darovitz

Best network configuration

I would like to get the advice of the experts regarding how I should set up my network.

We have 500 desktops running XP.  15 servers running Server 2003, one Exchange server running Exchange 2003 and FTP, one applications server, one data server, one cell phone server.  1 Barracuda firewall. 25 switches connecting to a core switch.  One PIX firewall and then a 10Mbps optiman circuit for our internet connection.  No routers.

We also have a wireless network with approximately 15 wireless switches and 100 wireless access points.

We also have two other locations connecting to the main location using a point-to-point link.  They share services from the main location.

I would like to create a secure network that is reliable.
Jay_Jay70

You haven't mentioned DCs in there.

                Pix - - - - - - - - - - - - - - - Pix (Point to Point)
                 |
           Barracuda (spam)
                 |
                 |
              Switch
     |           |            |
Server/DC    Server/DC    Exchange


You can see where all the other servers would sit; there isn't much to the setup. PIX is the first point of security, Barracuda handles Exchange spam for all sites (assuming only one Exchange box serves the sites). PIX controls secure VPN tunnels and everything else sits behind the PIX firewall.
jar3817

The only thing I suggest is to get a router or do VLANs in a layer 3 switching environment and move all your servers into their own subnet/VLAN. That'll give you a means of controlling the traffic hitting the servers.
Or, depending on the Barracuda model, you could DMZ it (I think - not sure on the Barracuda).
Keith Alabaster
Please determine 'Secure'. Are you just viewing this from the point of perimeter security, i.e. the points where the trusted networks interface with the untrusted networks such as the Internet?
Are you also looking at internal security, i.e. protecting against people plugging in devices internally when they shouldn't, etc.?

What are the parameters to your question?

Thanks
Keith
darovitz (ASKER)

2 DCs and an SAP server. No one caught the FTP problem???
I see no FTP problem :) we just configure it, but Keith is the expert here, listen to what he has to say
ASKER CERTIFIED SOLUTION
Keith Alabaster
This solution is only available to members.
Ok.. Good questions.

I would like a fully secured perimeter AND full security of the network.  Routers in both remote locations are maintained by the WAN provider.

Wireless is not locked down to MAC addresses.

The remote office access the internet through the main location via the point to point.

There is no IT security policy (or I would follow it :)).  I would be creating a security policy by implementing some actual security on this network.  With that I would like to enforce a most often applied approach.

Yes, the FTP issue is that FTP is on the Exchange server using the 2nd NIC IP address with external IP translated to IP via PIX.

My thinking:  Upgrade PIX to ASA firewall, actually two of them for redundancy.  Then put a router in (instead of routing via the PIX)... then set up some DMZs to segregate segments.... then VLANs.  Also set up an IP scheme such as wireless is on 10.x.x.x... corporate is on 172.x.x.x, remote locations are on 192.168.2.x.

Thanks :)
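
An added example, not part of the original thread: a small Python model of the segmentation discussed above (per-zone subnets, default deny between zones, internet-published services kept in a DMZ). The exact prefixes, the "servers" and "dmz" zones, the allowed ports and the host addresses are constructed assumptions; only the 10.x / 172.x / 192.168.2.x split comes from the thread.

```python
import ipaddress

# Constructed addressing plan; prefixes and zone names are assumptions.
ZONES = {
    "wireless":  ipaddress.ip_network("10.0.0.0/16"),
    "corporate": ipaddress.ip_network("172.16.0.0/20"),
    "servers":   ipaddress.ip_network("172.16.16.0/24"),
    "dmz":       ipaddress.ip_network("172.16.32.0/24"),
    "remote":    ipaddress.ip_network("192.168.2.0/24"),
}

# Default deny between zones: only listed (src zone, dst zone, TCP port) pass.
# Constructed sample rules, not a recommended rule set.
ALLOW = {
    ("corporate", "servers", 445), ("corporate", "servers", 443),
    ("remote", "servers", 443),
    ("wireless", "dmz", 443),
    ("outside", "dmz", 21),
}

def overlaps(zones):
    """Return pairs of zone names whose prefixes overlap (a plan error)."""
    names = sorted(zones)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if zones[a].overlaps(zones[b])]

def zone_of(addr):
    """Map an address to its zone; anything not in the plan is 'outside'."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in ZONES.items() if ip in net), "outside")

def permitted(src, dst, port):
    """Same-zone traffic never crosses the router; cross-zone needs a rule."""
    s, d = zone_of(src), zone_of(dst)
    return s == d or (s, d, port) in ALLOW

def exposed_outside_dmz(published):
    """Flag internet-published (host, port) pairs that are not in the DMZ."""
    return [(h, p) for h, p in published if zone_of(h) != "dmz"]

# Constructed inventory: FTP published from a second NIC on a host in the
# server zone (the situation the asker describes) and from a DMZ host.
PUBLISHED = [("172.16.16.10", 21), ("172.16.32.10", 21)]

if __name__ == "__main__":
    print("overlapping zones:", overlaps(ZONES))
    print("published outside DMZ:", exposed_outside_dmz(PUBLISHED))
```
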