do this?  Do I have to setup a DNS server or can the 3rd party just point email to my Exchange server?  We would rather not have our webserver in house (eliminating the DMZ Question on the PDF).
--Yes, you can run the exchange in house to host mail for your domain... You will likely need to have a DNS server to do this though.. (for outgoing mail i'd guess it must be necessary) ...Your Domain's MX record would have to be changed to point to the Public IP of your gateway, and in turn, your gateway should then port-forward all port25 connections to 192.168.1.10 (or whatever the private ip is for your exchange server)


>>Finally, which appliance would be best to do all this?  I have looked at the Cisco Pix 506e and the Watchguard X500.  Any other suggestions or advice?
--a Cisco PIX should be able to do a good job yes! Pretty expensive though isn't it?


I hope this has some value for you!
Cheers and good luck!
;)
J
0
 
LVL 10

Expert Comment

by:ngravatt
ID: 12218358
sure, yeah, i like EE, you get quick answers from a lot of people.

VLANS (virtual LANS- VLANs allow network administrators to resegment their networks without physically rearranging the devices or network connections.)

so 192.168.1.x and 192.168.2.x are two separate VLANS.  You will need to check with Dell or the manual to see if you can set up VLANS on that switch.  I would imagine since it is a gigabit switch, that you will be able to do this.  But I doubt you can do this on the generic switch.  VLANS are a good idea to provide security and help manage your users.  When you're looking at IP addresses, you will be able to tell if it is a wireless user, vpn user, or regular user.  But this is not necessary.

You could just setup your Wireless device to assign a certain range of IP addresses (192.168.1.21 - 192.168.1.50) to the wireless users and another range for the VPN users.  You will need to look at subnet masking to find out what subnet masks to use for each range. (Do a google search for subnet mask)

Use one of your public IP addresses for the exchange server.  Another public IP address could be used for the firewall.

'Also we will not use the DMZ if I can run the Exchange in house and use my 3rd party host as a relay.  '
good idea, this will provide additional security

Let me know if you have any other questions.
0
 

Author Comment

by:r270ba
ID: 12218421
So the firewall appliance needs a public IP also?  The border router has a public IP already assigned.  And the exchange server will be inside the router but it needs a public IP also?

I will google VLANS and I have found a site for subnet masking.....

With less than 30 users being either VPN'ed in, wireless, or lan would it make sense to just segment the ip ranges instead of using vlans???
0
 
LVL 3

Expert Comment

by:jacauc
ID: 12218607
Some more thoughts/comments/explanations from me :)

1) VLANS are used to split up a single Network Switch's ports into several subnets
i.e. You can have 2 different subnets on the same switch plugged in right next to each other.

note that VLANS are only available on Managed Switches... Like Cisco's

2) Well, I'm pondering whether the Firewall would be necessary at all, depends on the quality of your border router. It might support some firewalling/Nat/Port FW'ing options anyways.

3) I don't think the Firewall would necessarily need a public ip though, but then your Router would have to be open on all ports required.

Good luck!
J
0
 

Author Comment

by:r270ba
ID: 12218700
The reason I need the firewall is for the VPN.  We do not wish to purchase a VPN Concentrator from Cisco...would rather have a firewall/vpn appliance

r2
0
 
LVL 10

Accepted Solution

by:
ngravatt earned 250 total points
ID: 12219315
sorry, i forgot you said the exchange server was NOT in the DMZ. so no, it will not need a public IP.

I guess you will not need a public IP for the firewall either if it sits behind the border router.

yes, segment one VLAN since you have a small number of users.  This seems like the best solution for your small network.  as long as you have fewer than 255 devices.

Firewall/VPN, if you plan on staying small, buy a device that combines both.  There is a list of adv/disadvantages to this.
1.  You only have to manage one device, which is easier.
2. If that device fails, you lose both services, firewall and VPN.

weigh your options and cost.  You will have to live with it.

The concentrator from Cisco is expensive, but it does have a lot of features.  This is usually only useful for large networks or a large number of users.
0
 

Author Comment

by:r270ba
ID: 12219510
Ok I have updated my pdf:

www.tsppumps.com/network.pdf

I decided to segment the 192.168.1.x range...

LAN
192.168.1.100-150

WLAN
192.168.1.151-200

VPN
192.168.1.201-255

We will not have more than 255 connected devices...and if we ever do then it will be time for a major network infrastructure reorg...

I will continue to shop for our hardware appliances that we will use...Thanks for your help.  I am going to split the points evenly with a Grade of A for the both of you.  Thanks for all your help.

Please comment on the pdf from the above link.

Thanks again,

r2
0
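An added sanity check for the address plan posted above (my own example, not code from the thread). It takes the three DHCP pools and the .1/.2/.3 hosts from the question, confirms every address sits inside 192.168.1.0/24, and flags overlaps and the two addresses a /24 cannot hand out, the network address .0 and the broadcast address .255 (which the VPN pool as written includes).

```python
import ipaddress

# Constructed from the plan in the thread: one /24, three pools, three fixed hosts.
SITE_NET = ipaddress.ip_network("192.168.1.0/24")
INFRA = {
    "192.168.1.1": "PDC/DHCP/AD server",
    "192.168.1.2": "file/backup server",
    "192.168.1.3": "wireless device",
}
POOLS = {
    "LAN":  ("192.168.1.100", "192.168.1.150"),
    "WLAN": ("192.168.1.151", "192.168.1.200"),
    "VPN":  ("192.168.1.201", "192.168.1.255"),
}


def pool_sizes(pools):
    """Number of addresses each pool spans (inclusive of both ends)."""
    return {
        name: int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
        for name, (first, last) in pools.items()
    }


def check_plan(net, infra, pools):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    used = {}  # address -> owner, so overlapping pools or clashes with servers are caught
    for addr, role in infra.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{role} {ip} is outside {net}")
        used[ip] = role
    for name, (first, last) in pools.items():
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi:
            problems.append(f"{name}: start {lo} comes after end {hi}")
            continue
        for n in range(int(lo), int(hi) + 1):
            ip = ipaddress.ip_address(n)
            if ip not in net:
                problems.append(f"{name}: {ip} is outside {net}")
            elif ip in (net.network_address, net.broadcast_address):
                problems.append(f"{name}: {ip} is the network/broadcast address and cannot be assigned")
            if ip in used:
                problems.append(f"{name}: {ip} already used by {used[ip]}")
            used[ip] = name
    return problems


if __name__ == "__main__":
    print(pool_sizes(POOLS))
    for problem in check_plan(SITE_NET, INFRA, POOLS):
        print("PROBLEM:", problem)
```

Ending the VPN pool at .254 instead of .255 makes the check come back clean.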
 
LVL 16

Expert Comment

by:samccarthy
ID: 12219621
I believe in the KISS method....  Keep It Simple S.....  Sooooo here's my suggestions.  You look like you have a good start.

I would do the following.....  Your network is small and uncomplicated.  Keep it that way.  VLANs are overkill in my opinion as would be a separate concentrator or overly complicated IP Scheme.  In a crisis, you will want the fastest way to troubleshoot this and having it simple, yet secure will really pay off in the long run.

I always set my gateway to the .1 address.  I put my printers and networking equipment from .10 - .49.  I start my servers at .50 - .69 and then have DHCP hand out addresses from .70 - 254.  If you have 2 DHCP servers, you can split the range so that you have some redundancy in case of failure.  

If you only have 2 servers, I would find an old workstation and make a second Domain Controller.  It will not only take some of the load off the first one which has a lot going on, but will also provide some fault tolerance in the event of the failure of the first DC.

Put your wireless IP Addresses as a different segment, say 192.168.2.x.  Assigning them statically is a little more secure, but DHCP should be fine.

The Wireless Router takes care of the communications between segments.  That's basically what a router is designed for.

For myself, I just allow VPN clients to pull from the same DHCP pool that the internal clients use.  They will all need to be on the same segment when VPNed in to be able to access all the resources and talk to the servers.

I run Exchange in house, behind my firewall.  I just forward port 25 for SMTP and 80 for OWA.  I feel better that it has a little more protection than sticking it out in a DMZ.  Internally your DNS will find the Exchange Server.  Externally, I just use my registrar, in this case Register.com, and have the MX record pointing to the public address on my firewall.  When the mail request comes in it hits the firewall and that redirects it to the private IP behind the firewall.  If you want to keep the old email running, just point it to the public IP of the firewall.

Appliances.....

Well, I successfully use the Symantec Line for a few networks I've setup.  The Symantec 200 VPN/Firewall Appliance works just great and will be fine with your users.  It is simple to setup, easy to use and works great.  The 200 will run you about $625, but if you go with the 200R it will give you unlimited client VPN connections all for about $830.  Later if you bring up another office or even a home user using any in that line, they will all do Secure gateway to gateway VPN's.
0
 

Author Comment

by:r270ba
ID: 12220079
Thanks for your response...unfortunately I have already assigned the points...So you are saying though that I should have my firewall/vpn appliance set as 192.168.1.1???

Thanks
0
 
LVL 16

Expert Comment

by:samccarthy
ID: 12222856
Networking best practices puts the router address at the first address after the network address.  So, if the Network address is .0, typically the Gateway (Router) goes at .1.

I would check out your options before implementing the solution you awarded the points to.  I've been doing this for 27 years and utilizing VLANs, etc for such a small network not only complicates your design and administration, but also forces you to use more expensive equipment.  Same with the Cisco.  It's great equipment, but do you have the expertise to set it up with ACLs etc., to make it secure and make it work seamlessly.

Lastly, a router is used to connect different networks, whether they are both ethernet, wireless, token ring, etc.  If you want real problems, put the same address range on both sides of a router.  You would either need to use separate subnets on each side or have a device that basically does nothing but be a bridge from the cabled side to the wireless side.  Also, if you are using a border router, you need to IP both sides of it too.   Remember KISS!
0
